Re: CVE 2006 4334 taken care of in 1.3.7+ ?

bug-gzip

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE 2006 4334 taken care of in 1.3.7+ ?

From:	Paul Eggert
Subject:	Re: CVE 2006 4334 taken care of in 1.3.7+ ?
Date:	Thu, 07 Dec 2006 09:47:44 -0800
User-agent:	Gnus/5.1008 (Gnus v5.10.8) Emacs/21.4 (gnu/linux)

Package: gzip
Version: 1.3.5-15

Mike Frysinger <address@hidden> writes about
<ftp://alpha.gnu.org/gnu/gzip/gzip-1.3.7.tar.gz>
as follows:

> the attached patch [mostly] applies to current CVS ... i'm not familiar with 
> gzip/zlib code so better to let the experts decide if this issue has been 
> fully accounted for :)

<http://www.debian.org/security/2006/dsa-1181> says that CVE-2006-4334
through -4338 have been fixed in Debian version 1.3.5-15.  1.3.5-15
patched unlzh.c and unpack.c in quite a different way than
1.3.5-10sarge2 (which was the patch you forwarded to me).  I don't
know why two markedly different patches were applied, but I assume
that either set will do, and I took the 1.3.5-15 patches as being
simpler and easier to understand.

I will CC: this to the Debian bug list so that the issue can be
documented there.  Is it intended that gzip 1.3.5-15 use quite a
different patch set than 1.3.5-10sarge2, and that either patch
fixes the security holes in question?

[Prev in Thread]

Current Thread

[Next in Thread]

CVE 2006 4334 taken care of in 1.3.7+ ?, Mike Frysinger, 2006/12/07
- Re: CVE 2006 4334 taken care of in 1.3.7+ ?, Paul Eggert <=
  - Re: Bug#402042: CVE 2006 4334 taken care of in 1.3.7+ ?, Bdale Garbee, 2006/12/09

Prev by Date: gzip-1.3.6 compilation failure on MacOS X
Next by Date: Re: [patch] fix segfault encountered while compressing xorg fonts
Previous by thread: CVE 2006 4334 taken care of in 1.3.7+ ?
Next by thread: Re: Bug#402042: CVE 2006 4334 taken care of in 1.3.7+ ?
Index(es):
- Date
- Thread