From owner-freebsd-security Mon Mar 11 18:31:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from goofy.epylon.com (sf-gw.epylon.com [63.93.9.98]) by hub.freebsd.org (Postfix) with ESMTP id B060737B419 for ; Mon, 11 Mar 2002 18:31:18 -0800 (PST) Received: by goofy.epylon.lan with Internet Mail Service (5.5.2653.19) id ; Mon, 11 Mar 2002 18:31:17 -0800 Message-ID: <657B20E93E93D4118F9700D0B73CE3EA02FFF49B@goofy.epylon.lan> From: "DiCioccio, Jason" To: "'hawkeyd@visi.com'" , sst@vmunix.dk, freebsd-security@freebsd.org Subject: RE: zlib overflow problem? Date: Mon, 11 Mar 2002 18:31:16 -0800 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 glib is not glibc. If you want to talk glibc, there is a copy in /compat/linux if you installed linux-base* Cheers, - -JD- - -----Original Message----- From: hawkeyd@visi.com [mailto:hawkeyd@visi.com] Sent: Monday, March 11, 2002 6:26 PM To: sst@vmunix.dk; freebsd-security@freebsd.org Subject: Re: zlib overflow problem? In article <20020312022651.A14838_fnyx.vmunix.dk@ns.sol.net>, sst@vmunix.dk writes: > On Mon, Mar 11, 2002 at 03:21:30PM -0600, Thomas T. Veldhouse wrote: >> Where did you see that information. I can not verify your statement. >> >> Here is the RedHat posting. They don't even mention any changes or updates >> to glibc. > > The zlib bug is an issue on Linux-systems due to the brokeness of > glibc malloc. > > There aren't any changes or updates to glibc because this specific > issue was resolved within zlib; fixing the double free(), which > causes a warning on most systems but trouble on glibc-systems. Um, on FreeBSD, aren't we talking about /usr/local/lib/libglib12.*? The library that so many Linux-born apps that are found in the ports collection depend on? If so, then aren't any ports that depend on it and libz vulnerable? Taking it a step further, aren't _any_ of the ports that depend on libglib12 at least suspect? If so [again], then the one comment on Slashdot is all too accurate: "This is huge.". If not for us BSDen, certainly for the Linuxen. If they won't fix their glibc, and it is one as the same as libglib12, wouldn't a patch-update for the libglib12 port fix things for us? TIA, Dave - -- Windows: "Where do you want to go today?" Linux: "Where do you want to go tomorrow?" FreeBSD: "Are you guys coming, or what?" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPI1qa78+wXo6G32BEQKV4QCcCX1EoBX/q0bWPAtogVoIRWrzxLAAnR6L Dbj31gcq1x1Cjg6g3ZxDwsy0 =eHzF -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message