gzip-1.3.5 vulnerabilities
Matthew Burgess
matthew at linuxfromscratch.org
Fri May 13 10:56:09 MDT 2005
Ken Moffat wrote:
> Thanks, Matt. But the first vulnerability is apparently only in 1.3.3
> and earlier (unless CVE are mistaken). The patch applies, and doesn't
> seem to deal with directory traversal, so I guess it's only
> CAN-2005-1228 that we should be concerned about.
Well, please don't shoot the messenger :)
All I did was download
http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.diff.gz
and
http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.1.diff.gz.
I applied one patch to one clean untarred copy of gzip-1.3.5 and the
other patch to a separate copy of gzip-1.3.5. I then did a `diff' on
the two trees and the patch I posted was the result of that. Having
said that, the second hunk is the only thing that looks remotely like it
could deal with the traversal vulnerability. As for the accuracy or
otherwise of CVE's information, I'm not at all qualified to say :)
Best regards,
Matt.
More information about the lfs-security
mailing list