[Pkg-aide-maintainers] How does aide use zlib?
Marc Haber
mh+aide-devel at zugschlus.de
Fri Mar 17 13:54:13 UTC 2006
Hi aide-devel,
On Thu, Mar 16, 2006 at 05:45:19PM +0100, Moritz Muehlenhoff wrote:
> Dear aide maintainers,
> I'm researching some older security issues. aide in Sarge links
> statically against zlib, in which several buffer overflows were
> fixed in DSA-740 and DSA-763.
> Can you tell me, in which ways aide uses zlib? If it operates on
> potentially manipulated compressed data provided by external parties
> we might need to issue a DSA to recompile aide against the fixed
> zlib.
Moritz is a member of the Debian security team. Debian sarge has aide
0.10-6.1.
DSA-740 is CAN-2005-2096, DSA-763 is CAN-2005-1849. CAN-2005-2096 was
fixed in NMU with 0.10-6.2 in Sep 2005, but that version is not in
sarge.
Afaik, aide only uses zlib to read and/or write the compressed
database. Usually, the data source is a local file which is only
writeable by root, but aide can pull the reference data from a web
server as well. I hope that upstream can comment on this, hence my
forwarding this message to aide-devel.
Do I see correctly that aide uses whatever zlib is present on the
build system at build time and statically links to that version?
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
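As an added example (not part of Marc's or Moritz's mail, and not a tool shipped with aide), here is a small POSIX shell check for the question raised above: whether a given binary resolves zlib dynamically at run time or carries a statically linked copy, and which zlib version that copy is. It relies on two facts: zlib's deflate.c compiles in a string of the form "deflate 1.2.x Copyright ..." that survives in stripped binaries, and a dynamically linked binary names libz.so in its dynamic string table. The file the demo inspects is constructed for the example, and the version number in it is made up.

```shell
#!/bin/sh
# Added example, not from the original thread or from aide.
# Report how a binary obtains zlib: via a shared libz.so, via a statically
# linked copy (and which version), or not at all.

# Print the zlib version string embedded by deflate.c, or nothing.
# grep -a scans the binary as text; -o prints only the matching part.
embedded_zlib_version() {
    grep -a -o 'deflate 1\.[0-9][0-9.]*' "$1" 2>/dev/null \
        | head -n 1 | sed 's/^deflate //'
}

# True when the binary references the shared zlib by soname. The DT_NEEDED
# entries live as plain strings in .dynstr, so a text scan is enough and
# nothing gets executed (unlike ldd on an untrusted file).
links_libz_dynamically() {
    grep -a -q 'libz\.so' "$1" 2>/dev/null
}

# Classify FILE as "dynamic", "static <version>" or "none".
zlib_linkage() {
    f="$1"
    if links_libz_dynamically "$f"; then
        echo "dynamic"
        return 0
    fi
    v=$(embedded_zlib_version "$f")
    if [ -n "$v" ]; then
        echo "static $v"
    else
        echo "none"
    fi
}

# Demo on a constructed stand-in for a statically linked binary.
# The version 1.2.2 below is made up for the example.
demo_constructed_binary() {
    tmp=$(mktemp)
    printf 'junk deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly junk' > "$tmp"
    zlib_linkage "$tmp"
    rm -f "$tmp"
}

# Usage: sh zlibcheck.sh /usr/bin/aide [more binaries...]
if [ $# -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(zlib_linkage "$f")"
    done
fi
```

A result of "static 1.2.x" answers the question Marc asks at the end of his mail for a given build: the version reported is whatever zlib was present on the build host, and a fix to the system zlib will not reach that binary until it is rebuilt. The check is a heuristic; a binary that embeds zlib but strips or rewrites the copyright string would report "none".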