Subject: Re: gzip issues
To: Toru TAKAMIZU <ttaka@earth.email.ne.jp>
From: David Porowski <dproski@erols.com>
List: tech-security
Date: 07/04/2003 11:51:42
greetings & salutations, and apologies,

I mis-spoke in my previous email, as NetBSD fixed this
issue (refer to NetBSD SA-2002-02).  The direct page is
<ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2002-002.txt.asc>

As gzip 1.2.4 is rather "long-in-tooth", I guess that this
issue has been covered (and fixed) quite some time ago.
mea culpa.

David Porowski    <dproski@erols.com>
David Porowski wrote:

> greetings & salutations,
>
> I could not locate these specific security issues you
> have presented (below).  AFAIK, the gzip package in
> NetBSD 1.6 is 1.2.4, which does have security issues.
> This was clipped directly from <http://www.gzip.org> ::
>
> > Important security patch
> >
> > gzip 1.2.4 may crash when an input file name is too long (over 1020 characters). The buffer overflow may be exploited if gzip is
> > run by a server such as an ftp server. Some ftp servers allow compression and decompression on the fly and are thus vulnerable.
> > See technical details here. This patch to gzip 1.2.4 fixes the problem. The beta version 1.3.3 already includes a sufficient patch;
> > use this version if you have to handle files larger than 2 GB. A new official version of gzip will be released soon.
> >
>
> The relevant CVE IDs:  CVE-1999-1332, CAN-2003-0367
>
> You could patch the current gzip, remove this package and rebuild
> from source, or wait for the next major release of NetBSD (2.0).
> I have not found an updated NetBSD package that addresses these
> security issues, but it may be forthcoming.  It may be waiting
> for the new official version.
>
> David Porowski    <dproski@erols.com>
>
> Toru TAKAMIZU wrote:
>
> > Anybody knows whether these issues matter to us or not?
> >
> > http://www.securityfocus.com/bid/7845/
> > http://www.securityfocus.com/bid/7872/
> >
> > Please Cc: me because I'm not subscribed.
> >
> > TIA,
> > toru