From: Stig-Ørjan Smelror
Date: Tue, 09 Jan 2018 07:01:36 +0000
Subject: Mageia patching gzip with old CVE's
To: bug-gzip@gnu.org

Hi everyone.

I'm a packager padawan with Mageia and started working on packaging gzip-1.9 yesterday.

When looking through the list of patches for gzip, I noticed quite a few CVE's lingering there and then looking through the code it "seemed to me" that these CVE's are not included.

Then I thought, perhaps they've managed to fix these in other ways, but since I'm no programmer and not really sure, I wanted to ask you.

Can you please take a look at the patches Mageia uses and let me know if they are necessary or needs to be rebased for gzip-1.9?
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/

Thanks in advance.

Cheers,
Stig-Ørjan Smelror

From: Jim Meyering
Date: Wed, 10 Jan 2018 21:17:05 -0800
Subject: Re: bug#30040: Mageia patching gzip with old CVE's
To: Stig-Ørjan Smelror
Cc: 30040-done@debbugs.gnu.org

On Mon, Jan 8, 2018 at 11:01 PM, Stig-Ørjan Smelror wrote:
> Hi everyone.
>
> I'm a packager padawan with Mageia and started working on packaging
> gzip-1.9 yesterday.
>
> When looking through the list of patches for gzip, I noticed quite a few
> CVE's lingering there and then looking through the code it "seemed to me"
> that these CVE's are not included.
>
> Then I thought, perhaps they've managed to fix these in other ways, but
> since I'm no programmer and not really sure, I wanted to ask you.
>
> Can you please take a look at the patches Mageia uses and let me know if
> they are necessary or needs to be rebased for gzip-1.9?
> http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/

The CVE-2006-???? bugs were all fixed in upstream commit
03167e0cea52f915ea63566a76d76e68659542e8.
There is nothing of significance in the gzip-1.5-CVE-2009-2624-1.diff patch.
Thus, you may safely remove those .diff files.

Also, the zforce-related patch does this, which looks wrong:

- if gzip -lv < "$i" 2>/dev/null | grep '^defl' > /dev/null; then
+ if gzip -l < "$i" 2>/dev/null | grep '^compressed' > /dev/null; then

since that beginning-of-line-anchored regexp will never match gzip's -l output:

$ :|gzip|gzip -l
         compressed        uncompressed  ratio uncompressed_name
                 -1                  -1   0.0% stdout

I suggest you remove that patch, too.

Finally, gzip-1.3.3-window-size.patch does this to gzip.c:

-DECLARE(uch, window, 2L*WSIZE);
+DECLARE(uch, window, 2L*WSIZE + 4096);

Considering it was relative to 1.3.3, which is from over 15 years ago,
I suggest you discard it, too.

I'm marking this ticket as "done", but feel free to reply: any replies
still go to the list and the bug database.

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Thu, 08 Feb 2018 12:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
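
Review bot: In the zforce hunk, the `+` line greps for `'^compressed'`, a pattern anchored to the start of the line, while the sample `gzip -l` output in the reply has no line that begins with that word, so the `if` condition is never true and the branch it guards becomes dead code. The same line drops `-v`, and the plain `-l` listing shown has no row that starts with a method name for a test like `'^defl'` to match either. Suggest dropping the hunk and keeping the original `gzip -lv ... | grep '^defl'` test.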
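
Review bot: In the gzip.c hunk, `2L*WSIZE + 4096` pads the `window` declaration with a bare constant and no comment or named macro saying what the extra 4096 bytes are for, so a reader cannot tell whether the padding is still required or sufficient. If it is kept, define it as a named constant next to `WSIZE` with a comment tying it to the code path that needs it; if it is there to absorb a write past the end of `window`, a bounds check at the writer is a better fix than enlarging the buffer.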