Gentoo's Bugzilla – Attachment 216461 Details for Bug 300943: <app-arch/gzip-1.4, <app-arch/ncompress-4.2.4.3, <dev-libs/liblzw-0.2: Multiple vulnerabilities (CVE-2009-2624, CVE-2010-0001)
gzip-CVE-2010-0001.patch (text/plain), 2.05 KB, created by Alex Legler (RETIRED) on 2010-01-14 07:30:49 UTC
>Patch for gzip integer overflow (CVE-2010-0001) >Rediffed from upstream patch (commits 844994b00b and e9368c1189) > >diff -Naru a/Makefile.am b/Makefile.am >--- a/Makefile.am 2009-10-30 19:38:55.000000000 +0100 >+++ b/Makefile.am 2010-01-14 08:12:32.846290866 +0100 >@@ -102,6 +102,7 @@ > @echo 'Test succeeded.' > > TESTS = \ >+ tests/helin-segv \ > tests/trailing-nul \ > tests/zdiff \ > tests/zgrep-f >diff -Naru a/tests/helin-segv b/tests/helin-segv >--- a/tests/helin-segv 1970-01-01 01:00:00.000000000 +0100 >+++ b/tests/helin-segv 2010-01-14 08:13:25.230298339 +0100 >@@ -0,0 +1,37 @@ >+#!/bin/sh >+# Before gzip-1.4, gzip -d would segfault on some inputs. >+ >+# Copyright (C) 2010 Free Software Foundation, Inc. >+ >+# This program is free software: you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation, either version 3 of the License, or >+# (at your option) any later version. >+ >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+ >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. >+# limit so don't run it by default. >+ >+if test "$VERBOSE" = yes; then >+ set -x >+ gzip --version >+fi >+ >+: ${srcdir=.} >+. "$srcdir/tests/init.sh"; path_prepend_ . >+ >+# This test case was provided by Aki Helin. >+printf '\037\235\220\0\0\0\304' > helin.gz || framework_failure >+printf '\0\0' > exp || framework_failure >+ >+fail=0 >+ >+gzip -dc helin.gz > out || fail=1 >+compare out exp || fail=1 >+ >+Exit $fail >diff -Naru a/unlzw.c b/unlzw.c >--- a/unlzw.c 2009-09-26 20:20:40.000000000 +0200 >+++ b/unlzw.c 2010-01-14 08:16:49.390292054 +0100 
>@@ -244,7 +244,8 @@ > int o; > > resetbuf: >- e = insize-(o = (posbits>>3)); >+ o = posbits >> 3; >+ e = o <= insize ? insize - o : 0; > > for (i = 0 ; i < e ; ++i) { > inbuf[i] = inbuf[i+o];
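Review bot: In the Makefile.am hunk, `tests/helin-segv` is added to TESTS, but the patch touches only Makefile.am and no generated Makefile.in, so the new test is not run unless the build regenerates the autotools files after applying; either regenerate them in the build or state in the patch header that the test is carried for reference only. The script is also created by a plain unified diff, which records no file mode, so it needs its executable bit set if the harness executes TESTS entries directly.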
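Review bot: In the tests/helin-segv hunk, the line `. "$srcdir/tests/init.sh"; path_prepend_ .` and the later calls to `framework_failure`, `compare` and `Exit` depend on a tests/init.sh that this patch does not add; since the patch is rediffed from upstream, confirm that file exists in the target tree or include it, otherwise the test fails before it reaches `gzip -dc helin.gz`. The comment line `# limit so don't run it by default.` directly after the license text is an orphaned fragment and should be dropped.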
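Review bot: In the unlzw.c hunk at `resetbuf:`, the new clamp `e = o <= insize ? insize - o : 0;` carries no comment saying why `o` can exceed `insize`, and it lets decoding continue silently when it does; add a one-line comment that `posbits >> 3` can point past the bytes actually read, which previously gave the `inbuf[i] = inbuf[i+o]` loop a bad count, and consider whether that case should be reported as corrupt input rather than treated as an empty remainder. `o` is declared `int` while the type of `insize` is not visible in this hunk, so check that `o <= insize` is not a signed/unsigned comparison that changes meaning for a negative `o`.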