zlib advisory ?

Daniel Roethlisberger daniel at roe.ch
Fri Mar 15 04:36:53 PST 2002


Clemens Kirchgatterer <clemens at thf.ath.cx> wrote:
> i do not think so. AFAIK the kernel uses zlib only for
> decompressing itself on bootup. as this is a very "defined"
> action, i wouldn't expect it to fail, only because this bug has
> been found. but of course i could be wrong.

Nope. A (modified) zlib is at least used in the networking and ppp
compression code (might be other places too, in parts which I have
disabled on my systems, and thus never compiled). Whether it is
exploitable there I cannot tell for certain, in the ppp code I
should think it would be, if only by your ppp peers. Updating it
to a fixed zlib manually requires a bit of kernel hacking, as they
did not use the zlib source verbatim. Best wait for a fixed
kernel, 2.2 was fixed in 2.2.21rc1 . Maybe searching the
linux-kernel list archives will give you a patch for 2.4 .

Cheers,
Dan

-- 
   Daniel Roethlisberger <daniel at roe.ch>
   PGP Key ID 0x8DE543ED with fingerprint
   6C10 83D7 2BB8 D908 10AE  7FA3 0779 0355 8DE5 43ED

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-security' in the subject header of the message



More information about the lfs-security mailing list