From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.8) Gecko/20020206

Description of problem:
/sbin/install-info is linked statically against a vulnerable zlib

Version-Release number of selected component (if applicable):
info-4.0-5

How reproducible:
Always

Steps to Reproduce:
1. get the zlib-scanner from Florian Weimer
2. run it on /sbin/install-info
3. /tmp/scanner.pl /sbin/install-info
/sbin/install-info: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler"
/sbin/install-info: zlib cplens table, little endian
/sbin/install-info: zlib cplext table (version 1.0.5 to 1.1.4)

Actual Results:
The linked zlib is vulnerable

Additional info:

Name        : info                          Relocations: /usr
Version     : 4.0                           Vendor: Red Hat, Inc.
Release     : 5                             Build Date: Wed Feb 9 23:08:47 2000
Install date: Wed Nov 1 18:28:53 2000       Build Host: porky.devel.redhat.com
Group       : System Environment/Base       Source RPM: texinfo-4.0-5.src.rpm
Size        : 243608                        License: GPL
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Summary     : A stand-alone TTY-based reader for GNU texinfo documentation.
Description :
The GNU project uses the texinfo file format for much of its documentation. The info package provides a standalone TTY-based browser program for viewing texinfo files.

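
Added example, not part of the original report and not Florian Weimer's scanner: a minimal Python check for two of the signatures shown in the scanner output above, the inflate version banner and the cplens table, to find binaries that carry their own copy of zlib. The function names, the 32-bit table layout and the 1.1.4 cutoff are assumptions of this example.

```python
import re
import struct

# Version banner embedded by zlib's inflate code (matches the scanner output above).
INFLATE_BANNER = re.compile(
    rb"inflate (\d+(?:\.\d+)+) Copyright 1995-\d{4} Mark Adler")

# Deflate base lengths for codes 257..285 (RFC 1951), the start of zlib's
# "cplens" table. Assumption: stored as 32-bit integers, as in zlib 1.1.x.
CPLENS = (3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43,
          51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258)
CPLENS_LE = struct.pack("<29I", *CPLENS)
CPLENS_BE = struct.pack(">29I", *CPLENS)

# Assumption of this example: 1.1.4 is treated as the first fixed release.
FIXED = (1, 1, 4)


def scan_bytes(data):
    """Return findings for one binary image: embedded inflate versions,
    which cplens table (if any) is present, and versions older than FIXED."""
    versions = sorted({m.group(1).decode() for m in INFLATE_BANNER.finditer(data)})
    if CPLENS_LE in data:
        table = "little endian"
    elif CPLENS_BE in data:
        table = "big endian"
    else:
        table = None
    outdated = [v for v in versions
                if tuple(int(p) for p in v.split(".")) < FIXED]
    return {"inflate_versions": versions, "cplens_table": table,
            "outdated": outdated,
            "embedded_zlib": bool(versions) or table is not None}


def scan_file(path):
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed sample: padding + banner + table, standing in for a static binary.
SAMPLE = (b"\x7fELF" + b"\0" * 64
          + b" inflate 1.1.3 Copyright 1995-1998 Mark Adler \0"
          + b"\0" * 3 + CPLENS_LE + b"\0\0\0\0")

if __name__ == "__main__":
    print(scan_bytes(SAMPLE))
```

A table hit without a banner still indicates embedded inflate code, which is why the two signatures are reported separately.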
Errors against info should be filed against "texinfo", which is the source rpm for the info rpm (and others). You can get that information with "rpm -qi info". Anyway, the install-info issue was investigated along with the others and found not to be an issue. If you install trojan packages, there are many other things to do than trip zlib :).