Fedora Legacy Test Update Notification: gzip

David Eisenstein deisenst at gtw.net
Tue Nov 7 03:50:51 UTC 2006


With thanks to Ali Lomonaco and Michal Jaegermann for proposing packages!

--------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-211760
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=211760
2006-11-06
---------------------------------------------------------------------

Name        : gzip
Versions    : fc3: gzip-1.3.3-16.1.fc3.legacy
Versions    : fc4: gzip-1.3.5-6.1.0.legacy
Summary     : The GNU data compression program.
Description :
The gzip package contains the popular GNU gzip data compression
program. Gzipped files have a .gz extension.

Gzip should be installed on your Red Hat Linux system, because it is a
very commonly used data compression program.


---------------------------------------------------------------------
Update Information:

Updated gzip packages that fix several security issues are now
available.

The gzip package contains the GNU gzip data compression program.

Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash. (CVE-2006-4334, CVE-2006-4338)

Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code. (CVE-2006-4335, CVE-2006-4336, CVE-2006-4337)

Users of gzip should upgrade to these updated packages, which contain a
backported patch and are not vulnerable to these issues.

---------------------------------------------------------------------
Changelogs

fc3:
* Sat Nov  4 2006 David Eisenstein <deisenst at gtw.net> 1.3.3-16.1.fc3.legacy
- Add BuildRequires: texinfo, so gzip.info will be properly created.

* Sat Nov  4 2006 David Eisenstein <deisenst at gtw.net> 1.3.3-16.fc3.legacy
- Fedora Legacy bugzilla #211760, fixing the 5 cve's mentioned below.
- Patches taken from RHEL 4.

* Wed Sep  6 2006 Ivana Varekova <varekova at redhat.com> 1.3.3-16.rhel4
- fix bug 204676 (patches by Tavis Ormandy)
  - cve-2006-4334 - null dereference problem
  - cve-2006-4335 - buffer overflow problem
  - cve-2006-4336 - buffer underflow problem
  - cve-2006-4338 - infinite loop problem
  - cve-2006-4337 - buffer overflow problem

fc4:
* Tue Oct 31 2006 David Eisenstein - 1.3.5-6.1.0.legacy
- Rebuilt for FC4, reversioning so upgrade path will not be broken.

* Sun Oct 22 2006 Ali Lomonaco <alilomo at gmail.com> - 1.3.5-9
- rebuilt for Legacy Bugzilla #211760.
- fixes CVE-2006-{4334,4335,4336,4337,4338}.

* Sun Oct 01 2006 Jesse Keating <jkeating at redhat.com> - 1.3.5-9
- rebuilt for unwind info generation, broken in gcc-4.1.1-21

* Wed Sep 20 2006 Ivana Varekova <varekova at redhat.com> 1.3.5-8
- fix bug 204676 (patches by Tavis Ormandy)
  - cve-2006-4334 - null dereference problem
  - cve-2006-4335 - buffer overflow problem
  - cve-2006-4336 - buffer underflow problem
  - cve-2006-4338 - infinite loop problem
  - cve-2006-4337 - buffer overflow problem

* Fri Jul 14 2006 Karsten Hopp <karsten at redhat.de> 1.3.5-7
- buildrequire texinfo, otherwise gzip.info will be empty


---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

fc3:
803cef0b8d4e06f79ae9ce64aee63cdd761e87b6  fedora/3/updates-testing/i386/gzip-1.3.3-16.1.fc3.legacy.i386.rpm
602ad6828a3388063db0c45f13c256d92b12cc51  fedora/3/updates-testing/x86_64/gzip-1.3.3-16.1.fc3.legacy.x86_64.rpm
7f4737f9e627480ee211022b9dffc1da5696adda  fedora/3/updates-testing/SRPMS/gzip-1.3.3-16.1.fc3.legacy.src.rpm

fc4:
1cf4530543c8f7da0d331f11388bb7517fa013e4  fedora/4/updates-testing/i386/gzip-1.3.5-6.1.0.legacy.i386.rpm
17fb012aacf13fcf623c5f6447d4ba127ed4a780  fedora/4/updates-testing/x86_64/gzip-1.3.5-6.1.0.legacy.x86_64.rpm
b49360a81b5d4df62dbbb3b2b094515678f41a35  fedora/4/updates-testing/SRPMS/gzip-1.3.5-6.1.0.legacy.src.rpm

---------------------------------------------------------------------

Please test and comment in bugzilla.
