Subject: Re: gzip issues
To: Toru TAKAMIZU <firstname.lastname@example.org>
From: David Porowski <email@example.com>
Date: 07/04/2003 11:51:42
greetings & salutations, and apologies,
I mis-spoke in my previous email, as NetBSD fixed this
issue (refer to NetBSD SA-2002-02). The direct page is
As gzip 1.2.4 is rather "long-in-tooth", I guess that this
issue has been covered (and fixed) quite some time ago.
David Porowski <firstname.lastname@example.org>
David Porowski wrote:
> greetings & salutations,
> I could not locate these specific security issues you
> have presented (below). AFAIK, the gzip package in
> NetBSD 1.6 is 1.2.4, which does have security issues.
> This was clipped directly from <http://www.gzip.org> ::
> > Important security patch
> > gzip 1.2.4 may crash when an input file name is too long (over 1020 characters). The buffer overflow may be exploited if gzip is
> > run by a server such as an ftp server. Some ftp servers allow compression and decompression on the fly and are thus vulnerable.
> > See technical details here. This patch to gzip 1.2.4 fixes the problem. The beta version 1.3.3 already includes a sufficient patch;
> > use this version if you have to handle files larger than 2 GB. A new official version of gzip will be released soon.
> The relevant CVE IDs: CVE-1999-1332, CAN-2003-0367
> You could patch the current gzip, remove this package and rebuild
> from source, or wait for the next major release of NetBSD (2.0).
> I have not found an updated NetBSD package that addresses these
> security issues, but it may be forthcoming. It may be waiting
> for the new official version.
> David Porowski <email@example.com>
> Toru TAKAMIZU wrote:
> > Anybody knows whether these issues matter to us or not?
> > http://www.securityfocus.com/bid/7845/
> > http://www.securityfocus.com/bid/7872/
> > Please Cc: me because I'm not subscribed.
> > TIA,
> > toru
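An added defensive check, not part of this thread and not gzip's own code: a POSIX shell snippet that flags gzip 1.2.4 from its version banner and refuses over-long input file names before they ever reach gzip, which is the guard a server doing on-the-fly compression wants while the package is still unpatched. The 1020-character limit and the CVE ids come from the notice quoted above; the banner format `gzip 1.2.4 (18 Aug 93)` is assumed, and `safe_gzip` and the other function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from gzip): two checks an admin can
# run on a host that still carries gzip 1.2.4 before it is patched or rebuilt.

# Largest input file name the quoted gzip.org notice says gzip 1.2.4 handles
# safely; names over 1020 characters may crash it.
GZIP_SAFE_NAME_MAX=1020

# Returns 0 if the banner names gzip 1.2.4 (the release the thread says is
# affected), 1 otherwise. Takes the first line of `gzip --version` / `gzip -V`
# output; the format "gzip 1.2.4 (18 Aug 93)" is an assumption.
is_affected_gzip_version() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    [ "$ver" = "1.2.4" ]
}

# Returns 0 if the file name is within the safe limit, 1 if it is over it.
gzip_name_length_ok() {
    [ "${#1}" -le "$GZIP_SAFE_NAME_MAX" ]
}

# Wrapper for on-the-fly compression: a server should reject an over-long
# name here instead of passing it to an unpatched gzip.
safe_gzip() {
    if ! gzip_name_length_ok "$1"; then
        echo "refusing to compress: file name exceeds $GZIP_SAFE_NAME_MAX characters" >&2
        return 2
    fi
    gzip -c -- "$1"
}

# Stand-alone run: report on the gzip installed on this host.
installed=$(gzip --version 2>/dev/null | head -n 1)
if is_affected_gzip_version "$installed"; then
    echo "WARNING: installed gzip is 1.2.4 (CVE-1999-1332 / CAN-2003-0367)"
else
    echo "installed gzip: ${installed:-not found}"
fi
```

Run it once per host to find the affected version, and put `safe_gzip` (or the `gzip_name_length_ok` test on its own) in front of any path where user-supplied names are handed to gzip; the length check is cheap and independent of whether the patch has landed yet.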