Subject: Re: zlib vulnerability
To: Frank van der Linden <fvdl@wasabisystems.com>
From: Rick Kelly <rmk@toad.rmkhome.com>
List: netbsd-users
Date: 03/11/2002 19:09:03
Frank van der Linden said:

>The malloc implementation which is in NetBSD isn't very vulnerable
>to a double free(). I believe that Free/Net/Open all use the same
>one, which originally came from FreeBSD.

Cool.

>I did upgrade the zlib in the NetBSD tree, though. It didn't have
>many changes, I may ask for it to be pulled up into 1.5.3. But
>to be short, generally the malloc in *BSD is not believed to
>be vulnerable.

A pull up into 1.5.x would be greatly appreciated. :-)

>(for the kernel it isn't an issue, as libz is only linked to
>bootblocks in situations that don't have 3rd party input)

I have a few 1.4.x machines. How would I lower the risk there?

So it looks like Linux has two problems, zlib and a bad malloc.


-- 
Rick Kelly  rmk@rmkhome.com  www.rmkhome.com