|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: gzip issues
From: David Porowski (dproski
erols.com)
Date: Fri Jul 04 2003 - 10:39:14 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
greetings & salutations,
I could not locate these specific security issues you
have presented (below). AFAIK, the gzip package in
NetBSD 1.6 is 1.2.4, which does have security issues.
This was clipped directly from <http://www.gzip.org> ::
> Important security patch
>
> gzip 1.2.4 may crash when an input file name is too long (over 1020 characters). The buffer overflow may be exploited if gzip is
> run by a server such as an ftp server. Some ftp servers allow compression and decompression on the fly and are thus vulnerable.
> See technical details here. This patch to gzip 1.2.4 fixes the problem. The beta version 1.3.3 already includes a sufficient patch;
> use this version if you have to handle files larger than 2 GB. A new official version of gzip will be released soon.
>
The relevant CVE Ids: CVE-1999-1332, CAN-2003-0367
You could patch the current gzip, remove this package and rebuild
from source, or wait for the next major release of NetBSD (2.0).
I have not found an updated NetBSD package that addresses these
security issues, but it may be forthcoming. It may be waiting
for the new official version.
David Porowski <dproskierols.com>
Toru TAKAMIZU wrote:
> Anybody knows whether these issues matter to us or not?
>
> http://www.securityfocus.com/bid/7845/
> http://www.securityfocus.com/bid/7872/
>
> Please Cc: me because I'm not subscribed.
>
> TIA,
> toru
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]