Bug 61406 - rsync links statically with zlib
Summary: rsync links statically with zlib
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: rsync   
Version: 6.2
Hardware: All Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Aaron Brown
Keywords: Security
Reported: 2002-03-19 10:14 UTC by Henning Schmiedehausen
Modified: 2014-03-17 02:26 UTC (History)

Doc Type: Bug Fix
Last Closed: 2002-03-19 10:14:45 UTC

Description Henning Schmiedehausen 2002-03-19 10:14:41 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.8) Gecko/20020206

Description of problem:
The zlib-scanner from Florian Weimer shows

/tmp/scanner.pl /usr/bin/rsync 
/usr/bin/rsync: inflate version: "1.1.2 Copyright 1995-1998 Mark Adler"
/usr/bin/rsync: zlib cplens table, little endian
/usr/bin/rsync: zlib cplext table (version 1.0.5 to 1.1.4)

rpm -qf /usr/bin/rsync
rsync-2.4.6-3.6

which is the current release for RH 6.2

so this binary is vulnerable to the zlib problem 

Version-Release number of selected component (if applicable):
rsync-2.4.6-3.6


How reproducible:
Always

Steps to Reproduce:
1. get the zlib scanner
2. run it on /usr/bin/rsync

Actual Results:  rsync is linked statically to zlib 

Expected Results:  should be linked to a non-vulnerable version 

Additional info:

Comment 1 Bill Nottingham 2002-03-19 15:59:44 UTC
Um, that's *why* rsync was part of the zlib errata. It contains the fix.

Comment 2 Bill Nottingham 2002-03-19 16:41:25 UTC
FWIW, rsync uses a specially modified version of zlib; that's why it doesn't
link against the system one.
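
The kind of signature scan discussed in this report, as an added example (it is not Florian Weimer's scanner.pl and not part of the original bug): it looks for the inflate copyright string and the cplens table from zlib's inftrees.c inside a binary, assuming zlib's uInt is 32 bits wide. A hit shows that a copy of zlib is embedded in the file, not whether that copy carries the fix, which is the point of Comments 1 and 2.

```python
import re
import struct

# cplens table from zlib's inftrees.c (copy lengths for literal codes 257..285).
CPLENS = [3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
          35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258, 0, 0]

# Copyright string that inflate embeds in the compiled object.
INFLATE_RE = re.compile(rb"inflate (\d+(?:\.\d+)+) Copyright ([\d-]+) Mark Adler")


def pack_table(values, byte_order):
    """Pack a table as 32-bit unsigned ints (assumed width of zlib's uInt)."""
    return struct.pack(f"{byte_order}{len(values)}I", *values)


def scan_for_zlib(data):
    """Return findings that suggest an embedded (statically linked) zlib copy."""
    findings = []
    for match in INFLATE_RE.finditer(data):
        findings.append(f"inflate version: {match.group(1).decode()}")
    for label, order in (("little endian", "<"), ("big endian", ">")):
        if pack_table(CPLENS, order) in data:
            findings.append(f"zlib cplens table, {label}")
    return findings


def scan_file(path):
    """Read a file in binary mode and scan its full contents."""
    with open(path, "rb") as fh:
        return scan_for_zlib(fh.read())


# Constructed sample: filler bytes around the two signatures, standing in
# for a real binary so the example runs offline.
SAMPLE = (b"\x7fELF" + b"\x00" * 64
          + b" inflate 1.1.2 Copyright 1995-1998 Mark Adler \x00"
          + b"\x90" * 32 + pack_table(CPLENS, "<") + b"\x00" * 16)

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        for finding in scan_file(target):
            print(f"{target}: {finding}")
```

To decide whether a flagged package is actually affected, check the vendor errata or the package changelog for the embedded copy rather than relying on the version string.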

