----------------- 6 Oct. 2006 - update ----------------------

Previous source patch (gzip-1.3.3.patch) was revised into
gzip-6294656-6283819-diff.

Security issue CVE-2006-4334,
synopsis: gzip multiple issues (CVE-2006-4335, CVE-2006-4336,
CVE-2006-4337, CVE-2006-4338),
is fixed by gzip-security-diff.

"gzip --version" info is updated by gzip.c-message-diff.

------------------- original text ---------------------------

The version of Gzip contained in this gate, 1.3.3, is the latest
version released by the official maintainers. Following the release of
this version, a number of issues were discovered which affected
Solaris and for which it was deemed important to release a patch.
However, the Gzip source code is no longer being maintained by the
community. As a result, the diff file gzip-1.3.3.patch was created
which contains the differences between our released version and the
current official release. It is applied with gpatch during the
build process.

In order to distinguish the Sun-patched version from the official
community version, the version number reported by the utility at
runtime has been changed to: 1.3.3-patch.1

If a new official version of Gzip is released in the future, it should
be determined whether that later version still contains the problems
fixed by this patch. If it does not, this patch can be removed from
the gate and the build process when the later version is integrated
into the gate. If they are still present, this patch will have to be
modified to apply to that later version before it is integrated
into the gate.

The patch file contains the following changes:

1) configure: The version number used at build time has been
modified as described above.

2) gzip.c: [ 6283819 gzip TOCTOU file-permissions vulnerability ]

gzip copied the permissions of the original file by calling chmod()
on the output file name after the data had been written. A local
user able to replace that name between the write and the chmod()
(for example with a hard link) could have the mode applied to a
different file (CVE-2005-0988).

The code for this fix came from the patch used by the Debian
community to address the same issue in their distribution, and was
extracted from the patch downloaded from:

http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5.diff.gz

3) gzip.c: [ 6294656 gzip vulnerability <=1.3.5: a malicious archive
may write unintended files when uncompressed with -N ]

With -N, gunzip restores the original file name stored in the gzip
header. That name was used without stripping directory components,
so a header naming "../../some/path" caused the output to be written
outside the current directory (CVE-2005-1228).

The code for this fix came from the patch used by the Debian
community to address the same issue in their distribution, and was
extracted from the patch downloaded from:

http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5.diff.gz
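The two gzip.c fixes listed above (items 2 and 3) are easier to reason about with a small stand-alone program. The following is an added example written for this page; it is not code from gzip-1.3.3.patch, from the Debian diff, or from gzip itself. The header bytes are constructed, and the names gz_original_name, gz_safe_output_name, restore_mode_on_fd and check_fchmod_path are this example's own. It parses the FNAME field of a gzip member header (RFC 1952 layout) the way "gunzip -N" consumes it, applies the basename restriction that neutralises the traversal, and copies permissions with fchmod() on the open output descriptor instead of chmod() on the path.

```c
/* Added example, not code from gzip-1.3.3.patch or from gzip itself.
 * Rebuilds the two gzip.c bugs (items 2 and 3 above) on a constructed
 * gzip member header so the fixes can be exercised in isolation.
 * Build: cc -std=c99 -Wall -o gzcheck gzcheck.c && ./gzcheck */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

#define GZ_FLG_FHCRC    0x02
#define GZ_FLG_FEXTRA   0x04
#define GZ_FLG_FNAME    0x08
#define GZ_FLG_FCOMMENT 0x10

/* Constructed header: ID1 ID2 CM FLG(FNAME) MTIME(4) XFL OS, followed by
 * the stored original name "../../tmp/evil" and its terminating NUL.
 * No deflate data follows; only the header is of interest here. */
static const unsigned char evil_hdr[] = {
    0x1f, 0x8b, 0x08, GZ_FLG_FNAME, 0, 0, 0, 0, 0x00, 0x03,
    '.', '.', '/', '.', '.', '/', 't', 'm', 'p', '/', 'e', 'v', 'i', 'l', '\0'
};

/* Constructed header with an FEXTRA field (XLEN=2) before a benign name. */
static const unsigned char extra_hdr[] = {
    0x1f, 0x8b, 0x08, GZ_FLG_FEXTRA | GZ_FLG_FNAME, 0, 0, 0, 0, 0x00, 0x03,
    0x02, 0x00, 'X', 'Y',                   /* XLEN little-endian, 2 bytes */
    'a', '.', 't', 'x', 't', '\0'
};

/* Return a pointer to the NUL-terminated FNAME field inside hdr, or NULL
 * if the header is malformed or carries no name.  FEXTRA precedes FNAME
 * and is skipped; FCOMMENT and FHCRC follow it and do not matter here. */
static const char *gz_original_name(const unsigned char *hdr, size_t len)
{
    size_t pos = 10;
    if (len < pos || hdr[0] != 0x1f || hdr[1] != 0x8b || hdr[2] != 8)
        return NULL;
    if (!(hdr[3] & GZ_FLG_FNAME))
        return NULL;
    if (hdr[3] & GZ_FLG_FEXTRA) {
        if (len < pos + 2) return NULL;
        size_t xlen = hdr[pos] | (hdr[pos + 1] << 8);
        pos += 2;
        if (len - pos < xlen) return NULL;
        pos += xlen;
    }
    if (!memchr(hdr + pos, '\0', len - pos))   /* name must be terminated */
        return NULL;
    return (const char *)(hdr + pos);
}

/* Before the fix the stored name was used as the output path, so
 * "../../tmp/evil" escaped the current directory.  Keep only the final
 * path component and reject the values that would still be surprising.
 * Returns NULL when the name should be refused. */
static const char *gz_safe_output_name(const char *stored)
{
    const char *base = strrchr(stored, '/');
    base = base ? base + 1 : stored;
    if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return NULL;
    return base;
}

/* chmod(ofname, mode) after writing acts on whatever the name refers to
 * at that moment, which in a directory the attacker can write may no
 * longer be the file that was just created (the TOCTOU in item 2).
 * fchmod() on the descriptor used for writing binds the mode change to
 * that file regardless of later renames or links.  Returns 0 on success. */
static int restore_mode_on_fd(int ofd, mode_t mode)
{
    return fchmod(ofd, mode & 07777);
}

/* Self-check: create a temp file, set its mode through the descriptor
 * and confirm it with fstat().  Returns 1 on success, 0 otherwise. */
static int check_fchmod_path(void)
{
    char tmpl[] = "/tmp/gzcheckXXXXXX";
    int fd = mkstemp(tmpl), ok = 0;
    struct stat st;
    if (fd < 0) return 0;
    if (restore_mode_on_fd(fd, 0640) == 0 && fstat(fd, &st) == 0)
        ok = (st.st_mode & 07777) == 0640;
    close(fd);
    unlink(tmpl);
    return ok;
}

int main(void)
{
    const char *stored = gz_original_name(evil_hdr, sizeof evil_hdr);
    const char *safe = stored ? gz_safe_output_name(stored) : NULL;
    printf("stored name : %s\n", stored ? stored : "(none)");
    printf("output name : %s\n", safe ? safe : "(rejected)");
    printf("fchmod check: %s\n", check_fchmod_path() ? "ok" : "FAILED");
    return 0;
}
```

Running it prints the stored name "../../tmp/evil", the restricted output name "evil", and an "ok" for the fchmod() path. A real gunzip also has to skip FCOMMENT and FHCRC before the compressed data, and gzip's own handling of the basename differs in detail from gz_safe_output_name; the point of the example is that both the name check and the mode copy are decided on data gzip already holds (the header bytes and the open descriptor), not on a path that another process can change underneath it.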