[Technik] [SECURITY] [DSA 1181-1] New gzip packages fix
arbitrary code execution
Noèl Köthe
noel at debian.org
Wed Sep 20 09:48:33 CEST 2006
Am Dienstag, den 19.09.2006, 21:19 +0200 schrieb Moritz Muehlenhoff:
> Debian Security Advisory DSA 1181-1 security at debian.org
> http://www.debian.org/security/ Moritz Muehlenhoff
> September 19th, 2006 http://www.debian.org/security/faq
>
> Package : gzip
> Vulnerability : several
> Problem-Type : local(remote)
> Debian-specific: no
> CVE ID : CVE-2006-4334 CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 CVE-2006-4338
gzip auf pima, pomo, yuma, cusa, h01, h02, h03, cree, crow, wasco, cupa,
kiowa, karuk, kansa und acoma aktualisiert.
> For the stable distribution (sarge) these problems have been fixed in
> version 1.3.5-10sarge2.
changelog:
gzip (1.3.5-10sarge2) stable-security; urgency=high
* Non-maintainer upload by the Security Team:
* Fix several security problems discovered by Tavis Ormandy of Google:
- DoS through null pointer deference in the Huffman code (CVE-2006-4334)
- Out-of-bands stack write in LZH decompression code (CVE-2006-4335)
- Buffer overflow in pack code (CVE-2006-4336)
- Buffer overflow in LZH code (CVE-2006-4337)
- DoS through an infinite loop in LZH code (CVE-2006-4337)
(Patch by Thomas Biege of SuSe)
-- Moritz Muehlenhoff <jmm at debian.org> Sun, 10 Sep 2006 21:01:47 +0000
--
Noèl Köthe <noel debian.org>
Debian GNU/Linux, www.debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Dies ist ein digital signierter Nachrichtenteil
Url : /archiv/technik/attachments/20060920/1ec14638/attachment.pgp
More information about the Technik
mailing list