Subject: Re: zlib vulnerability
To: Frank van der Linden <fvdl@wasabisystems.com>
From: Rick Kelly <rmk@toad.rmkhome.com>
List: netbsd-users
Date: 03/11/2002 19:09:03
Frank van der Linden said:
>The malloc implementation which is in NetBSD isn't very vulnerable
>to a double free(). I believe that Free/Net/Open all use the same
>one, which originally came from FreeBSD.
Cool.
>I did upgrade the zlib in the NetBSD tree, though. It didn't have
>many changes, I may ask for it to be pulled up into 1.5.3. But
>to be short, generally the malloc in *BSD is not believed to
>be vulnerable.
A pull up into 1.5.x would be greatly appreciated. :-)
>(for the kernel it isn't an issue, as libz is only linked to
>bootblocks in situations that don't have 3rd party input)
I have a few 1.4.x machines. How would I lower the risk there?
So it looks like Linux has two problems, zlib and a bad malloc.
--
Rick Kelly rmk@rmkhome.com www.rmkhome.com