vulnerable zlib in testing?
matthew at linuxfromscratch.org
Sun Sep 12 07:41:23 PDT 2004
On Sun, 12 Sep 2004 07:31:41 -0700
"Kevin P. Fleming" <kpfleming at linuxfromscratch.org> wrote:
> Laurens Blankers wrote:
> > The following patch was posted to the lfs-security list:
> > http://bugs.gentoo.org/show_bug.cgi?id=61749
> > It is used by both Gentoo and Debian. I have used it when building my
> > LFS 6.0-testing-20040905 system and everything appears to work fine.
> This brings up an important point; I would like to see some text in
> books that tells the user when a package links itself against another
> package's library _statically_.
I'll leave that for future discussion. I don't see why we can't do this
- other than needing a script that will tell us that kind of
information of course.
> In this case, I know I can reinstall zlib with the patch, and anything
> that links to libz.so will be using the patched version when it next
> gets loaded. What I don't know (conclusively) is which packages in a
> standard LFS install link themselves to libz.a at build time, thus
> necessitating a rebuild of those dependent packages if zlib is
Of course, this is particular to zlib, but it should help out with your
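
One way to answer the question raised in this thread (which installed files carry their own copy of zlib and so need a rebuild after patching), as an added example that is not part of the original message or the LFS book: zlib's `deflate.c` and `inftrees.c` embed version-stamped copyright strings, so a file other than libz itself that contains one has zlib code linked in statically. The function names `find_static_zlib` and `make_sample_tree` and the version `9.9.9` are hypothetical, and GNU grep is assumed.

```shell
#!/bin/sh
# Added example: list files that embed zlib's own copyright marker, i.e.
# files that contain a private (static) copy of zlib code.
# Files linked against libz.so do not contain the marker; it lives in the
# shared library, which is why libz.so* and libz.a are skipped here.

# find_static_zlib DIR...
# Prints "path<TAB>embedded zlib version(s)" for every matching regular file.
find_static_zlib() {
    find "$@" -type f ! -name 'libz.so*' ! -name 'libz.a' -print |
    while IFS= read -r f; do
        # -a: treat binaries as text, -o: print only the marker itself.
        ver=$(LC_ALL=C grep -a -o -E \
                '(deflate|inflate) [0-9]+\.[0-9]+(\.[0-9]+)* Copyright' \
                "$f" 2>/dev/null |
              awk '{print $2}' | sort -u | tr '\n' ' ')
        if [ -n "$ver" ]; then
            printf '%s\t%s\n' "$f" "${ver% }"
        fi
    done
}

# make_sample_tree DIR
# Builds a constructed tree for a dry run (not real binaries):
#   bin/static_tool   embeds the inflate marker  -> must be reported
#   bin/dynamic_tool  only names libz.so.1       -> must not be reported
#   lib/libz.so.1.9.9 is zlib itself             -> must be skipped
make_sample_tree() {
    mkdir -p "$1/bin" "$1/lib"
    printf '\177ELF\0 inflate 9.9.9 Copyright 1995-2003 Mark Adler \0' \
        > "$1/bin/static_tool"
    printf '\177ELF\0libz.so.1\0' > "$1/bin/dynamic_tool"
    printf '\177ELF\0 deflate 9.9.9 Copyright 1995-2003 Jean-loup Gailly \0' \
        > "$1/lib/libz.so.1.9.9"
}

# Typical use on an installed system (paths are an assumption):
#   find_static_zlib /bin /sbin /usr/bin /usr/sbin /usr/lib
```

A hit is a strong indicator that the file needs rebuilding against the patched zlib; the absence of a hit is not proof, since a build that discards unused data could drop the marker.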