Re: CVE 2006 4334 taken care of in 1.3.7+ ?

From: Paul Eggert
Subject: Re: CVE 2006 4334 taken care of in 1.3.7+ ?
Date: Thu, 07 Dec 2006 09:47:44 -0800
Package: gzip
Version: 1.3.5-15

Mike Frysinger <address@hidden> writes about
as follows:

> the attached patch [mostly] applies to current CVS ... I'm not familiar with
> gzip/zlib code so better to let the experts decide if this issue has been
> fully accounted for :)

<http://www.debian.org/security/2006/dsa-1181> says that CVE-2006-4334
through -4338 have been fixed in Debian version 1.3.5-15.  1.3.5-15
patched unlzh.c and unpack.c in quite a different way than
1.3.5-10sarge2 (which was the patch you forwarded to me).  I don't
know why two markedly different patches were applied, but I assume
that either set will do, and I took the 1.3.5-15 patches as being
simpler and easier to understand.

I will CC: this to the Debian bug list so that the issue can be
documented there.  Is it intended that gzip 1.3.5-15 use quite a
different patch set than 1.3.5-10sarge2, and that either patch
fixes the security holes in question?

