GNU bug report logs -
#30040
Mageia patching gzip with old CVE's
Previous Next
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 30040 in the body.
You can then email your comments to 30040 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-gzip <at> gnu.org:
bug#30040; Package
gzip.
(Tue, 09 Jan 2018 07:48:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Stig-Ørjan Smelror <smelror <at> gmail.com>:
New bug report received and forwarded. Copy sent to
bug-gzip <at> gnu.org.
(Tue, 09 Jan 2018 07:48:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi everyone.
I'm a packager padawan with Mageia and started working on packaging
gzip-1.9 yesterday.
When looking through the list of patches for gzip, I noticed quite a few
CVE's lingering there and then looking through the code it "seemed to me"
that these CVE's are not included.
Then I thought, perhaps they've managed to fix these in other ways, but
since I'm no programmer and not really sure, I wanted to ask you.
Can you please take a look at the patches Mageia uses and let me know if
they are necessary or needs to be rebased for gzip-1.9?
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/
Thanks in advance.
Cheers,
Stig-Ørjan Smelror
[Message part 2 (text/html, inline)]
Reply sent
to
Jim Meyering <jim <at> meyering.net>:
You have taken responsibility.
(Thu, 11 Jan 2018 05:18:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Stig-Ørjan Smelror <smelror <at> gmail.com>:
bug acknowledged by developer.
(Thu, 11 Jan 2018 05:18:03 GMT)
Full text and
rfc822 format available.
Message #10 received at 30040-done <at> debbugs.gnu.org (full text, mbox):
On Mon, Jan 8, 2018 at 11:01 PM, Stig-Ørjan Smelror <smelror <at> gmail.com> wrote:
> Hi everyone.
>
> I'm a packager padawan with Mageia and started working on packaging
> gzip-1.9 yesterday.
>
> When looking through the list of patches for gzip, I noticed quite a few
> CVE's lingering there and then looking through the code it "seemed to me"
> that these CVE's are not included.
>
> Then I thought, perhaps they've managed to fix these in other ways, but
> since I'm no programmer and not really sure, I wanted to ask you.
>
> Can you please take a look at the patches Mageia uses and let me know if
> they are necessary or needs to be rebased for gzip-1.9?
> http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/
The CVE-2006-???? bugs were all fixed in upstream commit
03167e0cea52f915ea63566a76d76e68659542e8.
There is nothing of significance in the gzip-1.5-CVE-2009-2624-1.diff patch.
Thus, you may safely remove those .diff files.
Also, the zforce-related patch does this, which looks wrong:
- if gzip -lv < "$i" 2>/dev/null | grep '^defl' > /dev/null; then
+ if gzip -l < "$i" 2>/dev/null | grep '^compressed' > /dev/null; then
since that beginning-of-line-anchored regexp will never match gzip's -l output:
$ :|gzip|gzip -l
compressed uncompressed ratio uncompressed_name
-1 -1 0.0% stdout
I suggest you remove that patch, too.
Finally, gzip-1.3.3-window-size.patch does this to gzip.c:
-DECLARE(uch, window, 2L*WSIZE);
+DECLARE(uch, window, 2L*WSIZE + 4096);
Considering it was relative to 1.3.3, which is from over 15 years ago,
I suggest you discard it, too.
I'm marking this ticket as "done", but feel free to reply: any replies
still go to the list and the bug database.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Thu, 08 Feb 2018 12:24:04 GMT)
Full text and
rfc822 format available.
This bug report was last modified 7 years and 136 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.