zoo contains exploitable buffer overflows

Nicolas Mailhot nicolas.mailhot at laposte.net
Mon Feb 27 09:12:15 UTC 2006


On Mon, 27 February 2006 01:09, Josh Bressers wrote:
>>
>> As the FE zoo maintainer I've applied the security patch suggested on
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183109

> The issue seems to exist.

...

> This points out that zoo is a very poorly written program.  Luckily with
> the new changes to gcc and glibc, these horrible stack buffer overflows
> are non issues.

>> If some people could review the alert and the patch I'd be grateful.
>> To my knowledge other distributions have not acted on the alert yet
>> (it's been published on many security lists in the last days).
>
> The patch attached to the mail (in bugzilla) looks pretty hokey.

...

> Fixing zoo is probably never going to happen, this is just one of the
> things that is horribly broken by design.  From my quick look through the
> source, it's pretty bad.  There are going to be countless similar problems

I mostly agree with all these assessments (that's one reason I started this
thread). I was never very comfortable with zoo given it has no upstream
anymore, but since everyone seems to ship it anyway I figured someone must
have checked the code.

What is the general feeling on the list?

1. apply the patch (or a cleaner one if someone writes one - not me, my C
is much too rusty) and trust other problems will be caught by glibc?

2. do not apply the patch, trust glibc to catch problems?

3. pull zoo from FE, instruct current users like amavisd-new to kill zoo
files on sight instead of trying to check them, make them conflict with
zoo to make sure it's removed from user systems?

4. a mix of all this, depending on the FE version?

Regards,

-- 
Nicolas Mailhot
