From 82ec7c018bcc1277d6c364101c5c20eeb632737c Mon Sep 17 00:00:00 2001
From: Ivana Varekova <varekova@fedoraproject.org>
Date: Wed, 20 Sep 2006 10:52:34 +0000
Subject: [PATCH] - fix bug 204676 (patches by Tavis Ormandy)

---
 gzip-1.3.5-cve-2006-4335.patch | 15 +++++++++++++++
 gzip-1.3.5-cve-2006-4336.patch | 20 ++++++++++++++++++++
 gzip-1.3.5-cve-2006-4338.patch | 29 +++++++++++++++++++++++++++++
 gzip.spec                      | 20 +++++++++++++++++++-
 4 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 gzip-1.3.5-cve-2006-4335.patch
 create mode 100644 gzip-1.3.5-cve-2006-4336.patch
 create mode 100644 gzip-1.3.5-cve-2006-4338.patch

diff --git a/gzip-1.3.5-cve-2006-4335.patch b/gzip-1.3.5-cve-2006-4335.patch
new file mode 100644
index 0000000..c750bbc
--- /dev/null
+++ b/gzip-1.3.5-cve-2006-4335.patch
@@ -0,0 +1,15 @@
+--- gzip-1.3.3/unlzh.c.4335	1999-10-06 07:00:00.000000000 +0200
++++ gzip-1.3.3/unlzh.c	2006-09-07 09:41:41.000000000 +0200
+@@ -149,7 +149,11 @@
+     unsigned i, k, len, ch, jutbits, avail, nextcode, mask;
+ 
+     for (i = 1; i <= 16; i++) count[i] = 0;
+-    for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++;
++    for (i = 0; i < (unsigned)nchar; i++) {
++        if (bitlen[i] > 16)
++        error("Bad table (case a)\n");
++        else count[bitlen[i]]++;
++    }
+ 
+     start[1] = 0;
+     for (i = 1; i <= 16; i++)
diff --git a/gzip-1.3.5-cve-2006-4336.patch b/gzip-1.3.5-cve-2006-4336.patch
new file mode 100644
index 0000000..ecc7479
--- /dev/null
+++ b/gzip-1.3.5-cve-2006-4336.patch
@@ -0,0 +1,20 @@
+--- gzip-1.3.3/unpack.c.4336	1999-10-06 07:00:00.000000000 +0200
++++ gzip-1.3.3/unpack.c	2006-09-07 10:49:08.000000000 +0200
+@@ -133,7 +133,7 @@
+ 	/* Remember where the literals of this length start in literal[] : */
+ 	lit_base[len] = base;
+ 	/* And read the literals: */
+-	for (n = leaves[len]; n > 0; n--) {
++	for (n = leaves[len]; n > 0 && base < LITERALS; n--) {
+ 	    literal[base++] = (uch)get_byte();
+ 	}
+     }
+@@ -169,7 +169,7 @@
+     prefixp = &prefix_len[1<<peek_bits];
+     for (len = 1; len <= peek_bits; len++) {
+ 	int prefixes = leaves[len] << (peek_bits-len); /* may be 0 */
+-	while (prefixes--) *--prefixp = (uch)len;
++	while (prefixes-- && prefixp > prefix_len) *--prefixp = (uch)len;
+     }
+     /* The length of all other codes is unknown: */
+     while (prefixp > prefix_len) *--prefixp = 0;
diff --git a/gzip-1.3.5-cve-2006-4338.patch b/gzip-1.3.5-cve-2006-4338.patch
new file mode 100644
index 0000000..449ba1b
--- /dev/null
+++ b/gzip-1.3.5-cve-2006-4338.patch
@@ -0,0 +1,29 @@
+--- gzip-1.3.3/unlzh.c.4338	2006-09-07 10:49:31.000000000 +0200
++++ gzip-1.3.3/unlzh.c	2006-09-07 11:37:53.000000000 +0200
+@@ -260,7 +260,7 @@
+ 		    if (bitbuf & mask) c = right[c];
+ 		    else               c = left [c];
+ 		    mask >>= 1;
+-		} while (c >= NT);
++		} while (c >= NT && (mask || c != left[c]));
+ 	    }
+ 	    fillbuf((int) pt_len[c]);
+ 	    if (c <= 2) {
+@@ -296,7 +296,7 @@
+ 	    if (bitbuf & mask) j = right[j];
+ 	    else               j = left [j];
+ 	    mask >>= 1;
+-	} while (j >= NC);
++	} while (j >= NC && (mask || j != left[j])); 
+     }
+     fillbuf((int) c_len[j]);
+     return j;
+@@ -313,7 +313,7 @@
+ 	    if (bitbuf & mask) j = right[j];
+ 	    else               j = left [j];
+ 	    mask >>= 1;
+-	} while (j >= NP);
++	} while (j >= NP && (mask || j != left[j]));
+     }
+     fillbuf((int) pt_len[j]);
+     if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1));
diff --git a/gzip.spec b/gzip.spec
index 2087a28..fd3c620 100644
--- a/gzip.spec
+++ b/gzip.spec
@@ -1,7 +1,7 @@
 Summary: The GNU data compression program.
 Name: gzip
 Version: 1.3.5
-Release: 7
+Release: 8
 License: GPL
 Group: Applications/File
 Source: ftp://alpha.gnu.org/gnu/gzip/gzip-%{version}.tar.gz
@@ -15,6 +15,11 @@ Patch7: gzip-1.3.3-addsuffix.patch
 Patch8: gzip-1.3.5-zgrep-sed.patch
 Patch9: gzip-1.3.5-gzip-perm.patch
 Patch10: gzip-1.3.5-gunzip-dir.patch
+Patch11: gzip-1.3.5-cve-2006-4334.patch
+Patch12: gzip-1.3.5-cve-2006-4335.patch
+Patch13: gzip-1.3.5-cve-2006-4336.patch
+Patch14: gzip-1.3.5-cve-2006-4338.patch
+Patch15: gzip-1.3.5-cve-2006-4337.patch
 URL: http://www.gzip.org/
 Prereq: /sbin/install-info
 Requires: mktemp less
@@ -40,6 +45,11 @@ very commonly used data compression program.
 %patch8 -p0 -b .sed
 %patch9 -p1 -b .perm
 %patch10 -p1 -b .dir
+%patch11 -p1 -b .4334
+%patch12 -p1 -b .4335
+%patch13 -p1 -b .4336
+%patch14 -p1 -b .4338
+%patch15 -p1 -b .4337
 
 %build
 export DEFS="NO_ASM"
@@ -85,6 +95,14 @@ fi
 %{_infodir}/gzip.info*
 
 %changelog
+* Wed Sep 20 2006 Ivana Varekova <varekova@redhat.com> 1.3.5-8
+- fix bug 204676 (patches by Tavis Ormandy)
+  - cve-2006-4334 - null dereference problem
+  - cve-2006-4335 - buffer overflow problem
+  - cve-2006-4336 - buffer underflow problem
+  - cve-2006-4338 - infinite loop problem
+  - cve-2006-4337 - buffer overflow problem
+
 * Fri Jul 14 2006 Karsten Hopp <karsten@redhat.de> 1.3.5-7
 - buildrequire texinfo, otherwise gzip.info will be empty