Re: [RHSA-2002:026-35] Vulnerability in zlib library

> I have used find-zlib Perl script [2] (linked from the zlib homepage [3])
> to find out which programs use statically linked zlib and got the
> following output on "rpm" binary:

But not all programs that make use of zlib are actually vulnerable in a
useful way.  zlib is only used in RPM for the payload which is only
decompressed on package installation.  Therefore as far as I can tell this
could only be exploited if you are installing a trojan package.  There are
many easier ways for a trojan package to compromise your system.

Cheers, Mark
--
Mark J Cox / Red Hat / OpenSSL / Apache Software Foundation
mjc@redhat.com // T: +44 798 061 3110 / F: +44 845 333 9533


