Mandriva Linux Security Advisory 2010-020 - A missing input sanitation flaw was found in the way gzip used to decompress data blocks for dynamic Huffman codes. A remote attacker could provide a specially-crafted gzip compressed data archive, which once opened by a local, unsuspecting user would lead to denial of service (gzip crash) or, potentially, to arbitrary code execution with the privileges of the user running gzip. An integer underflow leading to array index error was found in the way gzip used to decompress files / archives, compressed with the Lempel-Ziv-Welch (LZW) compression algorithm. A remote attacker could provide a specially-crafted LZW compressed gzip archive, which once decompressed by a local, unsuspecting user would lead to gzip crash, or, potentially to arbitrary code execution with the privileges of the user running gzip. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct these issues.
7980610906396d3404f249abea3a118e88d040bb5af629574f6c48ec40499772
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:020
http://www.mandriva.com/security/
_______________________________________________________________________
Package : gzip
Date : January 20, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been found and corrected in gzip:
A missing input sanitation flaw was found in the way gzip used to
decompress data blocks for dynamic Huffman codes. A remote attacker
could provide a specially-crafted gzip compressed data archive,
which once opened by a local, unsuspecting user would lead to denial
of service (gzip crash) or, potentially, to arbitrary code execution
with the privileges of the user running gzip (CVE-2009-2624).
An integer underflow leading to array index error was found in the
way gzip used to decompress files / archives, compressed with the
Lempel-Ziv-Welch (LZW) compression algorithm. A remote attacker could
provide a specially-crafted LZW compressed gzip archive, which once
decompressed by a local, unsuspecting user would lead to gzip crash,
or, potentially to arbitrary code execution with the privileges of
the user running gzip (CVE-2010-0001).
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0001
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
dabd4f2eee5fe024b8abff6f95283fde 2008.0/i586/gzip-1.3.12-1.1mdv2008.0.i586.rpm
44e7e075b21c4469af04c156b3143c83 2008.0/SRPMS/gzip-1.3.12-1.1mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
492ff118f07d7d4ea7519858fbb39634 2008.0/x86_64/gzip-1.3.12-1.1mdv2008.0.x86_64.rpm
44e7e075b21c4469af04c156b3143c83 2008.0/SRPMS/gzip-1.3.12-1.1mdv2008.0.src.rpm
Mandriva Linux 2009.0:
2316dabaf600d2c3f2a2becd7b625bd9 2009.0/i586/gzip-1.3.12-3.1mdv2009.0.i586.rpm
3b13642c05f503ac5eeb3b48e72a7248 2009.0/SRPMS/gzip-1.3.12-3.1mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
d69acf358db53d589413529f4a2e11ef 2009.0/x86_64/gzip-1.3.12-3.1mdv2009.0.x86_64.rpm
3b13642c05f503ac5eeb3b48e72a7248 2009.0/SRPMS/gzip-1.3.12-3.1mdv2009.0.src.rpm
Mandriva Linux 2009.1:
118331d407ba6374babb123e42d27c6c 2009.1/i586/gzip-1.3.12-4.1mdv2009.1.i586.rpm
90296b7d943c1bab1059c672755c7a2c 2009.1/SRPMS/gzip-1.3.12-4.1mdv2009.1.src.rpm
Mandriva Linux 2009.1/X86_64:
eb2c1700b911e636e337e79abe29492a 2009.1/x86_64/gzip-1.3.12-4.1mdv2009.1.x86_64.rpm
90296b7d943c1bab1059c672755c7a2c 2009.1/SRPMS/gzip-1.3.12-4.1mdv2009.1.src.rpm
Mandriva Linux 2010.0:
79785f802e7b2f20135620402df74049 2010.0/i586/gzip-1.3.12-5.1mdv2010.0.i586.rpm
b99ae7c0775bb9211358510a82ae937a 2010.0/SRPMS/gzip-1.3.12-5.1mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
e003e931a59003585d2600a1f8d375af 2010.0/x86_64/gzip-1.3.12-5.1mdv2010.0.x86_64.rpm
b99ae7c0775bb9211358510a82ae937a 2010.0/SRPMS/gzip-1.3.12-5.1mdv2010.0.src.rpm
Mandriva Enterprise Server 5:
2d6036ae10a136c5c41f392fb06b5e45 mes5/i586/gzip-1.3.12-3.1mdvmes5.i586.rpm
1feef136de6074266b2f555795bdd0d8 mes5/SRPMS/gzip-1.3.12-3.1mdvmes5.src.rpm
Mandriva Enterprise Server 5/X86_64:
48a5404ebcc58e4de6a134ea5ee62113 mes5/x86_64/gzip-1.3.12-3.1mdvmes5.x86_64.rpm
1feef136de6074266b2f555795bdd0d8 mes5/SRPMS/gzip-1.3.12-3.1mdvmes5.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFLVz7OmqjQ0CJFipgRAo++AJ0VcK+UFrVtJLCkyZSeYoh8ok8APQCePYJf
COmPsWilcFGzmoEh6TC/qEQ=
=tUU5
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed