Mailinglist Archive: opensuse-security (616 mails)
Re: [suse-security] SuSE Security Announcement: packages containing libz/zlib (SuSE-SA:2002:011) (tandem-announcement, second part)
- From: Roman Drahtmueller <draht@xxxxxxx>
- Date: Wed, 13 Mar 2002 19:49:51 +0100 (MET)
- Message-id: <Pine.LNX.4.44.0203131945550.17945-100000@xxxxxxxxxxxx>
> > 2) packages that contain the compression library in their own
> > source distribution. These packages need an individual bugfix.
> > We have prepared update packages for this software that can be
> > downloaded from the locations as shown below.
>
> Shouldn't these packages rather be modified to use the system library
> rather than fixing them all individually? I know, this is beyond the
> scope of a security bugfix as the latter shouldn't contain feature
> changes and this can often not be done as quickly as needed. But I
> think a package bringing its own library, when decent system
> libraries are available, is a quite stupid idea and it is also a
> security issue, as we can see with this announcement.
Your approach is obviously correct, and in some cases we even proceed that
way. (Since libz is used by so many packages, we began to wonder why some
packages still bring their own. Seems like it's "en vogue" to do so...)
In some cases though you might not want to mess up because the authors
modified the code for optimizations and other adaptations. Prominent
example: rsync.
> Rolf Krahl <rolf.krahl@xxxxxxx>
Roman.
--
| Roman Drahtmüller      <draht@xxxxxxx> // "You don't need eyes to see, |
| SuSE GmbH - Security   Phone:          //            you need vision!" |
| Nürnberg, Germany      +49-911-740530  //     Maxi Jazz, Faithless     |
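A defender-side check prompted by the distinction drawn above between packages that use the system libz and packages that ship their own copy, added here as an example and not part of the thread or of SuSE's tooling: it scans a directory tree for files carrying the version banner zlib compiles into anything linked against it, and reports copies older than a version the caller passes in. The function names, the sample files and the version numbers used are constructed assumptions, not values from the announcement.

```shell
#!/bin/sh
# Added example (not from the thread): locate binaries that carry their own copy
# of zlib rather than using the system libz, so each can be tracked for its own
# fix. zlib compiles a banner such as " inflate 1.1.3 Copyright 1995-1998 Mark
# Adler " into every object linking its inflate/deflate code, and the banner
# survives in the final executable. Assumes POSIX sh with find, tr, grep, awk, sort.

# Print "<path><TAB><version>" for every regular file under $1 with a zlib banner.
find_bundled_zlib() {
    find "$1" -type f 2>/dev/null | while read -r f; do
        # Split the binary into printable runs, one per line, and pick the banner.
        ver=$(tr -c '[:print:]' '\n' < "$f" \
            | grep -E '^ ?(inflate|deflate) [0-9]+\.[0-9]+(\.[0-9]+)? Copyright' \
            | head -n 1 | awk '{print $2}')
        if [ -n "$ver" ]; then printf '%s\t%s\n' "$f" "$ver"; fi
    done
}

# Return 0 when dotted version $1 is strictly older than $2.
version_older() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" \
        | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# List bundled copies under $1 older than $2, the version that carries the fix
# (the thread names no version, so the caller supplies it).
report_outdated() {
    find_bundled_zlib "$1" | while IFS="$(printf '\t')" read -r path ver; do
        if version_older "$ver" "$2"; then
            printf '%s bundles zlib %s (older than %s)\n' "$path" "$ver" "$2"
        fi
    done
}

# Constructed sample tree: one fake binary embedding a zlib 1.1.3 banner, one
# that only references the shared library. Prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    printf '\177ELF\001\002 inflate 1.1.3 Copyright 1995-1998 Mark Adler \000\003' \
        > "$d/bin/bundled"
    printf '\177ELF\001\002libz.so.1\000\003' > "$d/bin/dynamic"
    echo "$d"
}

# Demo on the sample tree; on a real host run e.g. report_outdated /usr <fixed-version>
# with the version your system libz was fixed at (1.1.4 below is an assumed value).
sample=$(make_sample_tree)
report_outdated "$sample" 1.1.4
rm -rf "$sample"
```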