rpms/gzip/devel gzip-1.3.5-cve-2006-4334.patch, NONE, 1.1 gzip-1.3.5-cve-2006-4335.patch, NONE, 1.1 gzip-1.3.5-cve-2006-4336.patch, NONE, 1.1 gzip-1.3.5-cve-2006-4337.patch, NONE, 1.1 gzip-1.3.5-cve-2006-4338.patch, NONE, 1.1 gzip.spec, 1.26, 1.27

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Sep 20 10:52:36 UTC 2006 

Author: varekova

Update of /cvs/dist/rpms/gzip/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv1696

Modified Files:
	gzip.spec 
Added Files:
	gzip-1.3.5-cve-2006-4334.patch gzip-1.3.5-cve-2006-4335.patch 
	gzip-1.3.5-cve-2006-4336.patch gzip-1.3.5-cve-2006-4337.patch 
	gzip-1.3.5-cve-2006-4338.patch 
Log Message:
- fix bug 204676 (patches by Tavis Ormandy)


gzip-1.3.5-cve-2006-4334.patch:
 inflate.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE gzip-1.3.5-cve-2006-4334.patch ---
--- gzip-1.3/inflate.c.4334	1999-10-06 07:01:41.000000000 +0200
+++ gzip-1.3/inflate.c	2006-09-06 15:08:32.000000000 +0200
@@ -315,7 +315,7 @@
   {
     *t = (struct huft *)NULL;
     *m = 0;
-    return 0;
+    return 2;
   }
 
 

gzip-1.3.5-cve-2006-4335.patch:
 unlzh.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletion(-)

--- NEW FILE gzip-1.3.5-cve-2006-4335.patch ---
--- gzip-1.3.3/unlzh.c.4335	1999-10-06 07:00:00.000000000 +0200
+++ gzip-1.3.3/unlzh.c	2006-09-07 09:41:41.000000000 +0200
@@ -149,7 +149,11 @@
     unsigned i, k, len, ch, jutbits, avail, nextcode, mask;
 
     for (i = 1; i <= 16; i++) count[i] = 0;
-    for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++;
+    for (i = 0; i < (unsigned)nchar; i++) {
+        if (bitlen[i] > 16)
+        error("Bad table (case a)\n");
+        else count[bitlen[i]]++;
+    }
 
     start[1] = 0;
     for (i = 1; i <= 16; i++)

gzip-1.3.5-cve-2006-4336.patch:
 unpack.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

--- NEW FILE gzip-1.3.5-cve-2006-4336.patch ---
--- gzip-1.3.3/unpack.c.4336	1999-10-06 07:00:00.000000000 +0200
+++ gzip-1.3.3/unpack.c	2006-09-07 10:49:08.000000000 +0200
@@ -133,7 +133,7 @@
 	/* Remember where the literals of this length start in literal[] : */
 	lit_base[len] = base;
 	/* And read the literals: */
-	for (n = leaves[len]; n > 0; n--) {
+	for (n = leaves[len]; n > 0 && base < LITERALS; n--) {
 	    literal[base++] = (uch)get_byte();
 	}
     }
@@ -169,7 +169,7 @@
     prefixp = &prefix_len[1<<peek_bits];
     for (len = 1; len <= peek_bits; len++) {
 	int prefixes = leaves[len] << (peek_bits-len); /* may be 0 */
-	while (prefixes--) *--prefixp = (uch)len;
+	while (prefixes-- && prefixp > prefix_len) *--prefixp = (uch)len;
     }
     /* The length of all other codes is unknown: */
     while (prefixp > prefix_len) *--prefixp = 0;

gzip-1.3.5-cve-2006-4337.patch:
 gzip.h   |    2 ++
 unlzh.c  |   24 ++++++++++++------------
 unpack.c |    1 -
 3 files changed, 14 insertions(+), 13 deletions(-)

--- NEW FILE gzip-1.3.5-cve-2006-4337.patch ---
--- gzip-1.3.3/unlzh.c.4337	2006-09-07 13:26:24.000000000 +0200
+++ gzip-1.3.3/unlzh.c	2006-09-07 13:26:50.000000000 +0200
@@ -158,8 +158,8 @@
     start[1] = 0;
     for (i = 1; i <= 16; i++)
 	start[i + 1] = start[i] + (count[i] << (16 - i));
-    if ((start[17] & 0xffff) != 0)
-	error("Bad table\n");
+    if ((start[17] & 0xffff) != 0 || tablebits > 16) /* 16 for weight below */
+       error("Bad table (case b)\n");
 
     jutbits = 16 - tablebits;
     for (i = 1; i <= (unsigned)tablebits; i++) {
@@ -173,15 +173,15 @@
 
     i = start[tablebits + 1] >> jutbits;
     if (i != 0) {
-	k = 1 << tablebits;
-	while (i != k) table[i++] = 0;
+        k = MIN(1 << tablebits, DIST_BUFSIZE);
+        while (i < k) table[i++] = 0;    
     }
 
     avail = nchar;
     mask = (unsigned) 1 << (15 - tablebits);
     for (ch = 0; ch < (unsigned)nchar; ch++) {
 	if ((len = bitlen[ch]) == 0) continue;
-	nextcode = start[len] + weight[len];
+	nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE);
 	if (len <= (unsigned)tablebits) {
 	    for (i = start[len]; i < nextcode; i++) table[i] = ch;
 	} else {
@@ -222,7 +222,7 @@
 	for (i = 0; i < 256; i++) pt_table[i] = c;
     } else {
 	i = 0;
-	while (i < n) {
+	while (i < MIN(n,NPT)) {
 	    c = bitbuf >> (BITBUFSIZ - 3);
 	    if (c == 7) {
 		mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3);
@@ -232,7 +232,7 @@
 	    pt_len[i++] = c;
 	    if (i == i_special) {
 		c = getbits(2);
-		while (--c >= 0) pt_len[i++] = 0;
+		while (--c >= 0 && i < NPT) pt_len[i++] = 0;
 	    }
 	}
 	while (i < nn) pt_len[i++] = 0;
@@ -252,7 +252,7 @@
 	for (i = 0; i < 4096; i++) c_table[i] = c;
     } else {
 	i = 0;
-	while (i < n) {
+	while (i < MIN(n,NC)) {
 	    c = pt_table[bitbuf >> (BITBUFSIZ - 8)];
 	    if (c >= NT) {
 		mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8);
@@ -267,7 +267,7 @@
 		if      (c == 0) c = 1;
 		else if (c == 1) c = getbits(4) + 3;
 		else             c = getbits(CBIT) + 20;
-		while (--c >= 0) c_len[i++] = 0;
+		while (--c >= 0 && i < NC) c_len[i++] = 0; 
 	    } else c_len[i++] = c - 2;
 	}
 	while (i < NC) c_len[i++] = 0;
@@ -360,7 +360,7 @@
     while (--j >= 0) {
 	buffer[r] = buffer[i];
 	i = (i + 1) & (DICSIZ - 1);
-	if (++r == count) return r;
+	if (++r >= count) return r;
     }
     for ( ; ; ) {
 	c = decode_c();
@@ -370,14 +370,14 @@
 	}
 	if (c <= UCHAR_MAX) {
 	    buffer[r] = c;
-	    if (++r == count) return r;
+	    if (++r >= count) return r;
 	} else {
 	    j = c - (UCHAR_MAX + 1 - THRESHOLD);
 	    i = (r - decode_p() - 1) & (DICSIZ - 1);
 	    while (--j >= 0) {
 		buffer[r] = buffer[i];
 		i = (i + 1) & (DICSIZ - 1);
-		if (++r == count) return r;
+		if (++r >= count) return r;
 	    }
 	}
     }
--- gzip-1.3.3/gzip.h.4337	2006-09-07 13:26:24.000000000 +0200
+++ gzip-1.3.3/gzip.h	2006-09-07 13:26:24.000000000 +0200
@@ -199,6 +199,8 @@
 extern int to_stdout;      /* output to stdout (-c) */
 extern int save_orig_name; /* set if original name must be saved */
 
+#define MIN(a,b) ((a) <= (b) ? (a) : (b))
+
 #define get_byte()  (inptr < insize ? inbuf[inptr++] : fill_inbuf(0))
 #define try_byte()  (inptr < insize ? inbuf[inptr++] : fill_inbuf(1))
 
--- gzip-1.3.3/unpack.c.4337	2006-09-07 13:26:24.000000000 +0200
+++ gzip-1.3.3/unpack.c	2006-09-07 13:26:24.000000000 +0200
@@ -13,7 +13,6 @@
 #include "gzip.h"
 #include "crypt.h"
 
-#define MIN(a,b) ((a) <= (b) ? (a) : (b))
 /* The arguments must not have side effects. */
 
 #define MAX_BITLEN 25

gzip-1.3.5-cve-2006-4338.patch:
 unlzh.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

--- NEW FILE gzip-1.3.5-cve-2006-4338.patch ---
--- gzip-1.3.3/unlzh.c.4338	2006-09-07 10:49:31.000000000 +0200
+++ gzip-1.3.3/unlzh.c	2006-09-07 11:37:53.000000000 +0200
@@ -260,7 +260,7 @@
 		    if (bitbuf & mask) c = right[c];
 		    else               c = left [c];
 		    mask >>= 1;
-		} while (c >= NT);
+		} while (c >= NT && (mask || c != left[c]));
 	    }
 	    fillbuf((int) pt_len[c]);
 	    if (c <= 2) {
@@ -296,7 +296,7 @@
 	    if (bitbuf & mask) j = right[j];
 	    else               j = left [j];
 	    mask >>= 1;
-	} while (j >= NC);
+	} while (j >= NC && (mask || j != left[j])); 
     }
     fillbuf((int) c_len[j]);
     return j;
@@ -313,7 +313,7 @@
 	    if (bitbuf & mask) j = right[j];
 	    else               j = left [j];
 	    mask >>= 1;
-	} while (j >= NP);
+	} while (j >= NP && (mask || j != left[j]));
     }
     fillbuf((int) pt_len[j]);
     if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1));


Index: gzip.spec
===================================================================
RCS file: /cvs/dist/rpms/gzip/devel/gzip.spec,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- gzip.spec	14 Jul 2006 20:20:17 -0000	1.26
+++ gzip.spec	20 Sep 2006 10:52:34 -0000	1.27
@@ -1,7 +1,7 @@
 Summary: The GNU data compression program.
 Name: gzip
 Version: 1.3.5
-Release: 7
+Release: 8
 License: GPL
 Group: Applications/File
 Source: ftp://alpha.gnu.org/gnu/gzip/gzip-%{version}.tar.gz
@@ -15,6 +15,11 @@
 Patch8: gzip-1.3.5-zgrep-sed.patch
 Patch9: gzip-1.3.5-gzip-perm.patch
 Patch10: gzip-1.3.5-gunzip-dir.patch
+Patch11: gzip-1.3.5-cve-2006-4334.patch
+Patch12: gzip-1.3.5-cve-2006-4335.patch
+Patch13: gzip-1.3.5-cve-2006-4336.patch
+Patch14: gzip-1.3.5-cve-2006-4338.patch
+Patch15: gzip-1.3.5-cve-2006-4337.patch
 URL: http://www.gzip.org/
 Prereq: /sbin/install-info
 Requires: mktemp less
@@ -40,6 +45,11 @@
 %patch8 -p0 -b .sed
 %patch9 -p1 -b .perm
 %patch10 -p1 -b .dir
+%patch11 -p1 -b .4334
+%patch12 -p1 -b .4335
+%patch13 -p1 -b .4336
+%patch14 -p1 -b .4338
+%patch15 -p1 -b .4337
 
 %build
 export DEFS="NO_ASM"
@@ -85,6 +95,14 @@
 %{_infodir}/gzip.info*
 
 %changelog
+* Wed Sep 20 2006 Ivana Varekova <varekova at redhat.com> 1.3.5-8
+- fix bug 204676 (patches by Tavis Ormandy)
+  - cve-2006-4334 - null dereference problem
+  - cve-2006-4335 - buffer overflow problem
+  - cve-2006-4336 - buffer underflow problem
+  - cve-2006-4338 - infinite loop problem
+  - cve-2006-4337 - buffer overflow problem
+
 * Fri Jul 14 2006 Karsten Hopp <karsten at redhat.de> 1.3.5-7
 - buildrequire texinfo, otherwise gzip.info will be empty

More information about the fedora-cvs-commits mailing list