Date: Thu, 17 Jan 2002 17:45:18 +0900 (JST) From: Koga Youichirou <y-koga@jp.FreeBSD.org> To: freebsd-security@FreeBSD.ORG Subject: gzip Message-ID: <20020117.174518.102811786.y-koga@jp.FreeBSD.org> In-Reply-To: <20011011.160941.74753041.y-koga@jp.FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Debian announced gzip buffer overflow vuln: http://www.debian.org/security/2002/dsa-100 Debian's patch: http://security.debian.org/dists/stable/updates/main/source/gzip_1.2.4-33.1.diff.gz And the official patch has been released: http://www.gzip.org/gzip-1.2.4b.patch I know that FreeBSD's gzip has already fixed this problem in 1997, however Debian's patch includes other important fixes. I think that FreeBSD's zdiff and znew are also vulnerable. zdiff: F=`echo "$2" | sed 's|.*/||;s|[-.][zZtga]*||'` gzip -cdfq "$2" > /tmp/"$F".$$ znew: tmp=/tmp/zfoo.$$ echo hi > $tmp.1 echo hi > $tmp.2 too horrible ;) -- Koga, Youichirou To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020117.174518.102811786.y-koga>