usr/src/cmd/gzip/README.patch
branch oi_151a
changeset 211 8a6d16a6b5de
parent 210 b3ba25e86a27
child 212 05fe98e59aac
----------------- 6 Oct. 2006 - update ----------------------
Previous source patch (gzip.1.3.3.patch) was revised to
gzip-6294656-6283819-diff

Security issue CVE-2006-4334, synopsis: gzip multiple issues (CVE-2006-4335,
CVE-2006-4336, CVE-2006-4337, CVE-2006-4338), is fixed by gzip-security-diff.

"gzip --version" info is updated by gzip.c-message-diff

------------------- original text ---------------------------
The version of Gzip contained in this gate, 1.3.3, is the latest
version released by the official maintainers. Following the release of
this version, a number of issues were discovered which affected
Solaris and for which it was deemed important to release a patch.
However, the Gzip source code is no longer being maintained by the
community. As a result, the diff file gzip-1.3.3.patch was created
which contains the differences between our released version and the
current official release. This is applied using gpatch during the
build process.

In order to distinguish the Sun patched version from the official
community version, the version number as reported by the utility at
runtime has been changed to: 1.3.3-patch.1

If in the future a new official version of Gzip is released, it should
be determined whether that later version still contains the problems
fixed by this patch. If it does not, this patch can be removed from
the gate and the build process when the later version is integrated
into the gate. If they are still present, this patch will have to be
modified to be applicable to that later version before it is
integrated into the gate.

The patch file contains the following changes:

1) configure : The version number used during build time has been
   modified as described above.

2) gzip.c: [ 6283819 gzip TOCTOU file-permissions vulnerability ]

   The code for this fix came from the patch used by the Debian
   community to address the same issue in their distribution, and was
   extracted from the patch downloaded from:

http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5.diff.gz

3) gzip.c: [ 6294656 gzip vulnerability <=1.3.5: a malicious archive
   may write unintended files when uncompressed with -N ]

   The code for this fix came from the patch used by the Debian
   community to address the same issue in their distribution, and was
   extracted from the patch downloaded from:

http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.2-3woody5.diff.gz
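Added illustration of the problem class behind item 3 (not code from the gzip patch or from this gate): with -N the name restored from the archive header must never be allowed to pick a directory, so a reader keeps only the final path component of the stored FNAME field before that name reaches open(). The header layout follows RFC 1952; demo_stored_name is a constructed helper for the demonstration, and rejecting "." and ".." is an extra check this example adds on its own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 1952 gzip member header: ID1 ID2 CM FLG MTIME(4) XFL OS, then optional fields. */
#define GZ_FEXTRA 0x04
#define GZ_FNAME  0x08

/* Read the FNAME field of a gzip header and keep only its last path
 * component: a stored name such as "../../etc/passwd" must never choose
 * the directory. Returns the length of the sanitized name, or -1 when no
 * usable name exists (the caller then falls back to the .gz file's name). */
int gz_safe_fname(const uint8_t *hdr, size_t len, char *out, size_t outsz)
{
    if (len < 10 || hdr[0] != 0x1f || hdr[1] != 0x8b || hdr[2] != 8)
        return -1;                                  /* not a gzip member */
    uint8_t flg = hdr[3];
    size_t pos = 10;
    if (flg & GZ_FEXTRA) {                          /* skip XLEN + extra data */
        if (pos + 2 > len) return -1;
        pos += 2 + (size_t)(hdr[pos] | (hdr[pos + 1] << 8));
        if (pos > len) return -1;
    }
    if (!(flg & GZ_FNAME))
        return -1;
    const char *name = (const char *)hdr + pos;
    const char *nul = memchr(name, 0, len - pos);
    if (nul == NULL) return -1;                     /* unterminated name */
    const char *base = name;                        /* drop any directory prefix */
    for (const char *p = name; p < nul; p++)
        if (*p == '/') base = p + 1;
    size_t blen = (size_t)(nul - base);
    if (blen == 0 || blen >= outsz) return -1;      /* "dir/" or oversized */
    if (strcmp(base, ".") == 0 || strcmp(base, "..") == 0) return -1;
    memcpy(out, base, blen + 1);
    return (int)blen;
}

/* Constructed sample (hypothetical helper): build a minimal header carrying
 * stored_name in FNAME, then run it through gz_safe_fname. */
int demo_stored_name(const char *stored_name, char *out, size_t outsz)
{
    uint8_t hdr[256] = { 0x1f, 0x8b, 8, GZ_FNAME, 0, 0, 0, 0, 0, 3 };
    size_t n = strlen(stored_name) + 1;             /* include the NUL */
    if (10 + n > sizeof hdr) return -1;
    memcpy(hdr + 10, stored_name, n);
    return gz_safe_fname(hdr, 10 + n, out, outsz);
}
```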