From owner-freebsd-security Mon Mar 18 8:20:43 2002
Date: Mon, 18 Mar 2002 11:20:34 -0500
From: Chris Faulhaber
To: "Jason DiCioccio (reply)"
Cc: security@freebsd.org
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Message-ID: <20020318162034.GA96424@peitho.fxp.org>
References: <200203181500.g2IF04W32492@freefall.freebsd.org> <2918868125.1016439371@[192.168.4.56]>
In-Reply-To: <2918868125.1016439371@[192.168.4.56]>

On Mon, Mar 18, 2002 at 08:16:11AM -0800, Jason DiCioccio wrote:
> I'm a bit confused now. So FreeBSD, 4.5-RELEASE is vulnerable? I

Yes, any software that uses libz is vulnerable to the double-free bug
(but not necessarily exploitable).

> am a bit unclear on this as I thought phkmalloc was not vulnerable
> to the double-free bug. Or does this only affect binaries
> statically linked with older revisions of libc and linux binaries?
>

Unlike some other malloc(3) implementations, phkmalloc is not believed
to be exploitable.

However, the side effects of the double-free bug in libz may include an
application crashing due to the decompression of invalid data, warnings
from phkmalloc, and applications abort(3)'ing if the 'A' malloc option
is used.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org
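The reply above distinguishes a double free that corrupts the heap silently from one that a checking allocator such as phkmalloc catches (a warning, or abort(3) when the 'A' option is set via MALLOC_OPTIONS or /etc/malloc.conf). The following added example, which is not code from this thread, from zlib or from FreeBSD's libc, shows the same idea in user space: a small tracking wrapper that records outstanding allocations and refuses a second free of the same pointer, reporting it instead of passing it to the C library. The table size, the function names and the scenario in run_demo() (a block freed twice, standing in for the libz behaviour on invalid data) are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example: a tracking free() wrapper that detects double frees.
 * It performs, in application code, the kind of consistency check a
 * hardened malloc does internally, and lets the program decide whether
 * to log, refuse, or abort (the effect of phkmalloc's 'A' option). */

#define MAX_TRACKED 64   /* hypothetical limit chosen for the example */

enum free_result { FREE_OK = 0, FREE_DOUBLE = -1, FREE_UNKNOWN = -2 };

static void *live[MAX_TRACKED];   /* blocks currently outstanding   */
static size_t live_count;
static void *freed[MAX_TRACKED];  /* recently released block addresses */
static size_t freed_count;
static unsigned double_free_hits; /* number of double frees refused  */

/* Forget an address from the freed history (malloc may legitimately
 * hand the same address back on a later allocation). */
static void forget_freed(void *p)
{
    size_t i;
    for (i = 0; i < freed_count; i++)
        if (freed[i] == p)
            freed[i] = freed[--freed_count];
}

/* Allocate and register the block; NULL if malloc fails or the
 * example's fixed tracking table is full. */
void *tracked_malloc(size_t n)
{
    void *p;
    if (live_count == MAX_TRACKED)
        return NULL;
    p = malloc(n);
    if (p != NULL) {
        forget_freed(p);
        live[live_count++] = p;
    }
    return p;
}

/* Release a block only if it is still live.  A pointer seen in the
 * freed history is a double free: it is counted and refused rather
 * than handed to free() again, which on many allocators would corrupt
 * the heap silently.  An address never allocated here is reported
 * separately as FREE_UNKNOWN. */
int tracked_free(void *p)
{
    size_t i;
    if (p == NULL)
        return FREE_OK;             /* free(NULL) is a no-op by contract */
    for (i = 0; i < live_count; i++) {
        if (live[i] == p) {
            live[i] = live[--live_count];      /* unordered remove */
            if (freed_count < MAX_TRACKED)
                freed[freed_count++] = p;
            free(p);
            return FREE_OK;
        }
    }
    for (i = 0; i < freed_count; i++) {
        if (freed[i] == p) {
            double_free_hits++;
            fprintf(stderr, "tracked_free: double free of %p refused\n", p);
            return FREE_DOUBLE;
        }
    }
    return FREE_UNKNOWN;
}

unsigned tracked_double_free_count(void)
{
    return double_free_hits;
}

/* Constructed scenario: a buffer is released twice, as a decompressor
 * with the double-free defect would do on malformed input.  Returns
 * the result of the second free so a caller can see it was refused. */
int run_demo(void)
{
    char *buf = tracked_malloc(256);
    if (buf == NULL)
        return FREE_UNKNOWN;
    tracked_free(buf);          /* first release: fine */
    return tracked_free(buf);   /* second release: caught, not passed on */
}

int main(void)
{
    int r = run_demo();
    printf("second free returned %d, %u double free(s) caught\n",
           r, tracked_double_free_count());
    return r == FREE_DOUBLE ? 0 : 1;
}
```

The wrapper only sees allocations routed through tracked_malloc(), so it is a debugging aid for code you control rather than a substitute for an allocator-level check; its value here is to make the failure mode visible (an error return and a message) instead of an unexplained crash later.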