Re: CVE 2006 4334 taken care of in 1.3.7+ ?
From: Paul Eggert
Subject: Re: CVE 2006 4334 taken care of in 1.3.7+ ?
Date: Thu, 07 Dec 2006 09:47:44 -0800
User-agent: Gnus/5.1008 (Gnus v5.10.8) Emacs/21.4 (gnu/linux)
Package: gzip
Version: 1.3.5-15
Mike Frysinger <address@hidden> writes about
<ftp://alpha.gnu.org/gnu/gzip/gzip-1.3.7.tar.gz>
as follows:
> the attached patch [mostly] applies to current CVS ... I'm not familiar with
> gzip/zlib code so better to let the experts decide if this issue has been
> fully accounted for :)
<http://www.debian.org/security/2006/dsa-1181> says that CVE-2006-4334
through -4338 have been fixed in Debian version 1.3.5-15. 1.3.5-15
patched unlzh.c and unpack.c in quite a different way than
1.3.5-10sarge2 (which was the patch you forwarded to me). I don't
know why two markedly different patches were applied, but I assume
that either set will do, and I took the 1.3.5-15 patches as being
simpler and easier to understand.
I will CC: this to the Debian bug list so that the issue can be
documented there. Is it intended that gzip 1.3.5-15 use quite a
different patch set than 1.3.5-10sarge2, and that either patch
fixes the security holes in question?