vulnerable zlib in testing?

Bruce Dubbs bdubbs at swbell.net
Sun Sep 12 09:27:57 PDT 2004


Kevin P. Fleming wrote:

> Matthew Burgess wrote:
>
>> In addition, it would appear as if the linux kernel has an in-tree copy
>> of zlib-1.1.3 (see linux-2.6.8.1/lib/zlib_inflate/inftrees.c).  Unless
>> that version has a fix for
>> http://www.gzip.org/zlib/advisory-2002-03-11.txt, then whatever kernel
>> features need it would presumably be susceptible to that vulnerability
>> too.
>
>
> That fix was slipstreamed into the kernel version, without upgrading 
> it to 1.1.4. I don't remember the exact reason why they chose that 
> path, but I do remember it happened.

On top of that, the ONLY call to zlib there is when the kernel is built
and then extracted upon boot.  I see no way to exploit the vulnerability.

  -- Bruce




