Re: fix for CVE-2010-0001, gzip-1.4 to be released shortly
From: Mike Frysinger
Subject: Re: fix for CVE-2010-0001, gzip-1.4 to be released shortly
Date: Tue, 2 Feb 2010 23:35:10 -0500
User-agent: KMail/1.12.4 (Linux/2.6.32.6; KDE/4.3.4; x86_64; ; )
On Monday 01 February 2010 03:54:02 Jim Meyering wrote:
> Mike Frysinger wrote:
> > On Wednesday 20 January 2010 11:01:31 Jim Meyering wrote:
> >> Here's the patch for CVE-2010-0001,
> >> along with a test to exercise the offending code.
> >>
> >> I expect to release gzip-1.4 within the next few hours.
> >>
> >> From a3db5806d012082b9e25cc36d09f19cd736a468f Mon Sep 17 00:00:00 2001
> >> From: Jim Meyering <address@hidden>
> >> Date: Sun, 10 Jan 2010 17:13:01 +0100
> >> Subject: [PATCH 1/2] gzip -d: do not clobber stack for valid input on
> >> x86_64
> >>
> >> * unlzw.c (unlzw): Avoid integer overflow.
> >> Aki Helin reported the segfault along with an input to trigger the bug.
> >
> > this code applies unchanged (not surprisingly) to the original lzw
> > implementation. but the redhat bug report says that the issue doesn't
> > apply to the original ncompress (4.2.4) implementation?
>
> I'm glad you checked. If the buggy code is there, too, then maybe there's
> an easy way to trigger a similar failure. I tested "compress" and saw no
> failure, and so didn't go through it in the debugger like I did for gzip.
>
> > not sure if you want to just keep the inner details off of public lists
> > ...
>
> Considering the relatively limited exposure via ncompress,
> it seems like it'd be ok to talk about it in public.
> But if you've found an exploit, you'll have to judge.
i have no such archives to trigger crashes, it's just that i've been keeping
ncompress up-to-date on ncompress.sf.net. i put out a new version including
this fix (among others).
-mike