Re: zlib vulnerability and modutils

Ville Herva (vherva@niksula.hut.fi)
Tue, 12 Mar 2002 11:48:45 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Rusty Russell: "Re: [PATCH] Futexes IV (Fast Lightweight Userspace Semaphores)"
Previous message: Ville Herva: "Re: zlib vulnerability and modutils"

On Tue, Mar 12, 2002 at 09:56:20AM +1100, you [Keith Owens] wrote:
> Content-Type: text/plain; charset=us-ascii
>
> A double free vulnerability has been found in zlib which can be used in
> a DoS or possibly in an exploit. Distributions are now shipping
> upgraded versions of zlib, installing the new version of zlib will fix
> programs that use the shared library.
>
> modutils has an option --enable-zlib which lets modprobe and insmod
> read modules that have been compressed with gzip. If you built your
> modutils with --enable-zlib and are using insmod.static then you must
> rebuild modutils after first upgrading zlib. This only applies if
> modutils was built with --enable-zlib (the default is not to use zlib)
> and you also use static versions of modutils.

I'm propably missing something, but if you load untrusted kernel modules
(compressed or not), isn't the zlib vulnerability least of your concerns?

-- v --

v@iki.fi
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Rusty Russell: "Re: [PATCH] Futexes IV (Fast Lightweight Userspace Semaphores)"
Previous message: Ville Herva: "Re: zlib vulnerability and modutils"