[Pkg-aide-maintainers] How does aide use zlib?

Marc Haber mh+aide-devel at zugschlus.de
Fri Mar 17 13:54:13 UTC 2006

Hi aide-devel,

On Thu, Mar 16, 2006 at 05:45:19PM +0100, Moritz Muehlenhoff wrote:
> Dear aide maintainers,
> I'm researching some older security issues. aide in Sarge links
> statically against zlib, in which several buffer overflows were
> fixed in DSA-740 and DSA-763.
> Can you tell me, in which ways aide uses zlib? If it operates on
> potentialy manipulated compressed data provided by external parties
> we might need to issue a DSA to recompile aide against the fixed
> zlib.

Moritz is member of the Debian security team. Debian sarge has aide

DSA-740 is CAN-2005-2096, DSA-763 is CAN-2005-1849. CAN-2005-2096 was
fixed in NMU with 0.10-6.2 in Sep 2005, but that version is not in

Afaik, aide only uses zlib to read and/or write the compressed
database. Usually, the data source is a local file which is only
writeable by root, but aide can pull the reference data from a web
server as well. I hope that upstream can comment on this, hence my
forwarding this message to aide-devel.

Do I see correctly that aide uses whatever zlib is present on the
build system at build time and statically links to that version?


Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

More information about the Pkg-aide-maintainers mailing list