Question about some CVE patches
From: Nicolas Vigier
Subject: Question about some CVE patches
Date: Sun, 7 Jul 2013 22:12:07 +0200
User-agent: Mutt/1.5.21 (2010-09-15)
Hello,
While looking at the gzip package on Mageia, I noticed that it still
includes some patches for CVEs from 2006 or 2009:
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/gzip-1.3.5-cve-2006-4335.patch?revision=389214&view=markup
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/gzip-1.5-CVE-2009-2624-1.diff?revision=389214&view=markup
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/gzip-1.5-cve-2006-4337.patch?revision=389214&view=markup
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/gzip-1.5-cve-2006-4337_len.patch?revision=389214&view=markup
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/gzip-1.5-cve-2006-4338.patch?revision=389214&view=markup
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/gzip-1.6-cve-2006-4336.patch?revision=450920&view=markup
I would expect those CVEs to be fixed in recent releases of gzip, so I'm
thinking about dropping the patches. The package did not have a
maintainer until recently, so it's possible the patches were just
forgotten and nobody bothered to check if they are still needed when
updating the package.
But before doing that, I checked the Fedora package and noticed that it
includes patches for 3 of those CVEs:
http://pkgs.fedoraproject.org/cgit/gzip.git/tree/gzip-1.3.13-cve-2006-4337.patch
http://pkgs.fedoraproject.org/cgit/gzip.git/tree/gzip-1.3.5-cve-2006-4337_len.patch
http://pkgs.fedoraproject.org/cgit/gzip.git/tree/gzip-1.3.5-cve-2006-4338.patch
I also checked the packages on openSUSE, Debian, Gentoo and Arch Linux,
and they don't include those patches.
Does anyone know if those patches are still needed, or can be safely
dropped?
Thanks,
Nicolas