[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#30040: Mageia patching gzip with old CVE's

From: Jim Meyering
Subject: bug#30040: Mageia patching gzip with old CVE's
Date: Wed, 10 Jan 2018 21:17:05 -0800

On Mon, Jan 8, 2018 at 11:01 PM, Stig-Ørjan Smelror <address@hidden> wrote:
> Hi everyone.
> I'm a packager padawan with Mageia and started working on packaging
> gzip-1.9 yesterday.
> When looking through the list of patches for gzip, I noticed quite a few
> CVE's lingering there and then looking through the code it "seemed to me"
> that these CVE's are not included.
> Then I thought, perhaps they've managed to fix these in other ways, but
> since I'm no programmer and not really sure, I wanted to ask you.
> Can you please take a look at the patches Mageia uses and let me know if
> they are necessary or needs to be rebased for gzip-1.9?
> http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/

The CVE-2006-???? bugs were all fixed in upstream commit
There is nothing of significance in the gzip-1.5-CVE-2009-2624-1.diff patch.
Thus, you may safely remove those .diff files.

Also, the zforce-related patch does this, which looks wrong:

- if gzip -lv < "$i" 2>/dev/null | grep '^defl' > /dev/null; then
+ if gzip -l < "$i" 2>/dev/null | grep '^compressed' > /dev/null; then

since that beginning-of-line-anchored regexp will never match gzip's -l output:

$ :|gzip|gzip -l
         compressed        uncompressed  ratio uncompressed_name
                 -1                  -1   0.0% stdout

I suggest you remove that patch, too.

Finally, gzip-1.3.3-window-size.patch does this to gzip.c:

-DECLARE(uch, window, 2L*WSIZE);
+DECLARE(uch, window, 2L*WSIZE + 4096);

Considering it was relative to 1.3.3, which is from over 15 years ago,
I suggest you discard it, too.

I'm marking this ticket as "done", but feel free to reply: any replies
still go to the list and the bug database.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]