Security problem with zlib
David Shaw
dshaw at jabberwocky.com
Sat Jul 9 04:23:51 CEST 2005
On Fri, Jul 08, 2005 at 09:44:32AM +0200, Johan Wevers wrote:
> David Shaw wrote:
>
> >If you compile GnuPG on a system that has a zlib, the system zlib is
> >used. Your system zlib may or may not be vulnerable to the recent
> >problem. If your system zlib is vulnerable, then I strongly recommend
> >that you upgrade :)
>
> OK, so I assume GnuPG is exploitable with this bug. I assume it is only
> vulnerable when deliberately corrupt data is fed into it, like with a
> buffer overflow (I could not determine if the bug is a buffer overflow,
> although the description suggested it)?

Basically, yes. It's unclear if the bug is exploitable beyond
crashing the process that is using zlib, but the crash is certainly
possible.

Oddly, I haven't seen any mention of this on the zlib main web site -
just on bugtraq and the CVE site.

David

More information about the Gnupg-users mailing list