Fedora Legacy Test Update Notification: gzip

Marc Deslauriers marcdeslauriers at videotron.ca
Mon Jul 18 21:00:01 UTC 2005


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-157696
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157696
2005-07-18
---------------------------------------------------------------------

Name        : gzip
Versions    : rh73: gzip-1.3.3-1.1.legacy
Versions    : rh9: gzip-1.3.3-9.1.legacy
Versions    : fc1: gzip-1.3.3-11.1.legacy
Versions    : fc2: gzip-1.3.3-12.1.legacy
Summary     : The GNU data compression program.
Description :
The gzip package contains the popular GNU gzip data compression
program. Gzipped files have a .gz extension.

---------------------------------------------------------------------
Update Information:

An updated gzip package is now available.

The gzip package contains the GNU gzip data compression program.

A bug was found in the way zgrep processes file names. If a user can be
tricked into running zgrep on a file with a carefully crafted file name,
arbitrary commands could be executed as the user running zgrep. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0758 to this issue.

A bug was found in the way gunzip modifies permissions of files being
decompressed. A local attacker with write permissions in the directory
in which a victim is decompressing a file could remove the file being
written and replace it with a hard link to a different file owned by the
victim; gunzip then gives the linked file the permissions of the
uncompressed file. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0988 to this issue.

A directory traversal bug was found in the way gunzip processes the -N
flag. If a victim decompresses a file with the -N flag, gunzip fails to
sanitize the path, which could result in a file owned by the victim being
overwritten. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-1228 to this issue.
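
The check that CAN-2005-1228 calls for, as an added example (not code from
this advisory or from the gzip patches): read the original file name that
-N restores from the gzip header (the FNAME field of RFC 1952) and keep only
its last path component. The function names and sample headers below are
constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GZ_FEXTRA 0x04   /* RFC 1952 FLG bits */
#define GZ_FNAME  0x08

/* Find the NUL-terminated FNAME field of a gzip member header (RFC 1952).
 * Returns NULL if the field is absent or the header is malformed. */
static const char *gz_stored_name(const unsigned char *buf, size_t len) {
    size_t pos = 10;   /* fixed part: ID1 ID2 CM FLG MTIME[4] XFL OS */
    if (len < 10 || buf[0] != 0x1f || buf[1] != 0x8b || buf[2] != 8)
        return NULL;
    if (buf[3] & GZ_FEXTRA) {          /* skip XLEN (little endian) + extra data */
        if (len - pos < 2) return NULL;
        size_t xlen = buf[pos] | ((size_t)buf[pos + 1] << 8);
        if (len - pos - 2 < xlen) return NULL;
        pos += 2 + xlen;
    }
    if (!(buf[3] & GZ_FNAME) || !memchr(buf + pos, 0, len - pos))
        return NULL;                   /* no name, or name not terminated */
    return (const char *)(buf + pos);
}

/* Output name for "gunzip -N": the stored name with every directory
 * component dropped. Returns 0 on success, -1 if the name is unusable
 * (the caller should then derive the name from the input file instead). */
int gz_output_name(const unsigned char *hdr, size_t len, char *out, size_t outsz) {
    const char *stored = gz_stored_name(hdr, len);
    if (!stored) return -1;
    const char *base = strrchr(stored, '/');
    base = base ? base + 1 : stored;
    if (!*base || !strcmp(base, ".") || !strcmp(base, "..") || strlen(base) >= outsz)
        return -1;
    strcpy(out, base);
    return 0;
}

/* Constructed sample headers; the array's implicit trailing NUL ends FNAME. */
static const unsigned char hdr_rel[] = "\x1f\x8b\x08\x08\0\0\0\0\0\x03" "../../out/notes.txt";
static const unsigned char hdr_abs[] = "\x1f\x8b\x08\x0c\0\0\0\0\0\x03" "\x02\0" "AB" "/srv/data/report.log";
static const unsigned char hdr_dots[] = "\x1f\x8b\x08\x08\0\0\0\0\0\x03" "..";

int main(void) {
    char name[64];
    if (gz_output_name(hdr_rel, sizeof hdr_rel, name, sizeof name) == 0)
        puts(name);
    return 0;
}
```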

Users of gzip should upgrade to this updated package, which contains
backported patches to correct these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Wed Jul 13 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 1.3.3-1.1.legacy
- Patches for CAN 2005-0758, 2005-0988, 2005-1228 (#157696)

rh9:
* Wed Jul 13 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 1.3.3-9.1.legacy
- Patches for CAN 2005-0758, 2005-0988, 2005-1228 (#157696)

fc1:
* Wed Jul 13 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 1.3.3-11.1.legacy
- Patches for CAN 2005-0758, 2005-0988, 2005-1228 (#157696)

fc2:
* Wed Jul 13 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 1.3.3-12.1.legacy
- Patches for CAN 2005-0758, 2005-0988, 2005-1228 (#157696)

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh73:
6d93fc47e14ad87b869a26824a53c7c4c86efd8d
redhat/7.3/updates-testing/i386/gzip-1.3.3-1.1.legacy.i386.rpm
acb874d06480862be1f866bb2e7cb334f68ffd70
redhat/7.3/updates-testing/SRPMS/gzip-1.3.3-1.1.legacy.src.rpm

rh9:
e502c04eba525ffc028597d89a561234a5e4677a
redhat/9/updates-testing/i386/gzip-1.3.3-9.1.legacy.i386.rpm
87df69eab2730b360ab121c9cf0ff6884a086252
redhat/9/updates-testing/SRPMS/gzip-1.3.3-9.1.legacy.src.rpm

fc1:
7a915440462673b34c4c24cb91224d80c353beb1
fedora/1/updates-testing/i386/gzip-1.3.3-11.1.legacy.i386.rpm
59ee2ba2d0e7f70829fa303e68dc5d8589505a18
fedora/1/updates-testing/SRPMS/gzip-1.3.3-11.1.legacy.src.rpm

fc2:
b57fccc4cba1717fd9114ea5d628d6fd704538b9
fedora/2/updates-testing/i386/gzip-1.3.3-12.1.legacy.i386.rpm
ecfe9ca29f8d3ba6aa2f9b8aad10a923d1179360
fedora/2/updates-testing/SRPMS/gzip-1.3.3-12.1.legacy.src.rpm

---------------------------------------------------------------------

Please test and comment in bugzilla.