bug-gzip

Question about some CVE patches


From: Nicolas Vigier
Subject: Question about some CVE patches
Date: Sun, 7 Jul 2013 22:12:07 +0200
User-agent: Mutt/1.5.21 (2010-09-15)

Hello,

While looking at the gzip package on Mageia, I noticed that it still
includes some patches for CVEs from 2006 or 2009:

http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/gzip-1.3.5-cve-2006-4335.patch?revision=389214&view=markup
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/gzip-1.5-CVE-2009-2624-1.diff?revision=389214&view=markup
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/gzip-1.5-cve-2006-4337.patch?revision=389214&view=markup
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/gzip-1.5-cve-2006-4337_len.patch?revision=389214&view=markup
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/gzip-1.5-cve-2006-4338.patch?revision=389214&view=markup
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/gzip-1.6-cve-2006-4336.patch?revision=450920&view=markup

I would expect those CVEs to be fixed in recent releases of gzip, so I'm
thinking about dropping the patches. The package did not have a
maintainer until recently, so it's possible the patches were just
forgotten and nobody bothered to check if they are still needed when
updating the package.

But before doing that, I checked the Fedora package and noticed that it
includes patches for 3 of those CVEs:
http://pkgs.fedoraproject.org/cgit/gzip.git/tree/gzip-1.3.13-cve-2006-4337.patch
http://pkgs.fedoraproject.org/cgit/gzip.git/tree/gzip-1.3.5-cve-2006-4337_len.patch
http://pkgs.fedoraproject.org/cgit/gzip.git/tree/gzip-1.3.5-cve-2006-4338.patch

I also checked the packages on openSUSE, Debian, Gentoo and Arch Linux,
and they don't include those patches.

Does anyone know if those patches are still needed, or can they be safely
dropped?

Thanks,
Nicolas
