Security problem with zlib

Ronald J. Burk rhodes69 at cotse.net
Sat Jul 9 04:45:23 CEST 2005


> On Fri, Jul 08, 2005 at 09:44:32AM +0200, Johan Wevers wrote:
>> David Shaw wrote:
>>
>> >If you compile GnuPG on a system that has a zlib, the system zlib is
>> >used.  Your system zlib may or may not be vulnerable to the recent
>> >problem.  If your system zlib is vulnerable, then I strongly recommend
>> >that you upgrade :)
>>
>> OK, so I assume GnuPG is exploitable with this bug. I assume it is only
>> vulnerable when deliberately corrupt data is fed into it, like with a
>> buffer overflow (I could not determine if the bug is a buffer overflow,
>> although the description suggested it)?
>
> Basically, yes.  It's unclear if the bug is exploitable beyond
> crashing the process that is using zlib, but the crash is certainly
> possible.
>
> Oddly, I haven't seen any mention of this on the zlib main web site -
> just on bugtraq and the CVE site.
>
> David

Interestingly, Fedora Core 4 (and I assume other Linux distros) just received
an upgrade patch today for zlib.  I guess this is for the bug.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>



