Re: zlib vulnerability and modutils
Ville Herva (vherva@niksula.hut.fi)
Tue, 12 Mar 2002 11:48:45 +0200
On Tue, Mar 12, 2002 at 09:56:20AM +1100, you [Keith Owens] wrote:
> Content-Type: text/plain; charset=us-ascii
>
> A double free vulnerability has been found in zlib which can be used in
> a DoS or possibly in an exploit. Distributions are now shipping
> upgraded versions of zlib, installing the new version of zlib will fix
> programs that use the shared library.
>
> modutils has an option --enable-zlib which lets modprobe and insmod
> read modules that have been compressed with gzip. If you built your
> modutils with --enable-zlib and are using insmod.static then you must
> rebuild modutils after first upgrading zlib. This only applies if
> modutils was built with --enable-zlib (the default is not to use zlib)
> and you also use static versions of modutils.
I'm propably missing something, but if you load untrusted kernel modules
(compressed or not), isn't the zlib vulnerability least of your concerns?
-- v --
v@iki.fi
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/