Opened 11 years ago

Closed 11 years ago

#2193 closed bug (fixed)

Gzip needs 1.2.4b patch applied (easy one)

Reported by: scottmc
Owned by: axeld
Priority: normal
Milestone: R1
Component: Applications/Command Line Tools
Version: R1/pre-alpha1
Keywords:
Cc:
Blocked By:
Blocking:
Has a Patch: no
Platform: All

Description

From http://www.gzip.org/:

Important security patch

gzip 1.2.4 may crash when an input file name is too long (over 1020 characters). The buffer overflow may be exploited if gzip is run by a server such as an ftp server. Some ftp servers allow compression and decompression on the fly and are thus vulnerable. See technical details here. This patch to gzip 1.2.4 fixes the problem. The beta version 1.3.3 already includes a sufficient patch; use this version if you have to handle files larger than 2 GB. A new official version of gzip will be released soon.

Note that the last update to that page was July 27th, 2003, so probably not going to see a released 1.3.3 soon. I suggest we patch to 1.2.4b; here's the URL to the patch file:

http://www.gzip.org/gzip-1.2.4b.patch
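
The kind of length check that prevents the overflow described above, as an added illustration; it is not the gzip 1.2.4b patch and not Haiku code. The 1024-byte buffers, the ".gz" suffix and the helper names are assumptions, chosen so that the limit matches the 1020 characters quoted in the description.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes, not taken from the ticket: a 1024-byte name buffer and a
 * 3-character suffix, which together give the 1020-character limit. */
#define NAME_BUF_LEN 1024
#define SUFFIX ".gz"

static char ifname[NAME_BUF_LEN];  /* input file name */
static char ofname[NAME_BUF_LEN];  /* output file name = input name + suffix */

/* Hypothetical helper: returns 0 on success, -1 if the name is too long.
 * The length is checked before any copy, so neither buffer can overflow. */
int set_file_names(const char *iname)
{
    size_t len = strlen(iname);
    size_t suffix_len = strlen(SUFFIX);

    /* ofname needs len + suffix_len + 1 (NUL) bytes; reject anything larger. */
    if (len >= NAME_BUF_LEN - suffix_len) {
        fprintf(stderr, "file name too long (%zu characters)\n", len);
        return -1;
    }
    memcpy(ifname, iname, len + 1);               /* copy includes the NUL */
    memcpy(ofname, iname, len);
    memcpy(ofname + len, SUFFIX, suffix_len + 1); /* suffix plus NUL */
    return 0;
}

/* Constructed input: a name made of n 'a' characters, to probe the limit. */
int try_name_of_length(size_t n)
{
    static char name[4096];

    if (n >= sizeof name)
        return -1;
    memset(name, 'a', n);
    name[n] = '\0';
    return set_file_names(name);
}

int main(void)
{
    printf("1020 chars: %d\n", try_name_of_length(1020));
    printf("1021 chars: %d\n", try_name_of_length(1021));
    return 0;
}
```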

Change History (3)

comment:1 by scottmc, 11 years ago

Summary: Gzip needs 1.2.4b patch applied → Gzip needs 1.2.4b patch applied (easy one)

Just need to apply the patch...

comment:2 by scottmc, 11 years ago

There is a 1.3.12 which is used by FreeBSD among others: http://ports.haiku-files.org/wiki/app-arch/gzip/1.3.12/1

comment:3 by korli, 11 years ago

Resolution: fixed
Status: new → closed

Applied in hrev27050.
