Red Hat Bugzilla – Bug 61408
This is a bug in the "info" component but bugzilla doesn't offer "info"
Last modified: 2007-04-18 12:41:00 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.8) Gecko/20020206
Description of problem:
/sbin/install-info is linked statically against a vulnerable zlib
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. get the zlib-scanner from Florian Weimer
2. run it on /sbin/install-info
3. /tmp/scanner.pl /sbin/install-info
/sbin/install-info: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler"
/sbin/install-info: zlib cplens table, little endian
/sbin/install-info: zlib cplext table (version 1.0.5 to 1.1.4)
Actual Results: The linked zlib is vulnerable
Name        : info                          Relocations: /usr
Version     : 4.0                                Vendor: Red Hat, Inc.
Release     : 5                              Build Date: Wed Feb 9 23:08:47 2000
Install date: Wed Nov 1 18:28:53 2000        Build Host: porky.devel.redhat.com
Group       : System Environment/Base        Source RPM: texinfo-4.0-5.src.rpm
Size        : 243608                            License: GPL
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Summary     : A stand-alone TTY-based reader for GNU texinfo documentation.
The GNU project uses the texinfo file format for much of its
documentation. The info package provides a standalone TTY-based
browser program for viewing texinfo files.
Errors against info should be filed against "texinfo", which is the source rpm
for the info rpm (and others). You can get that information with "rpm -qi info".
Anyway, the install-info issue was investigated along with the others and found
not to be an issue. If you install trojan packages, there are many other things
to do than trip zlib :).
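
An added sketch of the kind of check run in the steps to reproduce (this is not Florian Weimer's zlib-scanner and not part of the report): it searches a binary for the zlib banner string and for the DEFLATE base-length table, which this example assumes is what the scanner output calls the cplens table. The function names, the integer encodings tried, and the sample bytes are this example's own.

```python
import re
import struct
import sys

# Banner format as shown in the scanner output quoted in the report.
BANNER = re.compile(rb"(inflate|deflate) (\d+(?:\.\d+)+)\S* Copyright")

# DEFLATE base match lengths for codes 257..285 (RFC 1951, section 3.2.5).
# Inflate code needs this table, so it remains even if the banner is removed.
BASE_LENGTHS = (3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
                35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258)

# Assumption: the table is stored as 16- or 32-bit integers, either byte order.
ENCODINGS = {"32-bit little endian": "<29I", "32-bit big endian": ">29I",
             "16-bit little endian": "<29H", "16-bit big endian": ">29H"}


def scan_for_zlib(data):
    """Return sorted (offset, description) findings for zlib embedded in data."""
    findings = [(m.start(), "%s version: %s" % (m.group(1).decode(),
                                                m.group(2).decode()))
                for m in BANNER.finditer(data)]
    for label, fmt in ENCODINGS.items():
        needle = struct.pack(fmt, *BASE_LENGTHS)
        pos = data.find(needle)
        while pos != -1:
            findings.append((pos, "length table, " + label))
            pos = data.find(needle, pos + 1)
    return sorted(findings)


def embedded_versions(data):
    """Distinct zlib version strings found in banners."""
    return sorted({m.group(2).decode() for m in BANNER.finditer(data)})


def constructed_sample():
    """Constructed stand-in for a statically linked binary (not a real ELF)."""
    banner = b" inflate 1.1.3 Copyright 1995-1998 Mark Adler "
    table = struct.pack("<29I", *BASE_LENGTHS)
    return b"\x7fELF" + b"\x00" * 60 + banner + b"\x00" * 17 + table + b"\xcc" * 8


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    for offset, what in scan_for_zlib(blob):
        print("0x%08x: %s" % (offset, what))
```

A banner hit in a binary that does not dynamically link libz suggests a static copy; the table match still works when the banner string has been stripped.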