Fwd: Re: zlib-1.1.4 out - security fix

Gerard Beekmans gerard at linuxfromscratch.org
Tue Mar 12 11:02:54 PST 2002


Rasmus Andersson, you have to fix your headers. Your spam protection in your
headers is violating all kinds of standards. Postfix allowed the mail
through, but listar doesn't and I'd rather not have to forward all your mail.

Anyways, here's the message:

----- Forwarded message from Listar <gerard at linuxfromscratch.org> -----

From: Listar <gerard at linuxfromscratch.org>
To: gerard at linuxfromscratch.org
Subject: Listar Error Report
Date: Tue, 12 Mar 2002 10:57:52 -0800 (PST)
Delivered-To: gerard at localhost.gwaihir.linuxfromscratch.org
Delivered-To: gerard at linuxfromscratch.org
X-listar-antiloop: shadowfax
X-UIDL: ~BP!!\G2!!CZ%#!Sp_"!

Error report:

    User: 
   Error: Received mail without valid return address.
-- queuefile in error --
>From "spamfu**er(listbox)"@pole-position.org  Tue Mar 12 10:57:52 2002
Return-Path: <"spamfu**er(listbox)"@pole-position.org>
Message-ID: <3C8E4FAD.C5D88FDE at pole-position.org>
Date: Tue, 12 Mar 2002 19:57:49 +0100
From: Rasmus Andersson <"spamfu**er(listbox)"@pole-position.org>
To: lfs-security at linuxfromscratch.org
Subject: Re: zlib-1.1.4 out - security fix
References: <20020311172354.M689 at gwaihir.linuxfromscratch.org> <Pine.LNX.4.44.0203112228510.289-100000 at brick.hn.org> <20020311174403.P689 at gwaihir.linuxfromscratch.org> <20020312004218.A500 at markcomp>

Mark Hymers wrote:
> Personally I think it's the one of the best arguments I've ever seen for
> *dynamic* linking of libraries.  I'm glad my copy of openssh uses the
> dynamic copy (I have heard that some distros have libz statically
> compiled in - the question WHY springs to mind..).  If it's all dynamic,
> one small upgrade and the problem's fixed.

The short answer to WHY is performance, shared libs are slower. SSH and
gzip are two of the pretty few programs that I really WANT to have as
optimized as possible.

That is probably also the reason for zlib being so widely used in static
and even private implementations - compression is CPU intensive, so
optimizing it is sensible (as opposed to the significant time I and many
other freaks are investing in compiling glibc and other stuff with
compiler optimizations, which gives much pain and unmeasurable gain :-)

Anyway one comes to think there may be other libs with the same
attributes: widely used, often included in packages and often statically
compiled. Find the next one and find its dreadful exploits before
Dr3adful Haxxor does - and roots you! ;-)

/R

---
End of error report.

----- End forwarded message -----

-- 
Gerard Beekmans
www.linuxfromscratch.org

-*- If Linux doesn't have the solution, you have the wrong problem -*-
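Rasmus's point about statically linked copies has a practical defensive consequence: installing a fixed libz.so does nothing for the zlib code baked into ssh, gzip or any package that carries a private copy. The script below is an added example (not from this thread or from zlib itself) that inventories embedded zlib versions by scanning files for the version-bearing copyright strings that zlib's deflate and inflate sources compile into every binary; the sample byte blobs standing in for executables are constructed, and the 1.1.4 threshold is the fixed release named in the subject.

```python
import re
from pathlib import Path

# zlib embeds strings such as " deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly "
# and " inflate 1.1.4 Copyright 1995-2002 Mark Adler ". A static link keeps them
# inside the final executable, so they reveal private copies that ldd cannot see.
ZLIB_BANNER = re.compile(rb"\b(deflate|inflate) (\d+\.\d+\.\d+) Copyright")

FIXED_VERSION = (1, 1, 4)  # first release carrying the security fix


def parse_version(text: str) -> tuple:
    """'1.1.3' -> (1, 1, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def embedded_zlib_versions(data: bytes) -> set:
    """Set of zlib version strings found anywhere in a binary image."""
    return {m.group(2).decode() for m in ZLIB_BANNER.finditer(data)}


def needs_update(data: bytes) -> list:
    """Embedded versions that predate the fixed release, sorted."""
    return sorted(v for v in embedded_zlib_versions(data) if parse_version(v) < FIXED_VERSION)


def scan_tree(root):
    """Yield (path, outdated versions) for every file under root embedding an old zlib."""
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            outdated = needs_update(path.read_bytes())
        except OSError:
            continue  # unreadable file; skip rather than abort the inventory
        if outdated:
            yield str(path), outdated


# Constructed sample "binaries" (not real executables).
SAMPLE_STATIC_OLD = (b"\x7fELF\x00 deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
                     b" inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00")
SAMPLE_STATIC_NEW = b"\x7fELF\x00 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly \x00"
SAMPLE_DYNAMIC = b"\x7fELF\x00libz.so.1\x00"  # dynamic link: no banner of its own

if __name__ == "__main__":
    for name, blob in (("static-old", SAMPLE_STATIC_OLD), ("static-new", SAMPLE_STATIC_NEW),
                       ("dynamic", SAMPLE_DYNAMIC)):
        print(name, embedded_zlib_versions(blob), "outdated:", needs_update(blob))
```

A dynamically linked binary reports nothing here, so this scan complements rather than replaces checking the shared libz.so; a stripped or modified private copy may also lack the banner, so an empty result is not proof of absence.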
