On Tuesday 12 March 2002 15:52, Steve Langasek wrote:
> > Doesn't dpkg also compile with a static zlib? Why does it not make
> > this list?
>
> What Internet-accessible port are you running dpkg on? :)
>
> dpkg doesn't normally run on a network port, so exploiting it doesn't
> get you local access unless you already have it; and it's not suid, so
> running it from commandline doesn't let you get root. Therefore, there
> is no security hole opened by a vulnerability in dpkg.
I think this reasoning is flawed: a vulnerable zlib in dpkg would be exploited by a trojaned .deb package that someone unwittingly downloads, and as dpkg tends to be run as root, that would buy the attacker root privileges.

Admittedly, as things stand, a trojaned package could do many of those things with doctored install scripts anyway, but this vulnerability does matter if the package has to be uncompressed just to examine it.

John
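The thread above hinges on which binaries carry their own copy of zlib rather than linking the shared libz.so (a static copy gets no fix from a libz package upgrade). The script below is an added example, not part of the original thread or of dpkg; it uses the version/copyright string that every zlib build embeds (" inflate 1.1.4 Copyright 1995-2002 Mark Adler " and similar) as a heuristic for an embedded copy, and falls back to ldd to tell a dynamically linked binary from one with no zlib at all. The classification names (static-zlib, dynamic-zlib, no-zlib) and the sample file it scans by default are my own choices; the string heuristic is an assumption that holds for stock zlib builds but will miss a copy whose strings were stripped or altered.

```shell
#!/bin/sh
# Added example: find binaries that embed their own zlib.
# zlib compiles the inflate/deflate copyright strings into every build, so a
# binary that contains one but has no libz.so dependency carries a private,
# statically linked copy (assumption: strings not stripped or patched out).

# embedded_zlib_version FILE
#   Prints the version from the embedded inflate copyright string, or nothing.
embedded_zlib_version() {
    LC_ALL=C grep -a -o 'inflate [0-9][0-9.]* Copyright [0-9-]* Mark Adler' "$1" 2>/dev/null \
        | head -n 1 | awk '{print $2}'
}

# links_libz_dynamically FILE
#   Returns 0 if ldd reports a libz.so dependency, 1 otherwise (or if ldd is absent).
links_libz_dynamically() {
    command -v ldd >/dev/null 2>&1 || return 1
    ldd "$1" 2>/dev/null | grep -q 'libz\.so'
}

# classify_zlib FILE
#   Prints one of: "static-zlib <version>", "dynamic-zlib", "no-zlib".
classify_zlib() {
    ver=$(embedded_zlib_version "$1")
    if [ -n "$ver" ]; then
        printf 'static-zlib %s\n' "$ver"
    elif links_libz_dynamically "$1"; then
        printf 'dynamic-zlib\n'
    else
        printf 'no-zlib\n'
    fi
}

# Scan every file given on the command line, e.g.:
#   sh zlibscan.sh /usr/bin/dpkg /usr/bin/dpkg-deb /usr/bin/gzip
# With no arguments, scan a constructed sample file that mimics a binary
# with an embedded zlib 1.1.4 (the version current when this thread was written).
if [ "$#" -eq 0 ]; then
    sample=$(mktemp)
    printf 'ELF junk\n inflate 1.1.4 Copyright 1995-2002 Mark Adler \nmore junk\n' > "$sample"
    set -- "$sample"
fi
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(classify_zlib "$f")"
done
```

On a real system, run it over the binaries the advisory lists plus any locally built tools; anything reported as static-zlib needs a rebuild or a package update of its own, because upgrading the libz package does not touch it.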

