Hi,
PHP is as vulnerable as it is the libz of your system. PHP
does not include zlib, it links against it which means it has
already to be on your system. It is up to you to have the
proper libz on your system, PHP just links against it. That's
it.
- Markus
On Wed, Jun 05, 2002 at 03:39:55PM -0400, Lenny Miceli wrote :
> Sorry to post here but I've received no response on the php-general list. I
> posted the following to that list a couple days ago and I was wondering if
> anyone on this list can help me. Thank you for your time.....Lenny
>
> I've tried to search the archives/bug reports/faq's and didn't find any
> definitive answers on the zlib Double Free Bug CERT's Advisory CA-2002-07
> issue. Even though I didn't compile php with the --with-zlib option when I
> run strings against the php library I still see zlib information. For
> example:
>
> > strings libphp4.a | grep -i zlib
> Request error: class file/memory mismatch
> Zlib
>
> So Zlib is still in the libphp4.a library. So does this mean that I could
> possibly still be vulnerable to the zlib Double Free Bug?
>
> Also, if I DO need to compile php with the --with-zlib option I assume
> I will also need to give it the --with-zlib-dir option. I assume if
> that zlib install directory does NOT have the bug, then I would be safe
> from it. I'm asking since I know there's the ext/zlib directory under
> the php source directory (well at least php v4.0.6) and I'm not sure if
> the bug exists somewhere in those files.
>
> Thanks for any help you can give me on those 2 questions.
>
> Please mail me directly since I'm not on this list.
>
> Thanks for your time and help,
> Lenny Miceli
>
> --
> PHP Development Mailing List <http://www.php.net/>
> To unsubscribe, visit: http://www.php.net/unsub.php
--
GnuPG Key: http://guru.josefine.at/~mfischer/C2272BD0.asc
Did I help you? http://guru.josefine.at/wish_en
Konnte ich helfen? http://guru.josefine.at/wish_de
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
