RE: VNC Security Bulletin - zlib double free issue (multiple vendors and versions)

["Andrew van der Stock" <ajv () greebo net>]

Anthony,

Good point. 

Apple has not changed its mind, and we've not contacted them. The
reasoning for including it is that VNC Thing is statically linked
against zlib 1.1.3, thus potentially leading to a local viewer crash
given the circumstances noted in our advisory - including the caveat
that the malloc/free behavior has to be faulty as well, which may or may
not be true. 

Apple's statement is: "Mac OS X and Mac OS X Server do not contain this
vulnerability." Does MacOS X and MacOS X Server even have a copy of zlib
(ie libz.so) by default? Or is down to the FreeBSD malloc / free
behavior of MacOS X? Hard to say - not a lot of information to go on. 

VNC Thing is being updated, if you're concerned and want to upgrade,
great. Otherwise, in a very narrow set of circumstances, it *may* be
possible to cause the VNC Thing viewer to crash as older versions *do*
have a copy of the faulty zlib library. 

Andrew

-----Original Message-----
From: Anthony DeRobertis [mailto:asd () suespammers org] 
Sent: Friday, 5 April 2002 5:58 PM
To: Andrew van der Stock
Cc: bugtraq () securityfocus com
Subject: Re: VNC Security Bulletin - zlib double free issue (multiple
vendors and versions)


On Tuesday, April 2, 2002, at 08:17 PM, Andrew van der Stock wrote:

> * VNCThing prior to version 2.3 for Mac OS 8/9/X
Apple has stated that the zlib vulnerabilities do not apply to 
Mac OS X (see the vendor responses to the original CERT notice, 
for example). Is VNCThing for Mac OS X an exception? Or has 
Apple changed its mind.