vulnerable zlib in testing?

Matthew Burgess matthew at linuxfromscratch.org
Sun Sep 12 09:12:54 PDT 2004


On Sun, 12 Sep 2004 08:00:11 -0700
"Kevin P. Fleming" <kpfleming at linuxfromscratch.org> wrote:

> Matthew Burgess wrote:
> 
> > I'll leave that for future discussion.  I don't see why we can't do
> > this - other than needing a script that will tell us that kind of
> > information of course.
> 
> The find-zlib script seems to work fine. The only items I found in a 
> standard LFS install that have zlib in them are:
> 
> /lib/libz.so.1.2.1 (duh <G>)
> /sbin/modprobe, /sbin/depmod, /sbin/modinfo (from module-init-tools)
> /usr/bin/cvs (which has embedded zlib 1.1.4, which is even worse)

In addition, it would appear as if the Linux kernel has an in-tree copy
of zlib-1.1.3 (see linux-2.6.8.1/lib/zlib_inflate/inftrees.c).  Unless
that version has a fix for
http://www.gzip.org/zlib/advisory-2002-03-11.txt, then whatever kernel
features need it would presumably be susceptible to that vulnerability
too.

Matt.
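
Added example, not part of the original message and not the find-zlib script mentioned in the thread: one way to inventory embedded zlib copies is to search files for the copyright strings that zlib's deflate.c and inftrees.c compile in. The function names and the sample bytes are constructed for illustration, and it assumes those strings survive in the binary, so a miss does not prove zlib is absent.

```python
import re
import sys
from pathlib import Path

# zlib compiles in strings such as
#   " inflate 1.1.4 Copyright 1995-2002 Mark Adler "
# (inftrees.c) and a matching " deflate ... " string (deflate.c).
# Matching them is a heuristic for locating statically linked or in-tree copies.
ZLIB_SIG = re.compile(rb" (deflate|inflate) (\d+\.\d+[\w.\-]*) Copyright \d{4}-\d{4} ")

# Constructed sample: stand-in for a binary that carries its own zlib copy.
CONSTRUCTED_STATIC = (
    b"\x7fELF\x01\x01\x01\x00padding\x00"
    b" deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly \x00"
    b"more data\x00"
    b" inflate 1.1.4 Copyright 1995-2002 Mark Adler \x00"
)


def zlib_versions(data):
    """Return the set of (component, version) pairs found in a byte string."""
    return {(m.group(1).decode(), m.group(2).decode())
            for m in ZLIB_SIG.finditer(data)}


def scan_tree(root, max_bytes=64 * 1024 * 1024):
    """Walk root and map each regular file containing a zlib signature
    to the sorted list of (component, version) pairs found in it."""
    findings = {}
    for path in Path(root).rglob("*"):
        try:
            # Skip symlinks so libz.so.1 -> libz.so.1.x.y is reported once.
            if path.is_symlink() or not path.is_file():
                continue
            if path.stat().st_size > max_bytes:
                continue
            found = zlib_versions(path.read_bytes())
        except OSError:
            continue  # unreadable file: nothing to report
        if found:
            findings[str(path)] = sorted(found)
    return findings


if __name__ == "__main__":
    for root in sys.argv[1:]:
        for name, versions in sorted(scan_tree(root).items()):
            print(name, ", ".join(f"{c} {v}" for c, v in versions))
```

Run it against directories such as /lib, /sbin and /usr/bin, or against an unpacked kernel source tree, and compare the reported versions with the release that fixes the advisory you are tracking.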


