- fix bug 204676 (patches by Tavis Ormandy)
This commit is contained in:
parent
bddd3b8a0e
commit
82ec7c018b
15
gzip-1.3.5-cve-2006-4335.patch
Normal file
15
gzip-1.3.5-cve-2006-4335.patch
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
--- gzip-1.3.3/unlzh.c.4335 1999-10-06 07:00:00.000000000 +0200
|
||||||
|
+++ gzip-1.3.3/unlzh.c 2006-09-07 09:41:41.000000000 +0200
|
||||||
|
@@ -149,7 +149,11 @@
|
||||||
|
unsigned i, k, len, ch, jutbits, avail, nextcode, mask;
|
||||||
|
|
||||||
|
for (i = 1; i <= 16; i++) count[i] = 0;
|
||||||
|
- for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++;
|
||||||
|
+ for (i = 0; i < (unsigned)nchar; i++) {
|
||||||
|
+ if (bitlen[i] > 16)
|
||||||
|
+ error("Bad table (case a)\n");
|
||||||
|
+ else count[bitlen[i]]++;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
start[1] = 0;
|
||||||
|
for (i = 1; i <= 16; i++)
|
20
gzip-1.3.5-cve-2006-4336.patch
Normal file
20
gzip-1.3.5-cve-2006-4336.patch
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
--- gzip-1.3.3/unpack.c.4336 1999-10-06 07:00:00.000000000 +0200
|
||||||
|
+++ gzip-1.3.3/unpack.c 2006-09-07 10:49:08.000000000 +0200
|
||||||
|
@@ -133,7 +133,7 @@
|
||||||
|
/* Remember where the literals of this length start in literal[] : */
|
||||||
|
lit_base[len] = base;
|
||||||
|
/* And read the literals: */
|
||||||
|
- for (n = leaves[len]; n > 0; n--) {
|
||||||
|
+ for (n = leaves[len]; n > 0 && base < LITERALS; n--) {
|
||||||
|
literal[base++] = (uch)get_byte();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -169,7 +169,7 @@
|
||||||
|
prefixp = &prefix_len[1<<peek_bits];
|
||||||
|
for (len = 1; len <= peek_bits; len++) {
|
||||||
|
int prefixes = leaves[len] << (peek_bits-len); /* may be 0 */
|
||||||
|
- while (prefixes--) *--prefixp = (uch)len;
|
||||||
|
+ while (prefixes-- && prefixp > prefix_len) *--prefixp = (uch)len;
|
||||||
|
}
|
||||||
|
/* The length of all other codes is unknown: */
|
||||||
|
while (prefixp > prefix_len) *--prefixp = 0;
|
29
gzip-1.3.5-cve-2006-4338.patch
Normal file
29
gzip-1.3.5-cve-2006-4338.patch
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
--- gzip-1.3.3/unlzh.c.4338 2006-09-07 10:49:31.000000000 +0200
|
||||||
|
+++ gzip-1.3.3/unlzh.c 2006-09-07 11:37:53.000000000 +0200
|
||||||
|
@@ -260,7 +260,7 @@
|
||||||
|
if (bitbuf & mask) c = right[c];
|
||||||
|
else c = left [c];
|
||||||
|
mask >>= 1;
|
||||||
|
- } while (c >= NT);
|
||||||
|
+ } while (c >= NT && (mask || c != left[c]));
|
||||||
|
}
|
||||||
|
fillbuf((int) pt_len[c]);
|
||||||
|
if (c <= 2) {
|
||||||
|
@@ -296,7 +296,7 @@
|
||||||
|
if (bitbuf & mask) j = right[j];
|
||||||
|
else j = left [j];
|
||||||
|
mask >>= 1;
|
||||||
|
- } while (j >= NC);
|
||||||
|
+ } while (j >= NC && (mask || j != left[j]));
|
||||||
|
}
|
||||||
|
fillbuf((int) c_len[j]);
|
||||||
|
return j;
|
||||||
|
@@ -313,7 +313,7 @@
|
||||||
|
if (bitbuf & mask) j = right[j];
|
||||||
|
else j = left [j];
|
||||||
|
mask >>= 1;
|
||||||
|
- } while (j >= NP);
|
||||||
|
+ } while (j >= NP && (mask || j != left[j]));
|
||||||
|
}
|
||||||
|
fillbuf((int) pt_len[j]);
|
||||||
|
if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1));
|
20
gzip.spec
20
gzip.spec
@ -1,7 +1,7 @@
|
|||||||
Summary: The GNU data compression program.
|
Summary: The GNU data compression program.
|
||||||
Name: gzip
|
Name: gzip
|
||||||
Version: 1.3.5
|
Version: 1.3.5
|
||||||
Release: 7
|
Release: 8
|
||||||
License: GPL
|
License: GPL
|
||||||
Group: Applications/File
|
Group: Applications/File
|
||||||
Source: ftp://alpha.gnu.org/gnu/gzip/gzip-%{version}.tar.gz
|
Source: ftp://alpha.gnu.org/gnu/gzip/gzip-%{version}.tar.gz
|
||||||
@ -15,6 +15,11 @@ Patch7: gzip-1.3.3-addsuffix.patch
|
|||||||
Patch8: gzip-1.3.5-zgrep-sed.patch
|
Patch8: gzip-1.3.5-zgrep-sed.patch
|
||||||
Patch9: gzip-1.3.5-gzip-perm.patch
|
Patch9: gzip-1.3.5-gzip-perm.patch
|
||||||
Patch10: gzip-1.3.5-gunzip-dir.patch
|
Patch10: gzip-1.3.5-gunzip-dir.patch
|
||||||
|
Patch11: gzip-1.3.5-cve-2006-4334.patch
|
||||||
|
Patch12: gzip-1.3.5-cve-2006-4335.patch
|
||||||
|
Patch13: gzip-1.3.5-cve-2006-4336.patch
|
||||||
|
Patch14: gzip-1.3.5-cve-2006-4338.patch
|
||||||
|
Patch15: gzip-1.3.5-cve-2006-4337.patch
|
||||||
URL: http://www.gzip.org/
|
URL: http://www.gzip.org/
|
||||||
Prereq: /sbin/install-info
|
Prereq: /sbin/install-info
|
||||||
Requires: mktemp less
|
Requires: mktemp less
|
||||||
@ -40,6 +45,11 @@ very commonly used data compression program.
|
|||||||
%patch8 -p0 -b .sed
|
%patch8 -p0 -b .sed
|
||||||
%patch9 -p1 -b .perm
|
%patch9 -p1 -b .perm
|
||||||
%patch10 -p1 -b .dir
|
%patch10 -p1 -b .dir
|
||||||
|
%patch11 -p1 -b .4334
|
||||||
|
%patch12 -p1 -b .4335
|
||||||
|
%patch13 -p1 -b .4336
|
||||||
|
%patch14 -p1 -b .4338
|
||||||
|
%patch15 -p1 -b .4337
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export DEFS="NO_ASM"
|
export DEFS="NO_ASM"
|
||||||
@ -85,6 +95,14 @@ fi
|
|||||||
%{_infodir}/gzip.info*
|
%{_infodir}/gzip.info*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Sep 20 2006 Ivana Varekova <varekova@redhat.com> 1.3.5-8
|
||||||
|
- fix bug 204676 (patches by Tavis Ormandy)
|
||||||
|
- cve-2006-4334 - null dereference problem
|
||||||
|
- cve-2006-4335 - buffer overflow problem
|
||||||
|
- cve-2006-4336 - buffer underflow problem
|
||||||
|
- cve-2006-4338 - infinite loop problem
|
||||||
|
- cve-2006-4337 - buffer overflow problem
|
||||||
|
|
||||||
* Fri Jul 14 2006 Karsten Hopp <karsten@redhat.de> 1.3.5-7
|
* Fri Jul 14 2006 Karsten Hopp <karsten@redhat.de> 1.3.5-7
|
||||||
- buildrequire texinfo, otherwise gzip.info will be empty
|
- buildrequire texinfo, otherwise gzip.info will be empty
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user