[ale] zlib security problem (question)
- Subject: [ale] zlib security problem (question)
- From: jenn at colormaria.com (jenn at colormaria.com)
- Date: Mon, 11 Mar 2002 16:53:46 -0500 (EST)
Re-reading the advisory, I understand how this could affect my workstation
because I routinely hit potentially untrusted sites with my browser and
expect that all is well.
How would a remote attacker exploit a buffer overflow of this nature on a
server? My servers don't run X or mozilla, and as far as I know, exist only
to serve requests from untrusted sources, not receive information other than
whatever is in the request. Can a malicious packet take advantage of this
bug, potentially? I realise there are no published exploits for this yet,
I'm asking more about the theory behind such an attack rather than specifics
on this particular bug.
> From Slashdot comes distressing news:
> "CNET is reporting that there is a buffer overflow problem with zlib
> in linux, which is used for network compression. Supposedly, someone
> could remotely cause a buffer overflow through mozilla, X11 and many
> other programs." The advisory from Red Hat is available.
> http://www.linuxsecurity.com/advisories/redhat_advisory-1963.html has
> the advisory and links to the update packages for RedHat. I'm not sure
> if this is RedHat specific (I don't think so), but the security
> implications of hitting a crafted png image on a website and having a
> backdoor inserted is very unnerving.
> James P. Kinney III \Changing the mobile computing world/
> President and COO \ one Linux user /
> Local Net Solutions,LLC \ at a time. /
> 770-493-8244 \.___________________________./
> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> <jkinney at localnetsolutions.com>
> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.