vulnerable zlib in testing?

Igor Zivkovic igor at linuxfromscratch.org
Sun Sep 12 09:08:19 PDT 2004


Matthew Burgess wrote:
> "Kevin P. Fleming" <kpfleming at linuxfromscratch.org> wrote:
>
>> I am more concerned about CVS having an embedded zlib, and it not
>> being the one that we build as part of LFS. Should we change the book
>> to force CVS to use the system's zlib, even if it still links
>> statically?
>
> Well, yes, but that's a BLFS issue of course - last time I looked we
> didn't install CVS as part of an _LFS_ install :)  Anyway, for what it's
> worth I've just installed the latest version of CVS and it still links
> to the in-tree zlib (1.1.4) statically.  Moreover, I didn't see a switch
> to ./configure that enables one to use the system installed zlib.  This
> particular DoS is only applicable to 1.2.x versions anyway, but then
> 1.1.4 is prone to other security issues anyhow!

We used to have the patch for CVS in the book until it was decided to
only keep required patches, i.e. the ones that fix broken functionality.
See
http://www.linuxfromscratch.org/patches/downloads/cvs/cvs-1.11.9-zlib-1.patch

Personally, I'd like to see this one back in the book.

-- 
Igor Zivkovic
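
An added example, not part of the original thread: a shell check for the situation discussed above, where a program carries its own statically linked zlib instead of using the system library. It relies on the copyright strings that zlib's deflate and inflate sources compile into the object code; the function names and the sample file are hypothetical and constructed here, and the result is a heuristic, not proof of linkage.

```sh
#!/bin/sh
# Added example. zlib's sources define strings such as
#   " deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly "
# which end up in any binary that links those objects statically.

# Print each distinct zlib version embedded in file $1, one per line.
embedded_zlib_versions() {
    # Turn NUL bytes into newlines so every embedded C string is its own line.
    LC_ALL=C tr '\000' '\n' < "$1" |
        LC_ALL=C grep -a -o -E '(deflate|inflate) [0-9]+(\.[0-9]+)+[^ ]* Copyright' |
        awk '{ print $2 }' | sort -u
}

# Classify file $1 as "embedded <versions>", "shared" or "none".
zlib_linkage() {
    versions=$(embedded_zlib_versions "$1" | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$versions" ]; then
        echo "embedded $versions"
    elif LC_ALL=C tr '\000' '\n' < "$1" | grep -a -q 'libz\.so'; then
        # A dynamically linked program names the shared library instead.
        echo "shared"
    else
        echo "none"
    fi
}

# Constructed sample: junk bytes around the two strings that a static
# zlib 1.1.4 would leave in a binary. Not a real executable.
make_sample() {
    printf '\177ELF\001\002\000junk\000 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly \000\377\376 inflate 1.1.4 Copyright 1995-2002 Mark Adler \000' > "$1"
}

# With file arguments, report on each of them.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(zlib_linkage "$f")"
done
```

Run it with the paths of the installed binaries to audit; any file reported as "embedded" will not pick up fixes made to the system zlib and needs its own rebuild or patch.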



More information about the lfs-dev mailing list