[UPDATED] Fedora Legacy Test Update Notification: gzip

Marc Deslauriers marcdeslauriers at videotron.ca
Tue Jul 19 23:39:03 UTC 2005


Packages were rebuilt to correct a missing texinfo BuildRequires.

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-157696
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157696
2005-07-19
---------------------------------------------------------------------

Name        : gzip
Versions    : rh73: gzip-1.3.3-1.2.legacy
Versions    : rh9: gzip-1.3.3-9.2.legacy
Versions    : fc1: gzip-1.3.3-11.2.legacy
Versions    : fc2: gzip-1.3.3-12.2.legacy
Summary     : The GNU data compression program.
Description :
The gzip package contains the popular GNU gzip data compression
program. Gzipped files have a .gz extension.

---------------------------------------------------------------------
Update Information:

An updated gzip package is now available.

The gzip package contains the GNU gzip data compression program.

A bug was found in the way zgrep processes file names. If a user can be
tricked into running zgrep on a file with a carefully crafted file name,
arbitrary commands could be executed as the user running zgrep. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0758 to this issue.

A bug was found in the way gunzip modifies permissions of files being
decompressed. A local attacker with write permissions in the directory
in which a victim is decompressing a file could remove the file being
written and replace it with a hard link to a different file owned by the
victim; gunzip then gives the linked file the permissions of the
uncompressed file. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0988 to this issue.

A directory traversal bug was found in the way gunzip processes the -N
flag. If a victim decompresses a file with the -N flag, gunzip fails to
sanitize the path which could result in a file owned by the victim being
overwritten. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-1228 to this issue.
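
The check below is an added example, not code from the gzip patches or from this advisory. It reads the original-name (FNAME) field that the -N flag restores, following the gzip header layout in RFC 1952, and reports names that carry directory components. The function names, the basename-only policy and the sample headers are assumptions made for the illustration.

```python
import struct

FEXTRA, FNAME = 0x04, 0x08  # FLG bits defined in RFC 1952


def stored_name(blob: bytes):
    """Return the original file name stored in a gzip header, or None."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("not a gzip (deflate) member")
    flags, pos = blob[3], 10                 # fixed header is 10 bytes
    if flags & FEXTRA:                       # skip the optional extra field
        if len(blob) < pos + 2:
            raise ValueError("truncated FEXTRA field")
        (xlen,) = struct.unpack_from("<H", blob, pos)
        pos += 2 + xlen
    if not flags & FNAME:
        return None
    end = blob.find(b"\x00", pos)            # the name is NUL-terminated
    if end < 0:
        raise ValueError("unterminated FNAME field")
    return blob[pos:end].decode("latin-1")   # RFC 1952: ISO 8859-1


def audit(blob: bytes):
    """Return (stored, safe, suspicious) for one gzip member.

    Assumed policy: only the final path component may be used as the
    output name, so anything containing '/' is flagged.
    """
    stored = stored_name(blob)
    if stored is None:
        return None, None, False
    safe = stored.rsplit("/", 1)[-1]
    suspicious = safe != stored or safe in ("", ".", "..")
    return stored, safe, suspicious


def sample_header(name: bytes, extra: bytes = b"") -> bytes:
    """Build a constructed gzip header (no compressed data) for testing."""
    flags = FNAME | (FEXTRA if extra else 0)
    head = b"\x1f\x8b\x08" + bytes([flags]) + b"\x00" * 4 + b"\x00\x03"
    if extra:
        head += struct.pack("<H", len(extra)) + extra
    return head + name + b"\x00"


if __name__ == "__main__":
    for fname in (b"notes.txt", b"../../tmp/constructed-target"):  # constructed
        print(audit(sample_header(fname)))
```
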

Users of gzip should upgrade to this updated package, which contains
backported patches to correct these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Tue Jul 19 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
1.3.3-1.2.legacy
- Added missing texinfo to BuildRequires

* Wed Jul 13 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 1.3.3-1.1.legacy
- Patches for CAN 2005-0758, 2005-0988, 2005-1228 (#157696)

rh9:
* Tue Jul 19 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
1.3.3-9.2.legacy
- Added missing texinfo BuildRequires

* Wed Jul 13 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 1.3.3-9.1.legacy
- Patches for CAN 2005-0758, 2005-0988, 2005-1228 (#157696)

fc1:
* Tue Jul 19 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
1.3.3-11.2.legacy
- Added missing texinfo BuildRequires

* Wed Jul 13 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 1.3.3-11.1.legacy
- Patches for CAN 2005-0758, 2005-0988, 2005-1228 (#157696)

fc2:
* Tue Jul 19 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
1.3.3-12.2.legacy
- Added missing texinfo BuildRequires

* Wed Jul 13 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 1.3.3-12.1.legacy
- Patches for CAN 2005-0758, 2005-0988, 2005-1228 (#157696)

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh73:
16a19e2142d83f1db86dbf5a9a5a0b4e35d50c92
redhat/7.3/updates-testing/i386/gzip-1.3.3-1.2.legacy.i386.rpm
98e5fcc727442dd531277cffc2771b7bc8d5f1f8
redhat/7.3/updates-testing/SRPMS/gzip-1.3.3-1.2.legacy.src.rpm

rh9:
7960019da89fbdee222e71b7d9884e6dc9ed3056
redhat/9/updates-testing/i386/gzip-1.3.3-9.2.legacy.i386.rpm
de3e4e8dd934c383feb2a464b522c4e62bdd3f6d
redhat/9/updates-testing/SRPMS/gzip-1.3.3-9.2.legacy.src.rpm

fc1:
b5cc020182af4b945a461c35e1adc3ddb15e953b
fedora/1/updates-testing/i386/gzip-1.3.3-11.2.legacy.i386.rpm
28c8700ac53cb6f8110c744ffc8456095cf9d051
fedora/1/updates-testing/SRPMS/gzip-1.3.3-11.2.legacy.src.rpm

fc2:
3d056ec2af5e344ef56e22049e5bd196f0c27180
fedora/2/updates-testing/i386/gzip-1.3.3-12.2.legacy.i386.rpm
f6b4d52075528761fd56e44c8227c45130f959b0
fedora/2/updates-testing/SRPMS/gzip-1.3.3-12.2.legacy.src.rpm

---------------------------------------------------------------------

Please test and comment in bugzilla.