GNU bug report logs - #30040
Mageia patching gzip with old CVE's

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Stig-Ørjan Smelror <smelror <at> gmail.com>
Subject: bug#30040: closed (Re: bug#30040: Mageia patching gzip with old
 CVE's)
Date: Thu, 11 Jan 2018 05:18:03 +0000

[Message part 1 (text/plain, inline)]

Your bug report

#30040: Mageia patching gzip with old CVE's

which was filed against the gzip package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 30040 <at> debbugs.gnu.org.

-- 
30040: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=30040
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Jim Meyering <jim <at> meyering.net>
To: Stig-Ørjan Smelror <smelror <at> gmail.com>
Cc: 30040-done <at> debbugs.gnu.org
Subject: Re: bug#30040: Mageia patching gzip with old CVE's
Date: Wed, 10 Jan 2018 21:17:05 -0800

On Mon, Jan 8, 2018 at 11:01 PM, Stig-Ørjan Smelror <smelror <at> gmail.com> wrote:
> Hi everyone.
>
> I'm a packager padawan with Mageia and started working on packaging
> gzip-1.9 yesterday.
>
> When looking through the list of patches for gzip, I noticed quite a few
> CVE's lingering there and then looking through the code it "seemed to me"
> that these CVE's are not included.
>
> Then I thought, perhaps they've managed to fix these in other ways, but
> since I'm no programmer and not really sure, I wanted to ask you.
>
> Can you please take a look at the patches Mageia uses and let me know if
> they are necessary or needs to be rebased for gzip-1.9?
> http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/

The CVE-2006-???? bugs were all fixed in upstream commit
03167e0cea52f915ea63566a76d76e68659542e8.
There is nothing of significance in the gzip-1.5-CVE-2009-2624-1.diff patch.
Thus, you may safely remove those .diff files.

Also, the zforce-related patch does this, which looks wrong:

- if gzip -lv < "$i" 2>/dev/null | grep '^defl' > /dev/null; then
+ if gzip -l < "$i" 2>/dev/null | grep '^compressed' > /dev/null; then

since that beginning-of-line-anchored regexp will never match gzip's -l output:

$ :|gzip|gzip -l
         compressed        uncompressed  ratio uncompressed_name
                 -1                  -1   0.0% stdout

I suggest you remove that patch, too.

Finally, gzip-1.3.3-window-size.patch does this to gzip.c:

-DECLARE(uch, window, 2L*WSIZE);
+DECLARE(uch, window, 2L*WSIZE + 4096);

Considering it was relative to 1.3.3, which is from over 15 years ago,
I suggest you discard it, too.

I'm marking this ticket as "done", but feel free to reply: any replies
still go to the list and the bug database.

[Message part 3 (message/rfc822, inline)]

From: Stig-Ørjan Smelror <smelror <at> gmail.com>
To: bug-gzip <at> gnu.org
Subject: Mageia patching gzip with old CVE's
Date: Tue, 09 Jan 2018 07:01:36 +0000

[Message part 4 (text/plain, inline)]

Hi everyone.

I'm a packager padawan with Mageia and started working on packaging
gzip-1.9 yesterday.

When looking through the list of patches for gzip, I noticed quite a few
CVE's lingering there and then looking through the code it "seemed to me"
that these CVE's are not included.

Then I thought, perhaps they've managed to fix these in other ways, but
since I'm no programmer and not really sure, I wanted to ask you.

Can you please take a look at the patches Mageia uses and let me know if
they are necessary or needs to be rebased for gzip-1.9?
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/

Thanks in advance.

Cheers,
Stig-Ørjan Smelror

[Message part 5 (text/html, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.