Ticket #2193 (closed bug: fixed)

Opened 8 months ago

Last modified 5 months ago

Gzip needs 1.2.4b patch applied (easy one)

Reported by: scottmc
Owned by: axeld
Priority: normal
Milestone: R1
Component: Applications/Command Line Tools
Version: R1 development
Cc:
Blocked By:
Platform: All
Blocking:

Description

From http://www.gzip.org/:

Important security patch

gzip 1.2.4 may crash when an input file name is too long (over 1020 characters). The buffer overflow may be exploited if gzip is run by a server such as an ftp server. Some ftp servers allow compression and decompression on the fly and are thus vulnerable. See technical details here. This patch to gzip 1.2.4 fixes the problem. The beta version 1.3.3 already includes a sufficient patch; use this version if you have to handle files larger than 2 GB. A new official version of gzip will be released soon.

Note that the last update to that page was July 27th, 2003, so probably not going to see a released 1.3.3 soon. I suggest we patch to 1.2.4b. Here's the URL to the patch file:

http://www.gzip.org/gzip-1.2.4b.patch
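
The kind of check the quoted advisory calls for, as an added example that is not part of this ticket, of gzip's source or of the 1.2.4b patch: validate the file name length before copying it into a fixed buffer. The 1024-byte buffer, the ".gz" suffix and the helper names are assumptions chosen to match the 1020-character figure quoted above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumptions for illustration (not taken from gzip's source): a 1024-byte
 * name buffer and a ".gz" suffix appended later. Suffix plus NUL take 4
 * bytes, so the longest acceptable name is 1020 characters. */
#define NAME_BUF_SIZE 1024
#define SUFFIX ".gz"

/* Hypothetical helper: copy a caller-supplied file name into a fixed buffer,
 * reserving room for SUFFIX. The unsafe pattern is a bare strcpy(dst, name).
 * Returns 0 on success, -1 if the name does not fit (dst is left empty). */
int set_input_name(char *dst, size_t dst_size, const char *name)
{
    size_t len;
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (name == NULL)
        return -1;
    len = strlen(name);
    /* Check BEFORE copying, counting the suffix and the terminator.
     * The first test guards the subtraction against wraparound. */
    if (dst_size < sizeof SUFFIX || len > dst_size - sizeof SUFFIX)
        return -1;              /* reject; do not truncate silently */
    memcpy(dst, name, len + 1); /* len + 1 copies the NUL as well */
    return 0;
}

/* Hypothetical helper: append SUFFIX, re-checking the bound defensively. */
int add_suffix(char *dst, size_t dst_size)
{
    size_t len = strlen(dst);
    if (dst_size < sizeof SUFFIX || len > dst_size - sizeof SUFFIX)
        return -1;
    memcpy(dst + len, SUFFIX, sizeof SUFFIX);
    return 0;
}

int main(int argc, char **argv)
{
    char ifname[NAME_BUF_SIZE];
    if (argc < 2 || set_input_name(ifname, sizeof ifname, argv[1]) != 0)
        return 1;               /* name missing or too long */
    add_suffix(ifname, sizeof ifname);
    puts(ifname);
    return 0;
}
```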

Change History

Changed 5 months ago by scottmc

  • summary changed from Gzip needs 1.2.4b patch applied to Gzip needs 1.2.4b patch applied (easy one)

Just need to apply the patch...

Changed 5 months ago by scottmc

There is a 1.3.12 which is used by FreeBSD among others: http://ports.haiku-files.org/wiki/app-arch/gzip/1.3.12/1

Changed 5 months ago by korli

  • status changed from new to closed
  • resolution set to fixed

Applied in r27050.
