Ken Moffat wrote:
> Thanks, Matt. But the first vulnerability is apparently only in 1.3.3 and earlier (unless CVE are mistaken). The patch applies, and doesn't seem to deal with directory traversal, so I guess it's only CAN-2005-1228 that we should be concerned about.

Well, please don't shoot the messenger :)

All I did was download http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.diff.gz and http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.1.diff.gz. I applied one patch to one clean untarred copy of gzip-1.3.5 and the other patch to a separate copy of gzip-1.3.5. I then did a `diff' on the two trees and the patch I posted was the result of that.

Having said that, the second hunk is the only thing that looks remotely like it could deal with the traversal vulnerability. As for the accuracy or otherwise of CVE's information, I'm not at all qualified to say :)

Best regards,
Matt.
