Date: Tue, 12 Mar 2002 10:29:06 -0500
To: "Brian F. Feldman", "Jacques A. Vidrine"
From: Mike Tancsa
Subject: Re: zlib and FreeBSD (was Re: RedHat advisory - RHSA-2002:026-35 zlib double free -- Is this 4.5-R-p1?)
Cc: freebsd-security@FreeBSD.ORG, jedgar@FreeBSD.ORG

Hi,
Although it sounds like the bug is not exploitable on FreeBSD, is there a
potential for a Denial of Service still with systems prior to the Feb 22
commit?

        ---Mike

At 10:11 AM 3/12/02 -0500, Brian F. Feldman wrote:
>"Jacques A. Vidrine" wrote:
> > In addition to Poul-Henning's information below, the zlib bug was also
> > patched in the security branches around February 22nd ``just in
> > case.''  Likewise, similar code in the kernel was fixed
> > (sys/net/zlib.c).
> >
> > Hmm, I just noticed that for some reason, the fixes don't seem to have
> > been committed to -CURRENT or -STABLE.  Maybe Chris had a reason for
> > this.  It may be a moot point soon, as Brian has recently imported the
> > new (fixed) zlib into -CURRENT, and I imagine he will merge it into
> > -STABLE before long.
>
>Yes, I plan on MFCing it soon, since I have it on my RELENG_4_5 desktop and
>it seems to work just fine (as I imagine it darn well should).  Even though
>we're not vulnerable, and the bug is fixed earlier, I want to be able to say
>that we ship a known-good copy of zlib and have the version numbers there to
>back it up.  Sound reasonable?
>
>--
>Brian Fundakowski Feldman                           \'[ FreeBSD ]''''''''''\
>  <> green@FreeBSD.org <> bfeldman@tislabs.com      \  The Power to Serve! \
> Opinions expressed are my own.                       \,,,,,,,,,,,,,,,,,,,,,,\
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message