Re: fix for CVE-2010-0001, gzip-1.4 to be released shortly
From: Mike Frysinger
Subject: Re: fix for CVE-2010-0001, gzip-1.4 to be released shortly
Date: Sat, 30 Jan 2010 16:03:47 -0500
User-agent: KMail/1.12.4 (Linux/2.6.32.6; KDE/4.3.4; x86_64; ; )
On Wednesday 20 January 2010 11:01:31 Jim Meyering wrote:
> Here's the patch for CVE-2010-0001,
> along with a test to exercise the offending code.
>
> I expect to release gzip-1.4 within the next few hours.
>
> From a3db5806d012082b9e25cc36d09f19cd736a468f Mon Sep 17 00:00:00 2001
> From: Jim Meyering <address@hidden>
> Date: Sun, 10 Jan 2010 17:13:01 +0100
> Subject: [PATCH 1/2] gzip -d: do not clobber stack for valid input on
> x86_64
>
> * unlzw.c (unlzw): Avoid integer overflow.
> Aki Helin reported the segfault along with an input to trigger the bug.
this code applies unchanged (not surprisingly) to the original lzw
implementation. but the redhat bug report says that the issue doesn't apply to
the original ncompress (4.2.4) implementation?
not sure if you want to just keep the inner details off of public lists ...
-mike