diff --git a/gzip-1.3.5-cve-2006-4335.patch b/gzip-1.3.5-cve-2006-4335.patch new file mode 100644 index 0000000..c750bbc --- /dev/null +++ b/gzip-1.3.5-cve-2006-4335.patch @@ -0,0 +1,15 @@ +--- gzip-1.3.3/unlzh.c.4335 1999-10-06 07:00:00.000000000 +0200 ++++ gzip-1.3.3/unlzh.c 2006-09-07 09:41:41.000000000 +0200 +@@ -149,7 +149,11 @@ + unsigned i, k, len, ch, jutbits, avail, nextcode, mask; + + for (i = 1; i <= 16; i++) count[i] = 0; +- for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++; ++ for (i = 0; i < (unsigned)nchar; i++) { ++ if (bitlen[i] > 16) ++ error("Bad table (case a)\n"); ++ else count[bitlen[i]]++; ++ } + + start[1] = 0; + for (i = 1; i <= 16; i++) diff --git a/gzip-1.3.5-cve-2006-4336.patch b/gzip-1.3.5-cve-2006-4336.patch new file mode 100644 index 0000000..ecc7479 --- /dev/null +++ b/gzip-1.3.5-cve-2006-4336.patch @@ -0,0 +1,20 @@ +--- gzip-1.3.3/unpack.c.4336 1999-10-06 07:00:00.000000000 +0200 ++++ gzip-1.3.3/unpack.c 2006-09-07 10:49:08.000000000 +0200 +@@ -133,7 +133,7 @@ + /* Remember where the literals of this length start in literal[] : */ + lit_base[len] = base; + /* And read the literals: */ +- for (n = leaves[len]; n > 0; n--) { ++ for (n = leaves[len]; n > 0 && base < LITERALS; n--) { + literal[base++] = (uch)get_byte(); + } + } +@@ -169,7 +169,7 @@ + prefixp = &prefix_len[1< prefix_len) *--prefixp = (uch)len; + } + /* The length of all other codes is unknown: */ + while (prefixp > prefix_len) *--prefixp = 0; diff --git a/gzip-1.3.5-cve-2006-4338.patch b/gzip-1.3.5-cve-2006-4338.patch new file mode 100644 index 0000000..449ba1b --- /dev/null +++ b/gzip-1.3.5-cve-2006-4338.patch @@ -0,0 +1,29 @@ +--- gzip-1.3.3/unlzh.c.4338 2006-09-07 10:49:31.000000000 +0200 ++++ gzip-1.3.3/unlzh.c 2006-09-07 11:37:53.000000000 +0200 +@@ -260,7 +260,7 @@ + if (bitbuf & mask) c = right[c]; + else c = left [c]; + mask >>= 1; +- } while (c >= NT); ++ } while (c >= NT && (mask || c != left[c])); + } + fillbuf((int) pt_len[c]); + if (c <= 2) { +@@ -296,7 +296,7 @@ + if (bitbuf & mask) j = right[j]; + else j = left [j]; + mask >>= 1; +- } while (j >= NC); ++ } while (j >= NC && (mask || j != left[j])); + } + fillbuf((int) c_len[j]); + return j; +@@ -313,7 +313,7 @@ + if (bitbuf & mask) j = right[j]; + else j = left [j]; + mask >>= 1; +- } while (j >= NP); ++ } while (j >= NP && (mask || j != left[j])); + } + fillbuf((int) pt_len[j]); + if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1)); diff --git a/gzip.spec b/gzip.spec index 2087a28..fd3c620 100644 --- a/gzip.spec +++ b/gzip.spec @@ -1,7 +1,7 @@ Summary: The GNU data compression program. Name: gzip Version: 1.3.5 -Release: 7 +Release: 8 License: GPL Group: Applications/File Source: ftp://alpha.gnu.org/gnu/gzip/gzip-%{version}.tar.gz @@ -15,6 +15,11 @@ Patch7: gzip-1.3.3-addsuffix.patch Patch8: gzip-1.3.5-zgrep-sed.patch Patch9: gzip-1.3.5-gzip-perm.patch Patch10: gzip-1.3.5-gunzip-dir.patch +Patch11: gzip-1.3.5-cve-2006-4334.patch +Patch12: gzip-1.3.5-cve-2006-4335.patch +Patch13: gzip-1.3.5-cve-2006-4336.patch +Patch14: gzip-1.3.5-cve-2006-4338.patch +Patch15: gzip-1.3.5-cve-2006-4337.patch URL: http://www.gzip.org/ Prereq: /sbin/install-info Requires: mktemp less @@ -40,6 +45,11 @@ very commonly used data compression program. %patch8 -p0 -b .sed %patch9 -p1 -b .perm %patch10 -p1 -b .dir +%patch11 -p1 -b .4334 +%patch12 -p1 -b .4335 +%patch13 -p1 -b .4336 +%patch14 -p1 -b .4338 +%patch15 -p1 -b .4337 %build export DEFS="NO_ASM" @@ -85,6 +95,14 @@ fi %{_infodir}/gzip.info* %changelog +* Wed Sep 20 2006 Ivana Varekova 1.3.5-8 +- fix bug 204676 (patches by Tavis Ormandy) + - cve-2006-4334 - null dereference problem + - cve-2006-4335 - buffer overflow problem + - cve-2006-4336 - buffer underflow problem + - cve-2006-4338 - infinite loop problem + - cve-2006-4337 - buffer overflow problem + * Fri Jul 14 2006 Karsten Hopp 1.3.5-7 - buildrequire texinfo, otherwise gzip.info will be empty