Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Tue, 12 Mar 2002 04:49:25 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Tue, 12 Mar 2002 04:49:15 -0500 Received: from twilight.cs.hut.fi ([130.233.40.5]:53993 "EHLO twilight.cs.hut.fi") by vger.kernel.org with ESMTP id ; Tue, 12 Mar 2002 04:49:05 -0500 Date: Tue, 12 Mar 2002 11:48:45 +0200 From: Ville Herva To: Keith Owens Cc: linux-kernel@vger.kernel.org Subject: Re: zlib vulnerability and modutils Message-ID: <20020312094845.GE128921@niksula.cs.hut.fi> Mail-Followup-To: Ville Herva , Keith Owens , linux-kernel@vger.kernel.org In-Reply-To: <4394.1015887380@kao2.melbourne.sgi.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4394.1015887380@kao2.melbourne.sgi.com> User-Agent: Mutt/1.3.25i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Mar 12, 2002 at 09:56:20AM +1100, you [Keith Owens] wrote: > Content-Type: text/plain; charset=us-ascii > > A double free vulnerability has been found in zlib which can be used in > a DoS or possibly in an exploit. Distributions are now shipping > upgraded versions of zlib, installing the new version of zlib will fix > programs that use the shared library. > > modutils has an option --enable-zlib which lets modprobe and insmod > read modules that have been compressed with gzip. If you built your > modutils with --enable-zlib and are using insmod.static then you must > rebuild modutils after first upgrading zlib. This only applies if > modutils was built with --enable-zlib (the default is not to use zlib) > and you also use static versions of modutils. I'm propably missing something, but if you load untrusted kernel modules (compressed or not), isn't the zlib vulnerability least of your concerns? -- v -- v@iki.fi - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/