vulnerable zlib in testing?

Matthew Burgess matthew at linuxfromscratch.org
Sun Sep 12 07:41:23 PDT 2004


On Sun, 12 Sep 2004 07:31:41 -0700
"Kevin P. Fleming" <kpfleming at linuxfromscratch.org> wrote:

> Laurens Blankers wrote:
> 
> > The following patch was posted to the lfs-security list:
> > 
> > http://bugs.gentoo.org/show_bug.cgi?id=61749
> > 
> > It is used by both Gentoo and Debian. I have used it when building my
> > LFS 6.0-testing-20040905 system and everything appears to work fine.
> 
> This brings up an important point; I would like to see some text in the
> books that tells the user when a package links itself against another
> package's library _statically_.

I'll leave that for future discussion.  I don't see why we can't do this
- other than needing a script that will tell us that kind of
information of course.

> 
> In this case, I know I can reinstall zlib with the patch, and anything
> that links to libz.so will be using the patched version when it next
> gets loaded. What I don't know (conclusively) is which packages in a
> standard LFS install link themselves to libz.a at build time, thus
> necessitating a rebuild of those dependent packages if zlib is
> updated/upgraded.

http://www.linuxfromscratch.org/pipermail/lfs-security/2004-August/001274.html

Of course, this is particular to zlib, but it should help out with your
immediate concerns.

Cheers,

Matt.
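
The following is an added example, not part of the original message or of any LFS tooling: one way to write the kind of script discussed above for the zlib case. It relies on the copyright/version strings that zlib's deflate and inflate sources compile into any binary that contains them; the function names and the mtime cutoff are assumptions made for this sketch.

```python
import os
import re
import sys

# zlib's sources embed these copyright strings, version included, in the object code.
ZLIB_MARK = re.compile(rb"(deflate|inflate) (\d+(?:\.\d+)+) Copyright 1995-\d{4}")


def embedded_zlib(data):
    """Return sorted unique (component, version) pairs found in raw file bytes."""
    return sorted({(m.group(1).decode(), m.group(2).decode())
                   for m in ZLIB_MARK.finditer(data)})


def scan_tree(root):
    """Map path -> markers for regular files under root that carry zlib code."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            # Skip zlib's own libraries, symlinks, devices, sockets and the like.
            if name == "libz.a" or name.startswith("libz.so"):
                continue
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    hits = embedded_zlib(fh.read())
            except OSError:
                continue  # unreadable file: nothing to report
            if hits:
                findings[path] = hits
    return findings


def stale(findings, patched_at):
    """Paths last written before the patched zlib went in (epoch seconds)."""
    # A patch applied without a version bump leaves the marker unchanged, so
    # the file's mtime is the only hint that a static copy predates the fix.
    return sorted(p for p in findings if os.path.getmtime(p) < patched_at)


if __name__ == "__main__":  # usage: script ROOT PATCHED_AT_EPOCH
    found = scan_tree(sys.argv[1])
    for path in stale(found, float(sys.argv[2])):
        print(path, ", ".join(f"{c} {v}" for c, v in found[path]))
```

A binary that only loads libz.so at run time does not contain these strings, so a match means zlib code is compiled into the file, whether from libz.a or from a bundled copy of the sources.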



More information about the lfs-dev mailing list