rpms/gzip/devel gzip-1.3.5-cve-2006-4334.patch, NONE, 1.1 gzip-1.3.5-cve-2006-4335.patch, NONE, 1.1 gzip-1.3.5-cve-2006-4336.patch, NONE, 1.1 gzip-1.3.5-cve-2006-4337.patch, NONE, 1.1 gzip-1.3.5-cve-2006-4338.patch, NONE, 1.1 gzip.spec, 1.26, 1.27
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Sep 20 10:52:36 UTC 2006
- Previous message (by thread): rpms/beagle/devel .cvsignore, 1.14, 1.15 beagle.spec, 1.79, 1.80 sources, 1.17, 1.18
- Next message (by thread): rpms/kdepim/devel kdepim-3.5.4-kde#134200.patch, NONE, 1.1 kdepim.spec, 1.105, 1.106
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: varekova
Update of /cvs/dist/rpms/gzip/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv1696
Modified Files:
gzip.spec
Added Files:
gzip-1.3.5-cve-2006-4334.patch gzip-1.3.5-cve-2006-4335.patch
gzip-1.3.5-cve-2006-4336.patch gzip-1.3.5-cve-2006-4337.patch
gzip-1.3.5-cve-2006-4338.patch
Log Message:
- fix bug 204676 (patches by Tavis Ormandy)
gzip-1.3.5-cve-2006-4334.patch:
inflate.c | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE gzip-1.3.5-cve-2006-4334.patch ---
--- gzip-1.3/inflate.c.4334 1999-10-06 07:01:41.000000000 +0200
+++ gzip-1.3/inflate.c 2006-09-06 15:08:32.000000000 +0200
@@ -315,7 +315,7 @@
{
*t = (struct huft *)NULL;
*m = 0;
- return 0;
+ return 2;
}
gzip-1.3.5-cve-2006-4335.patch:
unlzh.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletion(-)
--- NEW FILE gzip-1.3.5-cve-2006-4335.patch ---
--- gzip-1.3.3/unlzh.c.4335 1999-10-06 07:00:00.000000000 +0200
+++ gzip-1.3.3/unlzh.c 2006-09-07 09:41:41.000000000 +0200
@@ -149,7 +149,11 @@
unsigned i, k, len, ch, jutbits, avail, nextcode, mask;
for (i = 1; i <= 16; i++) count[i] = 0;
- for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++;
+ for (i = 0; i < (unsigned)nchar; i++) {
+ if (bitlen[i] > 16)
+ error("Bad table (case a)\n");
+ else count[bitlen[i]]++;
+ }
start[1] = 0;
for (i = 1; i <= 16; i++)
gzip-1.3.5-cve-2006-4336.patch:
unpack.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE gzip-1.3.5-cve-2006-4336.patch ---
--- gzip-1.3.3/unpack.c.4336 1999-10-06 07:00:00.000000000 +0200
+++ gzip-1.3.3/unpack.c 2006-09-07 10:49:08.000000000 +0200
@@ -133,7 +133,7 @@
/* Remember where the literals of this length start in literal[] : */
lit_base[len] = base;
/* And read the literals: */
- for (n = leaves[len]; n > 0; n--) {
+ for (n = leaves[len]; n > 0 && base < LITERALS; n--) {
literal[base++] = (uch)get_byte();
}
}
@@ -169,7 +169,7 @@
prefixp = &prefix_len[1<<peek_bits];
for (len = 1; len <= peek_bits; len++) {
int prefixes = leaves[len] << (peek_bits-len); /* may be 0 */
- while (prefixes--) *--prefixp = (uch)len;
+ while (prefixes-- && prefixp > prefix_len) *--prefixp = (uch)len;
}
/* The length of all other codes is unknown: */
while (prefixp > prefix_len) *--prefixp = 0;
gzip-1.3.5-cve-2006-4337.patch:
gzip.h | 2 ++
unlzh.c | 24 ++++++++++++------------
unpack.c | 1 -
3 files changed, 14 insertions(+), 13 deletions(-)
--- NEW FILE gzip-1.3.5-cve-2006-4337.patch ---
--- gzip-1.3.3/unlzh.c.4337 2006-09-07 13:26:24.000000000 +0200
+++ gzip-1.3.3/unlzh.c 2006-09-07 13:26:50.000000000 +0200
@@ -158,8 +158,8 @@
start[1] = 0;
for (i = 1; i <= 16; i++)
start[i + 1] = start[i] + (count[i] << (16 - i));
- if ((start[17] & 0xffff) != 0)
- error("Bad table\n");
+ if ((start[17] & 0xffff) != 0 || tablebits > 16) /* 16 for weight below */
+ error("Bad table (case b)\n");
jutbits = 16 - tablebits;
for (i = 1; i <= (unsigned)tablebits; i++) {
@@ -173,15 +173,15 @@
i = start[tablebits + 1] >> jutbits;
if (i != 0) {
- k = 1 << tablebits;
- while (i != k) table[i++] = 0;
+ k = MIN(1 << tablebits, DIST_BUFSIZE);
+ while (i < k) table[i++] = 0;
}
avail = nchar;
mask = (unsigned) 1 << (15 - tablebits);
for (ch = 0; ch < (unsigned)nchar; ch++) {
if ((len = bitlen[ch]) == 0) continue;
- nextcode = start[len] + weight[len];
+ nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE);
if (len <= (unsigned)tablebits) {
for (i = start[len]; i < nextcode; i++) table[i] = ch;
} else {
@@ -222,7 +222,7 @@
for (i = 0; i < 256; i++) pt_table[i] = c;
} else {
i = 0;
- while (i < n) {
+ while (i < MIN(n,NPT)) {
c = bitbuf >> (BITBUFSIZ - 3);
if (c == 7) {
mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3);
@@ -232,7 +232,7 @@
pt_len[i++] = c;
if (i == i_special) {
c = getbits(2);
- while (--c >= 0) pt_len[i++] = 0;
+ while (--c >= 0 && i < NPT) pt_len[i++] = 0;
}
}
while (i < nn) pt_len[i++] = 0;
@@ -252,7 +252,7 @@
for (i = 0; i < 4096; i++) c_table[i] = c;
} else {
i = 0;
- while (i < n) {
+ while (i < MIN(n,NC)) {
c = pt_table[bitbuf >> (BITBUFSIZ - 8)];
if (c >= NT) {
mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8);
@@ -267,7 +267,7 @@
if (c == 0) c = 1;
else if (c == 1) c = getbits(4) + 3;
else c = getbits(CBIT) + 20;
- while (--c >= 0) c_len[i++] = 0;
+ while (--c >= 0 && i < NC) c_len[i++] = 0;
} else c_len[i++] = c - 2;
}
while (i < NC) c_len[i++] = 0;
@@ -360,7 +360,7 @@
while (--j >= 0) {
buffer[r] = buffer[i];
i = (i + 1) & (DICSIZ - 1);
- if (++r == count) return r;
+ if (++r >= count) return r;
}
for ( ; ; ) {
c = decode_c();
@@ -370,14 +370,14 @@
}
if (c <= UCHAR_MAX) {
buffer[r] = c;
- if (++r == count) return r;
+ if (++r >= count) return r;
} else {
j = c - (UCHAR_MAX + 1 - THRESHOLD);
i = (r - decode_p() - 1) & (DICSIZ - 1);
while (--j >= 0) {
buffer[r] = buffer[i];
i = (i + 1) & (DICSIZ - 1);
- if (++r == count) return r;
+ if (++r >= count) return r;
}
}
}
--- gzip-1.3.3/gzip.h.4337 2006-09-07 13:26:24.000000000 +0200
+++ gzip-1.3.3/gzip.h 2006-09-07 13:26:24.000000000 +0200
@@ -199,6 +199,8 @@
extern int to_stdout; /* output to stdout (-c) */
extern int save_orig_name; /* set if original name must be saved */
+#define MIN(a,b) ((a) <= (b) ? (a) : (b))
+
#define get_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(0))
#define try_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(1))
--- gzip-1.3.3/unpack.c.4337 2006-09-07 13:26:24.000000000 +0200
+++ gzip-1.3.3/unpack.c 2006-09-07 13:26:24.000000000 +0200
@@ -13,7 +13,6 @@
#include "gzip.h"
#include "crypt.h"
-#define MIN(a,b) ((a) <= (b) ? (a) : (b))
/* The arguments must not have side effects. */
#define MAX_BITLEN 25
gzip-1.3.5-cve-2006-4338.patch:
unlzh.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
--- NEW FILE gzip-1.3.5-cve-2006-4338.patch ---
--- gzip-1.3.3/unlzh.c.4338 2006-09-07 10:49:31.000000000 +0200
+++ gzip-1.3.3/unlzh.c 2006-09-07 11:37:53.000000000 +0200
@@ -260,7 +260,7 @@
if (bitbuf & mask) c = right[c];
else c = left [c];
mask >>= 1;
- } while (c >= NT);
+ } while (c >= NT && (mask || c != left[c]));
}
fillbuf((int) pt_len[c]);
if (c <= 2) {
@@ -296,7 +296,7 @@
if (bitbuf & mask) j = right[j];
else j = left [j];
mask >>= 1;
- } while (j >= NC);
+ } while (j >= NC && (mask || j != left[j]));
}
fillbuf((int) c_len[j]);
return j;
@@ -313,7 +313,7 @@
if (bitbuf & mask) j = right[j];
else j = left [j];
mask >>= 1;
- } while (j >= NP);
+ } while (j >= NP && (mask || j != left[j]));
}
fillbuf((int) pt_len[j]);
if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1));
Index: gzip.spec
===================================================================
RCS file: /cvs/dist/rpms/gzip/devel/gzip.spec,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- gzip.spec 14 Jul 2006 20:20:17 -0000 1.26
+++ gzip.spec 20 Sep 2006 10:52:34 -0000 1.27
@@ -1,7 +1,7 @@
Summary: The GNU data compression program.
Name: gzip
Version: 1.3.5
-Release: 7
+Release: 8
License: GPL
Group: Applications/File
Source: ftp://alpha.gnu.org/gnu/gzip/gzip-%{version}.tar.gz
@@ -15,6 +15,11 @@
Patch8: gzip-1.3.5-zgrep-sed.patch
Patch9: gzip-1.3.5-gzip-perm.patch
Patch10: gzip-1.3.5-gunzip-dir.patch
+Patch11: gzip-1.3.5-cve-2006-4334.patch
+Patch12: gzip-1.3.5-cve-2006-4335.patch
+Patch13: gzip-1.3.5-cve-2006-4336.patch
+Patch14: gzip-1.3.5-cve-2006-4338.patch
+Patch15: gzip-1.3.5-cve-2006-4337.patch
URL: http://www.gzip.org/
Prereq: /sbin/install-info
Requires: mktemp less
@@ -40,6 +45,11 @@
%patch8 -p0 -b .sed
%patch9 -p1 -b .perm
%patch10 -p1 -b .dir
+%patch11 -p1 -b .4334
+%patch12 -p1 -b .4335
+%patch13 -p1 -b .4336
+%patch14 -p1 -b .4338
+%patch15 -p1 -b .4337
%build
export DEFS="NO_ASM"
@@ -85,6 +95,14 @@
%{_infodir}/gzip.info*
%changelog
+* Wed Sep 20 2006 Ivana Varekova <varekova at redhat.com> 1.3.5-8
+- fix bug 204676 (patches by Tavis Ormandy)
+ - cve-2006-4334 - null dereference problem
+ - cve-2006-4335 - buffer overflow problem
+ - cve-2006-4336 - buffer underflow problem
+ - cve-2006-4338 - infinite loop problem
+ - cve-2006-4337 - buffer overflow problem
+
* Fri Jul 14 2006 Karsten Hopp <karsten at redhat.de> 1.3.5-7
- buildrequire texinfo, otherwise gzip.info will be empty
- Previous message (by thread): rpms/beagle/devel .cvsignore, 1.14, 1.15 beagle.spec, 1.79, 1.80 sources, 1.17, 1.18
- Next message (by thread): rpms/kdepim/devel kdepim-3.5.4-kde#134200.patch, NONE, 1.1 kdepim.spec, 1.105, 1.106
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-cvs-commits
mailing list