GNU bug report logs - #30040
Mageia patching gzip with old CVE's

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Jim Meyering <jim <at> meyering.net>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#30040: closed (Mageia patching gzip with old CVE's)
Date: Thu, 11 Jan 2018 05:18:02 +0000

[Message part 1 (text/plain, inline)]

Your message dated Wed, 10 Jan 2018 21:17:05 -0800
with message-id <CA+8g5KHieNmwW-wR5MBqHC6FxmT0-xAW_=RYh-j2nZgAHtwW1A <at> mail.gmail.com>
and subject line Re: bug#30040: Mageia patching gzip with old CVE's
has caused the debbugs.gnu.org bug report #30040,
regarding Mageia patching gzip with old CVE's
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
30040: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=30040
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Stig-Ørjan Smelror <smelror <at> gmail.com>
To: bug-gzip <at> gnu.org
Subject: Mageia patching gzip with old CVE's
Date: Tue, 09 Jan 2018 07:01:36 +0000

[Message part 3 (text/plain, inline)]

Hi everyone.

I'm a packager padawan with Mageia and started working on packaging
gzip-1.9 yesterday.

When looking through the list of patches for gzip, I noticed quite a few
CVE's lingering there and then looking through the code it "seemed to me"
that these CVE's are not included.

Then I thought, perhaps they've managed to fix these in other ways, but
since I'm no programmer and not really sure, I wanted to ask you.

Can you please take a look at the patches Mageia uses and let me know if
they are necessary or needs to be rebased for gzip-1.9?
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/

Thanks in advance.

Cheers,
Stig-Ørjan Smelror

[Message part 4 (text/html, inline)]

[Message part 5 (message/rfc822, inline)]

From: Jim Meyering <jim <at> meyering.net>
To: Stig-Ørjan Smelror <smelror <at> gmail.com>
Cc: 30040-done <at> debbugs.gnu.org
Subject: Re: bug#30040: Mageia patching gzip with old CVE's
Date: Wed, 10 Jan 2018 21:17:05 -0800

On Mon, Jan 8, 2018 at 11:01 PM, Stig-Ørjan Smelror <smelror <at> gmail.com> wrote:
> Hi everyone.
>
> I'm a packager padawan with Mageia and started working on packaging
> gzip-1.9 yesterday.
>
> When looking through the list of patches for gzip, I noticed quite a few
> CVE's lingering there and then looking through the code it "seemed to me"
> that these CVE's are not included.
>
> Then I thought, perhaps they've managed to fix these in other ways, but
> since I'm no programmer and not really sure, I wanted to ask you.
>
> Can you please take a look at the patches Mageia uses and let me know if
> they are necessary or needs to be rebased for gzip-1.9?
> http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/

The CVE-2006-???? bugs were all fixed in upstream commit
03167e0cea52f915ea63566a76d76e68659542e8.
There is nothing of significance in the gzip-1.5-CVE-2009-2624-1.diff patch.
Thus, you may safely remove those .diff files.

Also, the zforce-related patch does this, which looks wrong:

- if gzip -lv < "$i" 2>/dev/null | grep '^defl' > /dev/null; then
+ if gzip -l < "$i" 2>/dev/null | grep '^compressed' > /dev/null; then

since that beginning-of-line-anchored regexp will never match gzip's -l output:

$ :|gzip|gzip -l
         compressed        uncompressed  ratio uncompressed_name
                 -1                  -1   0.0% stdout

I suggest you remove that patch, too.

Finally, gzip-1.3.3-window-size.patch does this to gzip.c:

-DECLARE(uch, window, 2L*WSIZE);
+DECLARE(uch, window, 2L*WSIZE + 4096);

Considering it was relative to 1.3.3, which is from over 15 years ago,
I suggest you discard it, too.

I'm marking this ticket as "done", but feel free to reply: any replies
still go to the list and the bug database.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.