[24682] in bugtraq


Re: [RHSA-2002:026-35] Vulnerability in zlib library

daemon@ATHENA.MIT.EDU (Mark J Cox)
Wed Mar 13 22:59:01 2002

Date: Wed, 13 Mar 2002 22:29:56 +0000 (GMT)
From: Mark J Cox <mjc@redhat.com>
To: bugtraq@securityfocus.com
Cc: linux-security@redhat.com
In-Reply-To: <20020313110419.GB12453@batory.org.pl>
Message-ID: <Pine.LNX.4.21.0203132225200.2158-100000@localhost.localdomain>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

> I have used the find-zlib perl script [2] (linked from the zlib homepage [3])
> to find out which programs use a statically linked zlib and got the
> following output on the "rpm" binary:

But not all programs that make use of zlib are actually vulnerable in a
useful way.  zlib is only used in RPM for the payload which is only
decompressed on package installation.  Therefore as far as I can tell this
could only be exploited if you are installing a trojan package.  There are
many easier ways for a trojan package to compromise your system.

Cheers, Mark
--
Mark J Cox / Red Hat / OpenSSL / Apache Software Foundation
mjc@redhat.com // T: +44 798 061 3110 / F: +44 845 333 9533
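The quoted message relies on a script that looks for zlib inside binaries. As an added example (not part of this thread, not Red Hat's tooling, and not the find-zlib script itself), the Python below does the same kind of triage: it searches a file for the copyright strings zlib compiles into deflate.c and inflate.c (for example " deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly " and " inflate 1.1.3 Copyright 1995-1998 Mark Adler "), reports the embedded version, and separately notes whether the file appears to link libz dynamically. The assumption that these strings are present in every statically linked copy, the "libz.so" substring heuristic, and the fixed-version threshold of 1.1.4 are all assumptions made here; the sample blobs are constructed and are not real executables.

```python
"""Heuristic scan for statically linked zlib in executables.

Added example for this thread; not code from Red Hat or from the
find-zlib script mentioned above.  Assumption: zlib embeds the copyright
strings from deflate.c / inflate.c, so a program that statically linked
zlib carries them in its own read-only data.
"""
import re
import sys
from pathlib import Path

# Captures the version number inside either copyright string, e.g.
# " deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly ".
ZLIB_MARK = re.compile(rb"\b(deflate|inflate) (\d+\.\d+(?:\.\d+)?) Copyright ")

# Assumed threshold: treat embedded copies older than this as needing an
# update.  Set it to whatever version the advisory you act on names.
FIXED_VERSION = "1.1.4"


def version_tuple(v: str) -> tuple:
    """'1.1.3' -> (1, 1, 3) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def zlib_versions_in(blob: bytes) -> list:
    """Distinct zlib versions whose copyright strings appear in blob."""
    found = {m.group(2).decode("ascii") for m in ZLIB_MARK.finditer(blob)}
    return sorted(found, key=version_tuple)


def links_libz_dynamically(blob: bytes) -> bool:
    """Crude check: a DT_NEEDED entry on libz leaves 'libz.so' in .dynstr.
    A real tool would parse the dynamic section (readelf -d / ldd do)."""
    return b"libz.so" in blob


def assess(blob: bytes, fixed: str = FIXED_VERSION) -> dict:
    """Summarise how (if at all) a binary image uses zlib."""
    versions = zlib_versions_in(blob)
    return {
        "static_zlib": versions,
        "dynamic_zlib": links_libz_dynamically(blob),
        "static_needs_update": any(
            version_tuple(v) < version_tuple(fixed) for v in versions
        ),
    }


def scan_paths(paths, fixed: str = FIXED_VERSION):
    """Yield (path, assessment) for each regular file that touches zlib."""
    for p in map(Path, paths):
        if p.is_file():
            result = assess(p.read_bytes(), fixed)
            if result["static_zlib"] or result["dynamic_zlib"]:
                yield str(p), result


# Constructed sample blobs standing in for real executables.
_HDR = b"\x7fELF\x01\x01\x01" + b"\0" * 16
SAMPLE_STATIC_OLD = (
    _HDR
    + b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly "
    + b"\0" * 8
    + b" inflate 1.1.3 Copyright 1995-1998 Mark Adler "
    + b"\0" * 8
)
SAMPLE_DYNAMIC = _HDR + b"libc.so.6\0libz.so.1\0"
SAMPLE_CLEAN = _HDR + b"libc.so.6\0"

if __name__ == "__main__":
    if sys.argv[1:]:
        for path, result in scan_paths(sys.argv[1:]):
            print(path, result)
    else:
        for name, blob in (("static-old", SAMPLE_STATIC_OLD),
                           ("dynamic", SAMPLE_DYNAMIC),
                           ("clean", SAMPLE_CLEAN)):
            print(name, assess(blob))
```

Run it as `python3 find_static_zlib.py /bin/* /usr/bin/*` to list candidates. The output only tells you where a copy of zlib lives; as the reply above points out, that is not the same as exploitability. The follow-up question for each hit is whether attacker-supplied data ever reaches its inflate routines (network input, user-supplied files) or, as with rpm's payload, only data the user has already chosen to trust.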


