Date: Mon, 11 Mar 2002 20:25:38 -0600 (CST) From: hawkeyd@visi.com (D J Hawkey Jr) To: sst@vmunix.dk, freebsd-security@freebsd.org Subject: Re: zlib overflow problem? Message-ID: <200203120225.g2C2PcY23553@sheol.localdomain> In-Reply-To: <20020312022651.A14838_fnyx.vmunix.dk@ns.sol.net> References: <00e101c1c942$b6bfeb60$3028680a_tgt.com@ns.sol.net> <20020312022651.A14838_fnyx.vmunix.dk@ns.sol.net>
next in thread | previous in thread | raw e-mail | index | archive | help
In article <20020312022651.A14838_fnyx.vmunix.dk@ns.sol.net>, sst@vmunix.dk writes: > On Mon, Mar 11, 2002 at 03:21:30PM -0600, Thomas T. Veldhouse wrote: >> Where did you see that information. I can not verify your statement. >> >> Here is the RedHat posting. They don't even mention any changes or updates >> to glibc. > > The zlib bug is an issue on Linux-systems due to the brokeness of > glibc malloc. > > There aren't any changes or updates to glibc because this specific > issue was resolved within zlib; fixing the double free(), which > causes a warning on most systems but trouble on glibc-systems. Um, on FreeBSD, aren't we talking about /usr/local/lib/libglib12.*? The library that so many Linux-born apps that are found in the ports collection depend on? If so, then aren't any ports that depend on it and libz vulnerable? Taking it a step further, aren't _any_ of the ports that depend on libglib12 at least suspect? If so [again], then the one comment on Slashdot is all too accurate: "This is huge.". If not for us BSDen, certainly for the Linuxen. If they won't fix their glibc, and it is one as the same as libglib12, wouldn't a patch-update for the libglib12 port fix things for us? TIA, Dave -- Windows: "Where do you want to go today?" Linux: "Where do you want to go tomorrow?" FreeBSD: "Are you guys coming, or what?" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200203120225.g2C2PcY23553>