vulnerable zlib in testing?
bdubbs at swbell.net
Sun Sep 12 09:27:57 PDT 2004
Kevin P. Fleming wrote:
> Matthew Burgess wrote:
>> In addition, it would appear as if the linux kernel has an in-tree copy
>> of zlib-1.1.3 (see linux-220.127.116.11/lib/zlib_inflate/inftrees.c). Unless
>> that version has a fix for
>> http://www.gzip.org/zlib/advisory-2002-03-11.txt, then whatever kernel
>> features need it would presumably be susceptible to that vulnerability
> That fix was slipstreamed into the kernel version, without upgrading
> it to 1.1.4. I don't remember the exact reason why they chose that
> path, but I do remember it happened.
On top of that, the ONLY call to zib there is when the kernel is built
and then extracted upon boot. I see no way to exploit the vulnerability.
More information about the lfs-dev