Anthony, Good point. Apple has not changed its mind, and we've not contacted them. The reasoning for including it is that VNC Thing is statically linked against zlib 1.1.3, thus potentially leading to a local viewer crash given the circumstances noted in our advisory - including the caveat that the malloc/free behavior has to be faulty as well, which may or may not be true. Apple's statement is: "Mac OS X and Mac OS X Server do not contain this vulnerability." Does MacOS X and MacOS X Server even have a copy of zlib (ie libz.so) by default? Or is down to the FreeBSD malloc / free behavior of MacOS X? Hard to say - not a lot of information to go on. VNC Thing is being updated, if you're concerned and want to upgrade, great. Otherwise, in a very narrow set of circumstances, it *may* be possible to cause the VNC Thing viewer to crash as older versions *do* have a copy of the faulty zlib library. Andrew -----Original Message----- From: Anthony DeRobertis [mailto:asd@suespammers.org] Sent: Friday, 5 April 2002 5:58 PM To: Andrew van der Stock Cc: bugtraq@securityfocus.com Subject: Re: VNC Security Bulletin - zlib double free issue (multiple vendors and versions) On Tuesday, April 2, 2002, at 08:17 PM, Andrew van der Stock wrote: > * VNCThing prior to version 2.3 for Mac OS 8/9/X > Apple has stated that the zlib vulnerabilities do not apply to Mac OS X (see the vendor responses to the original CERT notice, for example). Is VNCThing for Mac OS X an exception? Or has Apple changed its mind.
