zlib advisory ?

Gerard Beekmans gerard at linuxfromscratch.org
Tue Mar 12 16:05:33 PST 2002


On Tue, Mar 12, 2002 at 03:48:52PM -0500, Bill Maltby LFS Related wrote:
> When you ref the ones with their own copy of zlib, are you meaning
> they compiled a copy in or they are statically linked?

I was talking about the packages that include zlib-based code that was
edited to fit their own needs. The PPP code in the kernel is an example of
it. While you don't need /usr/lib/libz.a or libz.so, it does come with zlib
code.

Those are the harder ones to spot because you'd have to figure out which
packages use modified private libz code and if that code chunk that's
borrowed is affected by this bug, then you have to find out how to update
those packages. A straight copy from the new zlib may not work because they
may have modified that code in some way (else they'd probably just require
you to install libz which would be easier and better).

Now, there are ones that just link statically with libz. For those it's
just a matter of recompiling the package to link with the newer libz and
all will be well. It's a bit more bothersome to find out, but less work to
fix when you finally do find them all.

-- 
Gerard Beekmans
www.linuxfromscratch.org

-*- If Linux doesn't have the solution, you have the wrong problem -*-
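
Added example, not part of the original post or of the LFS project: one way to triage installed binaries into the groups the message describes, by looking for the copyright string zlib compiles into its objects. The sample images, the names `classify` and `scan_tree`, and the version numbers are constructed placeholders; pass the fixed version from the advisory yourself.

```python
import re
import sys
from pathlib import Path

# zlib compiles strings such as " inflate <version> Copyright 1995-<year> Mark Adler "
# into its objects; they normally survive static linking and verbatim source copies.
ZLIB_MARK = re.compile(rb"(?:inflate|deflate) (\d+(?:\.\d+)+) Copyright 1995-\d{4}")
# A dynamically linked binary names the shared library instead.
DYN_MARK = re.compile(rb"libz\.so(?:\.\d+)*")

# Constructed sample images (not real binaries); version numbers are placeholders.
SAMPLES = {
    "static-app": b"\x7fELF\x00 inflate 0.9.1 Copyright 1995-1998 Mark Adler \x00",
    "dynamic-app": b"\x7fELF\x00libz.so.1\x00inflateInit_\x00",
    "unrelated": b"\x7fELF\x00libc.so.6\x00",
}


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def classify(data, fixed_version):
    """Return (status, versions) for one binary image."""
    versions = sorted({parse_version(m.group(1).decode()) for m in ZLIB_MARK.finditer(data)})
    if versions:
        stale = versions[0] < parse_version(fixed_version)
        return ("embedded-stale" if stale else "embedded-current"), versions
    if DYN_MARK.search(data):
        return "dynamic", []      # picks up the fix when the shared libz is upgraded
    return "no-marker", []        # not proof of absence: an edited copy may drop the string


def scan_tree(root, fixed_version):
    """Classify every regular file under root; unreadable files are skipped."""
    found = {}
    for path in Path(root).rglob("*"):
        try:
            if path.is_file() and not path.is_symlink():
                found[str(path)] = classify(path.read_bytes(), fixed_version)
        except OSError:
            continue
    return found


if __name__ == "__main__":
    fixed = sys.argv[2] if len(sys.argv) > 2 else "0.9.2"   # placeholder fixed version
    images = scan_tree(sys.argv[1], fixed) if len(sys.argv) > 1 else {
        name: classify(data, fixed) for name, data in SAMPLES.items()}
    for name, (status, versions) in sorted(images.items()):
        print(f"{status:17} {name} {versions}")
```

The shared libz itself is reported as embedded, since it carries the same string. A `no-marker` result still needs a source review for packages known to ship edited zlib code.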