lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <E1NXfkf-0008JV-7B@titan.mandriva.com>
Date: Wed, 20 Jan 2010 19:58:01 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:020 ] gzip


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:020
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : gzip
 Date    : January 20, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been found and corrected in gzip:
 
 A missing input sanitation flaw was found in the way gzip used to
 decompress data blocks for dynamic Huffman codes. A remote attacker
 could provide a specially-crafted gzip compressed data archive,
 which once opened by a local, unsuspecting user would lead to denial
 of service (gzip crash) or, potentially, to arbitrary code execution
 with the privileges of the user running gzip (CVE-2009-2624).
 
 An integer underflow leading to array index error was found in the
 way gzip used to decompress files / archives, compressed with the
 Lempel-Ziv-Welch (LZW) compression algorithm. A remote attacker could
 provide a specially-crafted LZW compressed gzip archive, which once
 decompressed by a local, unsuspecting user would lead to gzip crash,
 or, potentially to arbitrary code execution with the privileges of
 the user running gzip (CVE-2010-0001).
 
 Packages for 2008.0 are provided for Corporate Desktop 2008.0
 customers.
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2624
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0001
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 dabd4f2eee5fe024b8abff6f95283fde  2008.0/i586/gzip-1.3.12-1.1mdv2008.0.i586.rpm 
 44e7e075b21c4469af04c156b3143c83  2008.0/SRPMS/gzip-1.3.12-1.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 492ff118f07d7d4ea7519858fbb39634  2008.0/x86_64/gzip-1.3.12-1.1mdv2008.0.x86_64.rpm 
 44e7e075b21c4469af04c156b3143c83  2008.0/SRPMS/gzip-1.3.12-1.1mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 2316dabaf600d2c3f2a2becd7b625bd9  2009.0/i586/gzip-1.3.12-3.1mdv2009.0.i586.rpm 
 3b13642c05f503ac5eeb3b48e72a7248  2009.0/SRPMS/gzip-1.3.12-3.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 d69acf358db53d589413529f4a2e11ef  2009.0/x86_64/gzip-1.3.12-3.1mdv2009.0.x86_64.rpm 
 3b13642c05f503ac5eeb3b48e72a7248  2009.0/SRPMS/gzip-1.3.12-3.1mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 118331d407ba6374babb123e42d27c6c  2009.1/i586/gzip-1.3.12-4.1mdv2009.1.i586.rpm 
 90296b7d943c1bab1059c672755c7a2c  2009.1/SRPMS/gzip-1.3.12-4.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 eb2c1700b911e636e337e79abe29492a  2009.1/x86_64/gzip-1.3.12-4.1mdv2009.1.x86_64.rpm 
 90296b7d943c1bab1059c672755c7a2c  2009.1/SRPMS/gzip-1.3.12-4.1mdv2009.1.src.rpm

 Mandriva Linux 2010.0:
 79785f802e7b2f20135620402df74049  2010.0/i586/gzip-1.3.12-5.1mdv2010.0.i586.rpm 
 b99ae7c0775bb9211358510a82ae937a  2010.0/SRPMS/gzip-1.3.12-5.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 e003e931a59003585d2600a1f8d375af  2010.0/x86_64/gzip-1.3.12-5.1mdv2010.0.x86_64.rpm 
 b99ae7c0775bb9211358510a82ae937a  2010.0/SRPMS/gzip-1.3.12-5.1mdv2010.0.src.rpm

 Mandriva Enterprise Server 5:
 2d6036ae10a136c5c41f392fb06b5e45  mes5/i586/gzip-1.3.12-3.1mdvmes5.i586.rpm 
 1feef136de6074266b2f555795bdd0d8  mes5/SRPMS/gzip-1.3.12-3.1mdvmes5.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 48a5404ebcc58e4de6a134ea5ee62113  mes5/x86_64/gzip-1.3.12-3.1mdvmes5.x86_64.rpm 
 1feef136de6074266b2f555795bdd0d8  mes5/SRPMS/gzip-1.3.12-3.1mdvmes5.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLVz7OmqjQ0CJFipgRAo++AJ0VcK+UFrVtJLCkyZSeYoh8ok8APQCePYJf
COmPsWilcFGzmoEh6TC/qEQ=
=tUU5
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ