Subject: Re: gzip issues
To: Toru TAKAMIZU <email@example.com>
From: David Porowski <firstname.lastname@example.org>
Date: 07/04/2003 11:39:14
greetings & salutations,
I could not locate these specific security issues you
have presented (below). AFAIK, the gzip package in
NetBSD 1.6 is 1.2.4, which does have security issues.
This was clipped directly from <http://www.gzip.org> ::
> Important security patch
> gzip 1.2.4 may crash when an input file name is too long (over 1020 characters). The buffer overflow may be exploited if gzip is
> run by a server such as an ftp server. Some ftp servers allow compression and decompression on the fly and are thus vulnerable.
> See technical details here. This patch to gzip 1.2.4 fixes the problem. The beta version 1.3.3 already includes a sufficient patch;
> use this version if you have to handle files larger than 2 GB. A new official version of gzip will be released soon.
The relevant CVE IDs: CVE-1999-1332, CAN-2003-0367
You could patch the current gzip, remove this package and rebuild
from source, or wait for the next major release of NetBSD (2.0).
I have not found an updated NetBSD package that addresses these
security issues, but it may be forthcoming. It may be waiting
for the new official version.
David Porowski <email@example.com>
Toru TAKAMIZU wrote:
> Anybody knows whether these issues matter to us or not?
> Please Cc: me because I'm not subscribed.
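The long-file-name overflow quoted from gzip.org above boils down to an unbounded copy of the input name, plus the ".gz" suffix, into a fixed-size name buffer. The following is an added example (not part of this mail thread and not gzip's own source) showing that pattern beside a bounded replacement; the 1024-byte buffer, the ".gz" suffix and all function names are assumptions chosen so the numbers match the advisory's "over 1020 characters" limit (1024 minus three suffix bytes minus the NUL).

```c
/*
 * Added example: the fixed-buffer output-name pattern behind the
 * gzip 1.2.4 long-file-name overflow, and a bounded replacement.
 * NAME_BUF, SUFFIX and the function names are assumptions, not gzip's code.
 */
#include <stdio.h>
#include <string.h>

#define NAME_BUF 1024          /* assumed size of the fixed name buffer */
#define SUFFIX   ".gz"         /* suffix appended to the output name */

/* Vulnerable pattern: unbounded copy and append into a fixed buffer.
 * Any input name longer than NAME_BUF - strlen(SUFFIX) - 1 (1020 bytes)
 * writes past the end of 'out'.  Shown for contrast only; never call
 * it with untrusted input (it is not called anywhere in this file). */
void unsafe_output_name(const char *in, char out[NAME_BUF])
{
    strcpy(out, in);           /* no length check at all */
    strcat(out, SUFFIX);       /* may write past the end of 'out' */
}

/* Hardened form: compute the required size first and refuse the name
 * before any byte is written.  Returns 0 on success, -1 if the name
 * plus suffix plus NUL would not fit in 'outsz' bytes. */
int safe_output_name(const char *in, char *out, size_t outsz)
{
    size_t inlen = strlen(in);
    size_t need  = inlen + strlen(SUFFIX) + 1;   /* name + ".gz" + NUL */

    if (need > outsz) {
        return -1;                               /* "file name too long" */
    }
    memcpy(out, in, inlen);
    memcpy(out + inlen, SUFFIX, strlen(SUFFIX) + 1);   /* includes NUL */
    return 0;
}

/* Longest input name the bounded version accepts for a buffer of 'outsz'
 * bytes.  For outsz == 1024 and ".gz" this is 1020, the advisory's figure. */
size_t max_input_name_len(size_t outsz)
{
    return outsz - strlen(SUFFIX) - 1;
}

/* Build a constructed test name of 'name_len' 'A' characters and run the
 * bounded routine against a NAME_BUF-sized buffer.  Returns the result of
 * safe_output_name: 0 if accepted, -1 if rejected. */
int check_name_length(size_t name_len)
{
    char name[4096];           /* large enough for the lengths tried below */
    char out[NAME_BUF];

    if (name_len >= sizeof name) {
        return -1;             /* treat anything absurd as rejected */
    }
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return safe_output_name(name, out, sizeof out);
}

int main(void)
{
    size_t limit = max_input_name_len(NAME_BUF);

    printf("limit for a %d-byte buffer: %zu characters\n", NAME_BUF, limit);
    printf("%zu-byte name: %s\n", limit,
           check_name_length(limit) == 0 ? "accepted" : "rejected");
    printf("%zu-byte name: %s\n", limit + 1,
           check_name_length(limit + 1) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of the check is that it is done on lengths before any write, so a name that would overflow is refused outright rather than truncated; truncating silently would avoid the crash but could make a server write to a different file than the client named.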