rpms/gzip
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- fix bug 204676 (patches by Tavis Ormandy)

Browse Source
This commit is contained in:
Ivana Varekova 2006-09-20 10:52:34 +00:00
parent bddd3b8a0e
commit 82ec7c018b
4 changed files with 83 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
gzip-1.3.5-cve-2006-4335.patch Normal file
View File

@ -0,0 +1,15 @@
--- gzip-1.3.3/unlzh.c.4335 1999-10-06 07:00:00.000000000 +0200
+++ gzip-1.3.3/unlzh.c 2006-09-07 09:41:41.000000000 +0200
@@ -149,7 +149,11 @@
unsigned i, k, len, ch, jutbits, avail, nextcode, mask;
for (i = 1; i <= 16; i++) count[i] = 0;
- for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++;
+ for (i = 0; i < (unsigned)nchar; i++) {
+ if (bitlen[i] > 16)
+ error("Bad table (case a)\n");
+ else count[bitlen[i]]++;
+ }
start[1] = 0;
for (i = 1; i <= 16; i++)

20
gzip-1.3.5-cve-2006-4336.patch Normal file
View File

@ -0,0 +1,20 @@
--- gzip-1.3.3/unpack.c.4336 1999-10-06 07:00:00.000000000 +0200
+++ gzip-1.3.3/unpack.c 2006-09-07 10:49:08.000000000 +0200
@@ -133,7 +133,7 @@
/* Remember where the literals of this length start in literal[] : */
lit_base[len] = base;
/* And read the literals: */
- for (n = leaves[len]; n > 0; n--) {
+ for (n = leaves[len]; n > 0 && base < LITERALS; n--) {
literal[base++] = (uch)get_byte();
}
}
@@ -169,7 +169,7 @@
prefixp = &prefix_len[1<<peek_bits];
for (len = 1; len <= peek_bits; len++) {
int prefixes = leaves[len] << (peek_bits-len); /* may be 0 */
- while (prefixes--) *--prefixp = (uch)len;
+ while (prefixes-- && prefixp > prefix_len) *--prefixp = (uch)len;
}
/* The length of all other codes is unknown: */
while (prefixp > prefix_len) *--prefixp = 0;

29
gzip-1.3.5-cve-2006-4338.patch Normal file
View File

@ -0,0 +1,29 @@
--- gzip-1.3.3/unlzh.c.4338 2006-09-07 10:49:31.000000000 +0200
+++ gzip-1.3.3/unlzh.c 2006-09-07 11:37:53.000000000 +0200
@@ -260,7 +260,7 @@
if (bitbuf & mask) c = right[c];
else c = left [c];
mask >>= 1;
- } while (c >= NT);
+ } while (c >= NT && (mask || c != left[c]));
}
fillbuf((int) pt_len[c]);
if (c <= 2) {
@@ -296,7 +296,7 @@
if (bitbuf & mask) j = right[j];
else j = left [j];
mask >>= 1;
- } while (j >= NC);
+ } while (j >= NC && (mask || j != left[j]));
}
fillbuf((int) c_len[j]);
return j;
@@ -313,7 +313,7 @@
if (bitbuf & mask) j = right[j];
else j = left [j];
mask >>= 1;
- } while (j >= NP);
+ } while (j >= NP && (mask || j != left[j]));
}
fillbuf((int) pt_len[j]);
if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1));

20
gzip.spec
View File

@ -1,7 +1,7 @@
Summary: The GNU data compression program.
Name: gzip
Version: 1.3.5
Release: 7
Release: 8
License: GPL
Group: Applications/File
Source: ftp://alpha.gnu.org/gnu/gzip/gzip-%{version}.tar.gz
@ -15,6 +15,11 @@ Patch7: gzip-1.3.3-addsuffix.patch
Patch8: gzip-1.3.5-zgrep-sed.patch
Patch9: gzip-1.3.5-gzip-perm.patch
Patch10: gzip-1.3.5-gunzip-dir.patch
Patch11: gzip-1.3.5-cve-2006-4334.patch
Patch12: gzip-1.3.5-cve-2006-4335.patch
Patch13: gzip-1.3.5-cve-2006-4336.patch
Patch14: gzip-1.3.5-cve-2006-4338.patch
Patch15: gzip-1.3.5-cve-2006-4337.patch
URL: http://www.gzip.org/
Prereq: /sbin/install-info
Requires: mktemp less
@ -40,6 +45,11 @@ very commonly used data compression program.
%patch8 -p0 -b .sed
%patch9 -p1 -b .perm
%patch10 -p1 -b .dir
%patch11 -p1 -b .4334
%patch12 -p1 -b .4335
%patch13 -p1 -b .4336
%patch14 -p1 -b .4338
%patch15 -p1 -b .4337
%build
export DEFS="NO_ASM"
@ -85,6 +95,14 @@ fi
%{_infodir}/gzip.info*
%changelog
* Wed Sep 20 2006 Ivana Varekova <varekova@redhat.com> 1.3.5-8
- fix bug 204676 (patches by Tavis Ormandy)
- cve-2006-4334 - null dereference problem
- cve-2006-4335 - buffer overflow problem
- cve-2006-4336 - buffer underflow problem
- cve-2006-4338 - infinite loop problem
- cve-2006-4337 - buffer overflow problem
* Fri Jul 14 2006 Karsten Hopp <karsten@redhat.de> 1.3.5-7
- buildrequire texinfo, otherwise gzip.info will be empty