[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.009-gzip.txt

[Michael Schloh]

  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Michael Schloh
  Root:   /v/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   10-Jun-2005 15:31:09
  Branch: HEAD                             Handle: 2005061014310900

  Modified files:
    openpkg-web/security    OpenPKG-SA-2005.009-gzip.txt

  Log:
    correct package name and formatting, and refer to 
OpenPKG-SA-2005.010-openpkg
    where the bootstrap package is treated for embedded gzip errors

  Summary:
    Revision    Changes     Path
    1.2         +22 -18     openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt
  ============================================================================
  $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2005.009-gzip.txt
  --- openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt 10 Jun 2005 12:32:22 
-0000      1.1
  +++ openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt 10 Jun 2005 13:31:09 
-0000      1.2
  @@ -24,22 +24,25 @@
     According to a Debian bug report [0], Ulf Harnhammar discovered
     an input validation error in the gzip data compressor [1]. Because
     gzip(1) fails to properly validate file paths during decompression
  -  with the '-N' argument, a remote attacker using a malicious archive
  +  with the "-N" argument, a remote attacker using a malicious archive
     could corrupt arbitrary files with the privileges of the user that
     is running gzip(1). The Common Vulnerabilities and Exposures (CVE)
     project assigned the identifier CAN-2005-1228 [2] to this problem.
   
  +  Because the openpkg bootstrap package embeds gzip, it may be affected
  +  as well. Please refer to OpenPKG-SA-2005.010-openpkg for details [3].
  +
     Please check whether you are affected by running "<prefix>/bin/openpkg
  -  rpm -q bzip2". If you have the "bzip2" package installed and its
  +  rpm -q gzip". If you have the "gzip" package installed and its
     version is affected (see above), we recommend that you immediately
  -  upgrade it (see Solution) and any dependent packages as well [3][4].
  +  upgrade it (see Solution) and any dependent packages as well [4][5].
   
   Solution:
     Select the updated source RPM appropriate for your OpenPKG release
  -  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  -  location, verify its integrity [9], build a corresponding binary
  -  RPM from it [3] and update your OpenPKG installation by applying the
  -  binary RPM [4]. For the most recent release OpenPKG 2.3, perform the
  +  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  +  location, verify its integrity [10], build a corresponding binary
  +  RPM from it [4] and update your OpenPKG installation by applying the
  +  binary RPM [5]. For the most recent release OpenPKG 2.3, perform the
     following operations to permanently fix the security problem (for
     other releases adjust accordingly).
   
  @@ -54,21 +57,22 @@
     # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/gzip-1.3.5-2.3.1.*.rpm
   
     We recommend that you rebuild and reinstall any dependent packages
  -  (see above) as well [3][4]. The openpkg build tool can be instrumental
  +  (see above) as well [4][5]. The openpkg build tool can be instrumental
     in consistently updating and securing the entire OpenPKG instance.
   ________________________________________________________________________
   
   References:
  -  [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255
  -  [1] http://www.gzip.org/
  -  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228
  -  [3] http://www.openpkg.org/tutorial.html#regular-source
  -  [4] http://www.openpkg.org/tutorial.html#regular-binary
  -  [5] ftp://ftp.openpkg.org/release/2.3/UPD/gzip-1.3.5-2.3.1.src.rpm
  -  [6] ftp://ftp.openpkg.org/release/2.2/UPD/gzip-1.3.5-2.2.1.src.rpm
  -  [7] ftp://ftp.openpkg.org/release/2.3/UPD/
  -  [8] ftp://ftp.openpkg.org/release/2.2/UPD/
  -  [9] http://www.openpkg.org/security.html#signature
  +  [0]  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255
  +  [1]  http://www.gzip.org/
  +  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228
  +  [3]  http://www.openpkg.org/security/OpenPKG-SA-2005.010-openpkg.html
  +  [4]  http://www.openpkg.org/tutorial.html#regular-source
  +  [5]  http://www.openpkg.org/tutorial.html#regular-binary
  +  [6]  ftp://ftp.openpkg.org/release/2.3/UPD/gzip-1.3.5-2.3.1.src.rpm
  +  [7]  ftp://ftp.openpkg.org/release/2.2/UPD/gzip-1.3.5-2.2.1.src.rpm
  +  [8]  ftp://ftp.openpkg.org/release/2.3/UPD/
  +  [9]  ftp://ftp.openpkg.org/release/2.2/UPD/
  +  [10] http://www.openpkg.org/security.html#signature
   ________________________________________________________________________
   
   For security reasons, this advisory was digitally signed with the
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     openpkg-cvs@openpkg.org