Re: fix for CVE-2010-0001, gzip-1.4 to be released shortly

bug-gzip

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: fix for CVE-2010-0001, gzip-1.4 to be released shortly

From:	Mike Frysinger
Subject:	Re: fix for CVE-2010-0001, gzip-1.4 to be released shortly
Date:	Sat, 30 Jan 2010 16:03:47 -0500
User-agent:	KMail/1.12.4 (Linux/2.6.32.6; KDE/4.3.4; x86_64; ; )

On Wednesday 20 January 2010 11:01:31 Jim Meyering wrote:
> Here's the patch for CVE-2010-0001,
> along with a test to exercise the offending code.
> 
> I expect to release gzip-1.4 within the next few hours.
> 
> From a3db5806d012082b9e25cc36d09f19cd736a468f Mon Sep 17 00:00:00 2001
> From: Jim Meyering <address@hidden>
> Date: Sun, 10 Jan 2010 17:13:01 +0100
> Subject: [PATCH 1/2] gzip -d: do not clobber stack for valid input on
>  x86_64
> 
> * unlzw.c (unlzw): Avoid integer overflow.
> Aki Helin reported the segfault along with an input to trigger the bug.

this code applies unchanged (not surprisingly) to the original lzw 
implementation.  but the redhat bug report says that the issue doesnt apply to 
the original ncompress (4.2.4) implementation ?

not sure if you want to just keep the inner details off of public lists ...
-mike

signature.asc
Description: This is a digitally signed message part.

[Prev in Thread]

Current Thread

[Next in Thread]

fix for CVE-2010-0001, gzip-1.4 to be released shortly, Jim Meyering, 2010/01/20
- Re: fix for CVE-2010-0001, gzip-1.4 to be released shortly, Mike Frysinger <=

Prev by Date: [PATCH] gzexe: fix exit status of signal handlers
Previous by thread: fix for CVE-2010-0001, gzip-1.4 to be released shortly
Next by thread: gzip-1.4 released [stable/security]
Index(es):
- Date
- Thread