From owner-freebsd-security Mon Mar 11 18:25:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from breg.mc.mpls.visi.com (breg.mc.mpls.visi.com [208.42.156.101]) by hub.freebsd.org (Postfix) with ESMTP id BD50C37B402 for ; Mon, 11 Mar 2002 18:25:40 -0800 (PST) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by breg.mc.mpls.visi.com (Postfix) with ESMTP id C91452D0496; Mon, 11 Mar 2002 20:25:39 -0600 (CST) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6/8.11.6) id g2C2PcY23553; Mon, 11 Mar 2002 20:25:38 -0600 (CST) (envelope-from hawkeyd) Date: Mon, 11 Mar 2002 20:25:38 -0600 (CST) Message-Id: <200203120225.g2C2PcY23553@sheol.localdomain> Mime-Version: 1.0 X-Newsreader: knews 1.0b.1 Reply-To: hawkeyd@visi.com Organization: if (!FIFO) if (!LIFO) break; References: <00e101c1c942$b6bfeb60$3028680a_tgt.com@ns.sol.net> <20020312022651.A14838_fnyx.vmunix.dk@ns.sol.net> In-Reply-To: <20020312022651.A14838_fnyx.vmunix.dk@ns.sol.net> From: hawkeyd@visi.com (D J Hawkey Jr) Subject: Re: zlib overflow problem? X-Original-Newsgroups: sol.lists.freebsd.security To: sst@vmunix.dk, freebsd-security@freebsd.org Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In article <20020312022651.A14838_fnyx.vmunix.dk@ns.sol.net>, sst@vmunix.dk writes: > On Mon, Mar 11, 2002 at 03:21:30PM -0600, Thomas T. Veldhouse wrote: >> Where did you see that information. I can not verify your statement. >> >> Here is the RedHat posting. They don't even mention any changes or updates >> to glibc. > > The zlib bug is an issue on Linux-systems due to the brokeness of > glibc malloc. > > There aren't any changes or updates to glibc because this specific > issue was resolved within zlib; fixing the double free(), which > causes a warning on most systems but trouble on glibc-systems. Um, on FreeBSD, aren't we talking about /usr/local/lib/libglib12.*? The library that so many Linux-born apps that are found in the ports collection depend on? If so, then aren't any ports that depend on it and libz vulnerable? Taking it a step further, aren't _any_ of the ports that depend on libglib12 at least suspect? If so [again], then the one comment on Slashdot is all too accurate: "This is huge.". If not for us BSDen, certainly for the Linuxen. If they won't fix their glibc, and it is one as the same as libglib12, wouldn't a patch-update for the libglib12 port fix things for us? TIA, Dave -- Windows: "Where do you want to go today?" Linux: "Where do you want to go tomorrow?" FreeBSD: "Are you guys coming, or what?" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message