Subject: Re: zlib vulnerability
To: Jonathan R. Hinds <>
From: Frank van der Linden <>
List: netbsd-users
Date: 03/12/2002 02:02:10
On Mon, Mar 11, 2002 at 12:36:02PM -0800, Jonathan R. Hinds wrote:
> Anything previous to 1.1.4 appears to be vulnerable.

The malloc implementation which is in NetBSD isn't very vulnerable
to a double free(). I believe that Free/Net/Open all use the same
one, which originally came from FreeBSD.

Probably because of this reason, OpenBSD declared itself 'not

I did upgrade the zlib in the NetBSD tree, though. It didn't have
many changes, I may ask for it to be pulled up into 1.5.3. But
to be short, generally the malloc in *BSD is not believed to
be vulnerable.

(for the kernel it isn't an issue, as libz is only linked to
bootblocks in situations that don't have 3rd party input)

- Frank

Frank van der Linden                 
Quality NetBSD CDs, Support & Service.