Subject: Re: gzip issues
To: Toru TAKAMIZU <ttaka@earth.email.ne.jp>
From: David Porowski <dproski@erols.com>
List: current-users
Date: 07/04/2003 11:39:14

greetings & salutations,

I could not locate these specific security issues you
have presented (below).  AFAIK, the gzip package in
NetBSD 1.6 is 1.2.4, which does have security issues.
This was clipped directly from <http://www.gzip.org> ::


> Important security patch
>
> gzip 1.2.4 may crash when an input file name is too long (over 1020 characters). The buffer overflow may be exploited if gzip is
> run by a server such as an ftp server. Some ftp servers allow compression and decompression on the fly and are thus vulnerable.
> See technical details here. This patch to gzip 1.2.4 fixes the problem. The beta version 1.3.3 already includes a sufficient patch;
> use this version if you have to handle files larger than 2 GB. A new official version of gzip will be released soon.
>

The relevant CVE Ids:  CVE-1999-1332, CAN-2003-0367

You could patch the current gzip, remove this package and rebuild
from source, or wait for the next major release of NetBSD (2.0).
I have not found an updated NetBSD package that addresses these
security issues, but it may be forthcoming.  It may be waiting
for the new official version.

David Porowski    <dproski@erols.com>


Toru TAKAMIZU wrote:

> Does anybody know whether these issues matter to us or not?
>
> http://www.securityfocus.com/bid/7845/
> http://www.securityfocus.com/bid/7872/
>
> Please Cc: me because I'm not subscribed.
>
> TIA,
> toru
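
The gzip.org notice quoted above describes an overflow triggered by input file names over 1020 characters. The following is an added example, not gzip's code and not the patch mentioned in the notice, showing the kind of length check that rejects such a name before it is copied into a fixed buffer. The 1024-byte buffer, the 3 bytes reserved for a suffix, and the function names are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for illustration: a 1024-byte name buffer, with room kept
 * for a suffix such as ".gz" appended later. 1024 - 3 - 1 (NUL) = 1020,
 * which is consistent with the limit quoted from gzip.org. */
#define NAME_BUF_LEN 1024
#define SUFFIX_ROOM  3

/* Copy an untrusted file name into dst (capacity dst_len) only if the
 * name, a later suffix and the terminating NUL all fit.
 * Returns 0 on success, -1 with errno = ENAMETOOLONG otherwise. */
int copy_input_name(char *dst, size_t dst_len, const char *name)
{
    size_t n = strlen(name);

    if (dst_len <= SUFFIX_ROOM || n >= dst_len - SUFFIX_ROOM) {
        errno = ENAMETOOLONG;
        return -1;              /* refuse instead of writing past dst */
    }
    memcpy(dst, name, n + 1);   /* n + 1 copies the terminating NUL too */
    return 0;
}

/* Constructed input: a name of `len` repeated 'a' characters. */
int try_name_of_length(size_t len)
{
    static char name[2048];
    char buf[NAME_BUF_LEN];

    if (len >= sizeof name)
        return -1;
    memset(name, 'a', len);
    name[len] = '\0';
    return copy_input_name(buf, sizeof buf, name);
}

int main(void)
{
    size_t lens[] = {8, 1020, 1021, 1500};

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%zu chars: %s\n", lens[i],
               try_name_of_length(lens[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```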