Date: Tue, 12 Mar 2002 13:04:46 -0500 (EST)
From: Trevor Johnson
To: Brian Behlendorf
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:16.netscape
In-Reply-To: <20020312092148.J653-100000@localhost>
Message-ID: <20020312125415.W25328-100000@blues.jpj.net>

Brian Behlendorf wrote:

> On Tue, 12 Mar 2002, Trevor Johnson wrote:
> > Regardless, I'd recommend that you update to Mozilla 0.9.9, because of the
> > zlib "double free" bug. Mozilla contains its own copy of the zlib code,
> > which was corrected as of version 0.9.9.
>
> Unless I misunderstand something, even those apps with their own
> statically linked copies of zlib are not vulnerable on freebsd due to
> freebsd's malloc implementation, right? Unless they also statically
> compiled in glibc?

I would suppose that dynamically linking to glibc would cause problems
too. The Linux binary of Mozilla, which I assumed Dave Hawkey was asking
about, does that (I updated the port of it today). I would suppose that
the native Mozilla might be fine--unless, as you suggest, it contains its
own copy of GNU malloc.
-- 
Trevor Johnson