[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: zlib/libz security problem in cvs?

From: Larry Jones
Subject: Re: zlib/libz security problem in cvs?
Date: Wed, 27 Mar 2002 11:32:20 -0500 (EST)

Adrian Pepper writes:
> I see older versions of cvs tended to come with their own source
> for a now-known-to-be-buggy version of zlib.  (i.e. a security
> risk).

The security risk with CVS is miniscule at most.  Even if you run
pserver as root, there's no access to zlib until after it drops root and
starts running as the user and there are lots of much easier exploits
that can be done at that point.

> Do newer versions (or perhaps even older versions) look for a
> common and/or shared zlib/libz ?

No, and I'm not proficient enough with autoconf and automake to make it
do so.  If anyone would like to contribute a patch, however....

> Does anyone know about the forward compatiblity of zlib/libz
> routines?  Would I be able to simply replace the use of
> ../zlib/libz.a with my own static or shared version and rebuild?
> Would I need to be careful to also use the zlib.h file corresponding to
> the newer one, or have all changes been internal and not to the
> external subroutine interface as used by cvs?  (This might help
> avoid me "changing versions of cvs mid-term").

Forward compatiblity isn't a problem, but you do need to ensure that you
use the header file that corresponds to the library.

-Larry Jones

Shut up and go get me some antiseptic. -- Calvin

reply via email to

[Prev in Thread] Current Thread [Next in Thread]