NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Mandrake Linux> 2010-q1

[Security Announce] [ MDVSA-2010:020 ] gzip

securitymandriva.com
Date: Wed Jan 20 2010 - 12:58:01 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2010:020
http://www.mandriva.com/security/
_______________________________________________________________________

Package : gzip
Date : January 20, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been found and corrected in gzip:

A missing input sanitation flaw was found in the way gzip used to
decompress data blocks for dynamic Huffman codes. A remote attacker
could provide a specially-crafted gzip compressed data archive,
which once opened by a local, unsuspecting user would lead to denial
of service (gzip crash) or, potentially, to arbitrary code execution
with the privileges of the user running gzip (CVE-2009-2624).

An integer underflow leading to array index error was found in the
way gzip used to decompress files / archives, compressed with the
Lempel-Ziv-Welch (LZW) compression algorithm. A remote attacker could
provide a specially-crafted LZW compressed gzip archive, which once
decompressed by a local, unsuspecting user would lead to gzip crash,
or, potentially to arbitrary code execution with the privileges of
the user running gzip (CVE-2010-0001).

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0001
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
dabd4f2eee5fe024b8abff6f95283fde 2008.0/i586/gzip-1.3.12-1.1mdv2008.0.i586.rpm
44e7e075b21c4469af04c156b3143c83 2008.0/SRPMS/gzip-1.3.12-1.1mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
492ff118f07d7d4ea7519858fbb39634 2008.0/x86_64/gzip-1.3.12-1.1mdv2008.0.x86_64.rpm
44e7e075b21c4469af04c156b3143c83 2008.0/SRPMS/gzip-1.3.12-1.1mdv2008.0.src.rpm

Mandriva Linux 2009.0:
2316dabaf600d2c3f2a2becd7b625bd9 2009.0/i586/gzip-1.3.12-3.1mdv2009.0.i586.rpm
3b13642c05f503ac5eeb3b48e72a7248 2009.0/SRPMS/gzip-1.3.12-3.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
d69acf358db53d589413529f4a2e11ef 2009.0/x86_64/gzip-1.3.12-3.1mdv2009.0.x86_64.rpm
3b13642c05f503ac5eeb3b48e72a7248 2009.0/SRPMS/gzip-1.3.12-3.1mdv2009.0.src.rpm

Mandriva Linux 2009.1:
118331d407ba6374babb123e42d27c6c 2009.1/i586/gzip-1.3.12-4.1mdv2009.1.i586.rpm
90296b7d943c1bab1059c672755c7a2c 2009.1/SRPMS/gzip-1.3.12-4.1mdv2009.1.src.rpm

Mandriva Linux 2009.1/X86_64:
eb2c1700b911e636e337e79abe29492a 2009.1/x86_64/gzip-1.3.12-4.1mdv2009.1.x86_64.rpm
90296b7d943c1bab1059c672755c7a2c 2009.1/SRPMS/gzip-1.3.12-4.1mdv2009.1.src.rpm

Mandriva Linux 2010.0:
79785f802e7b2f20135620402df74049 2010.0/i586/gzip-1.3.12-5.1mdv2010.0.i586.rpm
b99ae7c0775bb9211358510a82ae937a 2010.0/SRPMS/gzip-1.3.12-5.1mdv2010.0.src.rpm

Mandriva Linux 2010.0/X86_64:
e003e931a59003585d2600a1f8d375af 2010.0/x86_64/gzip-1.3.12-5.1mdv2010.0.x86_64.rpm
b99ae7c0775bb9211358510a82ae937a 2010.0/SRPMS/gzip-1.3.12-5.1mdv2010.0.src.rpm

Mandriva Enterprise Server 5:
2d6036ae10a136c5c41f392fb06b5e45 mes5/i586/gzip-1.3.12-3.1mdvmes5.i586.rpm
1feef136de6074266b2f555795bdd0d8 mes5/SRPMS/gzip-1.3.12-3.1mdvmes5.src.rpm

Mandriva Enterprise Server 5/X86_64:
48a5404ebcc58e4de6a134ea5ee62113 mes5/x86_64/gzip-1.3.12-3.1mdvmes5.x86_64.rpm
1feef136de6074266b2f555795bdd0d8 mes5/SRPMS/gzip-1.3.12-3.1mdvmes5.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLVz7OmqjQ0CJFipgRAo++AJ0VcK+UFrVtJLCkyZSeYoh8ok8APQCePYJf
COmPsWilcFGzmoEh6TC/qEQ=
=tUU5
-----END PGP SIGNATURE-----

------------=_1264014062-24326-3684
Content-Type: text/plain; name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympamandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://www.mandrivastore.com
Join the Club : http://www.mandrivaclub.com
_______________________________________________________

------------=_1264014062-24326-3684--

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]