Hello!

On 2002-06-05 15:39:55, Lenny Miceli wrote:
> issue. Even though I didn't compile php with the --with-zlib option when I
> run strings against the php library I still see zlib information. For

Maybe zlib is used by another library which PHP uses (e.g. some graphic
library, MySQL, ...).

> So Zlib is still in the libphp4.a library. So does this mean that I could
> possibly still be vulnerable to the zlib Double Free Bug?

If you linked against a vulnerable zlib.

> Also, if I DO need to compile php with the --with-zlib option I assume
> I will also need to give it the --with-zlib-dir option. I assume if

It isn't needed, otherwise PHP tries to find zlib.

> that zlib install directory does NOT have the bug, then I would be safe
> from it. I'm asking since I know there's the ext/zlib directory under
> the php source directory (well at least php v4.0.6) and I'm not sure if
> the bug exists somewhere in those files.

The bug was in the zlib library, not in any file distributed with PHP.
If you link against a new zlib version you should be safe (if you built
PHP with a shared zlib library it's enough to update this library, you
don't have to rebuild PHP, but check with phpinfo() to which version PHP
is actually linked after the update).

You can use phpinfo() to see to which zlib version PHP is linked, 1.1.4
should be safe (but some systems use patched versions of 1.1.3, which are
safe, but don't show a higher version number (bare 1.1.3 is vulnerable)).

Stefan

--
Stefan Röhrich [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.roehri.ch/~sr/

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
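
An added example, not part of the original message or of PHP's own code: a shell check for the situation discussed above, where a library such as libphp4.a still carries zlib although PHP was built without --with-zlib. It assumes the version string that zlib compiles into its deflate/inflate objects is present in the file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; 1.1.4 is the fixed release named above.

# Print each distinct zlib version string embedded in file $1, one per line.
# zlib compiles in strings like " deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly ".
zlib_embedded_versions() {
    # -a: scan the binary as text; -o: print only the matching part
    LC_ALL=C grep -a -o -E '(deflate|inflate) [0-9]+\.[0-9]+(\.[0-9]+)* Copyright' "$1" 2>/dev/null |
        awk '{print $2}' | sort -u
}

# Succeed (return 0) when version $1 is older than 1.1.4.
zlib_older_than_fix() {
    old_ifs=$IFS; IFS=.
    set -- $1            # split "1.1.3" into 1 1 3
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -lt 1 ] && return 0
    [ "$major" -gt 1 ] && return 1
    [ "$minor" -lt 1 ] && return 0
    [ "$minor" -gt 1 ] && return 1
    [ "$patch" -lt 4 ]
}

# Print a verdict for file $1: none | ok | review
zlib_verdict() {
    versions=$(zlib_embedded_versions "$1")
    [ -z "$versions" ] && { echo none; return 0; }
    for v in $versions; do
        if zlib_older_than_fix "$v"; then
            # A vendor-patched 1.1.3 reports the same string, so this needs a
            # manual check against the vendor's package changelog.
            echo review; return 0
        fi
    done
    echo ok
}

# Stand-alone use: sh check.sh /path/to/libphp4.a
if [ "$#" -gt 0 ]; then zlib_verdict "$1"; fi
```

A verdict of `none` only means no zlib is statically embedded in that file; a shared zlib is a separate file and has to be checked on its own.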