risk

Andy Green andy at warmcat.com
Wed Jul 13 18:47:31 UTC 2005



Mike McCarty wrote:

| a little more intelligible. What is a poisonous .png? I'm using the
| latest FC2. How can I tell whether I have updated my libz? I used uptodate
| up to the point where FC2 was no longer being updated.

You are out of security updates altogether by the sound of it.  So the
real simple version is that since your last update, one or more ways to
hack the versions of code you are running have been found.

Just recently a flaw was found in a compression library:

http://www.eweek.com/article2/0,1759,1834632,00.asp?kc=EWRSS03119TX1K0000594

Many programs use a dangerous version of the compression library,
including the code to interpret png files which in turn is used by many
other programs.  All of these apps are theoretically vulnerable to a
buffer overflow exploit delivered in a faked up png file.  So if you
browse the wrong site and get given the evil image file, or you show
(evil) images sent to you in an email, you are hacked.  This is
commonplace in the Windows world and quite possible in the Linux world
too (although Fedora's early use of selinux, execshield, NX, etc. tries to
make this less simple).

You should look into the Fedora Legacy project and update via yum from
there until you upgrade to something with direct security updates:

http://www.fedoralegacy.org/

|> "Mozilla" is a giant teetering edifice of ever-changing code that you
|
| Oh, come now. If you take that attitude, then Linux and the FSF code

Any code could link to zlib and be vulnerable... the flaw doesn't have
to be directly in the application for the application to be vulnerable
via a broken library.  Any of it can link to other libraries with as yet
undiscovered buffer overflows and be vulnerable.  And the point is you
don't know, as a user, what uses the bad zlib and what doesn't.  Even
when you update the bad library, which should fix all apps that use the
library, you still don't know for sure if other stuff has the bad
version directly compiled in as part of the app itself.

-Andy
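Andy's last point, that updating the shared libz does nothing for a program that has its own copy of zlib compiled in, can be checked from the shell. The script below is an added example and not part of the original mail: it looks for the version string zlib embeds in its inflate/deflate code and reports files whose private copy is older than the fixed version you pass in (the directory and the fixed version number are assumed; the mail gives neither).

```shell
#!/bin/sh
# Added example (not from the mail): find programs carrying a private,
# statically linked copy of zlib.  zlib 1.2.x embeds strings such as
# " inflate 1.2.3 Copyright ... Mark Adler " (inflate_copyright) and
# " deflate 1.2.3 Copyright ... Jean-loup Gailly " (deflate_copyright),
# so the version built into a binary can be read back without running it.

# Print the zlib version embedded in FILE, or nothing if none is found.
# tr turns every non-printable byte into a newline (a portable "strings").
zlib_embedded_version() {
    tr -c '[:print:]' '\n' < "$1" \
      | sed -n -e 's/.* inflate \([0-9][0-9.]*\) Copyright.*/\1/p' \
               -e 's/.* deflate \([0-9][0-9.]*\) Copyright.*/\1/p' \
      | sort -u | head -n 1
}

# Succeed (exit 0) when dotted version $1 is older than dotted version $2.
version_lt() {
    [ "$1" != "$2" ] || return 1
    first=$(printf '%s\n%s\n' "$1" "$2" \
            | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$first" = "$1" ]
}

# Walk DIR and print "<version><TAB><path>" for every file whose private
# zlib is older than FIXED.  Programs that use the shared libz.so are not
# listed here: those are fixed by updating the library package itself.
report_stale_private_zlib() {
    dir=$1 fixed=$2
    find "$dir" -type f 2>/dev/null | while read -r f; do
        v=$(zlib_embedded_version "$f")
        [ -n "$v" ] || continue
        if version_lt "$v" "$fixed"; then
            printf '%s\t%s\n' "$v" "$f"
        fi
    done
}

# Typical use (directory and version are placeholders you supply):
# report_stale_private_zlib /usr/bin "$FIXED_VERSION"
```

Anything the scan lists needs a rebuilt package or vendor update, since a new libz RPM leaves those embedded copies untouched.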




More information about the fedora-list mailing list