Debian: DSA-1974-1: New gzip packages fix arbitrary code execution

    Date20 Jan 2010
    CategoryDebian
    35
    Posted ByLinuxSecurity Advisories
    Several vulnerabilities have been found in gzip, the GNU compression utilities. The Common Vulnerabilities and Exposures project identifies the following problems:
    
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1974-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                      Steffen Joeris
    January 20, 2010                      http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : gzip
    Vulnerability  : several
    Problem type   : local (remote)
    Debian-specific: no
    CVE Ids        : CVE-2009-2624 CVE-2010-0001
    Debian Bug     : 507263
    
    Several vulnerabilities have been found in gzip, the GNU compression
    utilities. The Common Vulnerabilities and Exposures project identifies
    the following problems:
    
    CVE-2009-2624
    
    Thiemo Nagel discovered a missing input sanitation flaw in the way gzip
    used to decompress data blocks for dynamic Huffman codes, which could
    lead to the execution of arbitrary code when trying to decompress a
    crafted archive. This issue is a reappearance of CVE-2006-4334 and only
    affects the lenny version.
    
    CVE-2010-0001
    
    Aki Helin discovered an integer underflow when decompressing files that
    are compressed using the LZW algorithm. This could lead to the execution
    of arbitrary code when trying to decompress a crafted LZW compressed
    gzip archive.
    
    
    For the stable distribution (lenny), these problems have been fixed in
    version 1.3.12-6+lenny1.
    
    For the oldstable distribution (etch), these problems have been fixed in
    version 1.3.5-15+etch1.
    
    For the testing distribution (squeeze) and the unstable distribution
    (sid), these problems will be fixed soon.
    
    
    We recommend that you upgrade your gzip packages.
    
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Debian (oldstable)
    - ------------------
    
    Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1.dsc
        Size/MD5 checksum:      573 4a4c81d72ed695f7e0b710fa7da00201
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1.diff.gz
        Size/MD5 checksum:    62547 34c6cab73195a3b9e2b187636cf69dc2
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5.orig.tar.gz
        Size/MD5 checksum:   331550 3d6c191dfd2bf307014b421c12dc8469
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_alpha.deb
        Size/MD5 checksum:    84202 2677656b86d648a05b54ba0c03028eb1
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_amd64.deb
        Size/MD5 checksum:    76988 86e571b7bf22e4924c5d7f82306ab064
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_arm.deb
        Size/MD5 checksum:    79428 7e71e302f090a62f52b7f6f5d35b627b
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_hppa.deb
        Size/MD5 checksum:    81616 02d1712f3f62de9f05810cd3a1660d77
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_i386.deb
        Size/MD5 checksum:    74324 ac441b57b7423d65985acaef2e40df9f
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_ia64.deb
        Size/MD5 checksum:    96216 89b544a5f93d7607e1608d7856fa70e8
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_mipsel.deb
        Size/MD5 checksum:    82266 ff332d05f508dad0d3067dd713bee839
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_powerpc.deb
        Size/MD5 checksum:    79722 1e117918ab793443c9da0af6f137e7a7
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_s390.deb
        Size/MD5 checksum:    80602 4c5accebc99f8b263cef9500a94ae2ca
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_sparc.deb
        Size/MD5 checksum:    77262 f440c798c3fe592896286047b643116d
    
    
    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------
    
    Debian (stable)
    - ---------------
    
    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1.diff.gz
        Size/MD5 checksum:    14580 7dac4e2e855b89ec335605722da16bd0
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12.orig.tar.gz
        Size/MD5 checksum:   462169 b5bac2d21840ae077e0217bc5e4845b1
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1.dsc
        Size/MD5 checksum:     1024 40c1d638034b3c9be692af4057a9499c
    
    Architecture independent packages:
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip-win32_1.3.12-6+lenny1_all.deb
        Size/MD5 checksum:    68438 858f1373aa128793538f5e5f6e283e24
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_alpha.deb
        Size/MD5 checksum:   112736 2afbb523626d0793acf7e1cb4be21938
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_amd64.deb
        Size/MD5 checksum:   106024 68119c7d80f94457b2f241cb90bd3aee
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_arm.deb
        Size/MD5 checksum:   108462 b8daebe8a54750428f6028612297e76b
    
    armel architecture (ARM EABI)
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_armel.deb
        Size/MD5 checksum:   106906 14e79925acc936699aaa8ccee0b6d04d
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_hppa.deb
        Size/MD5 checksum:   111448 7e94ea327492912e21b360e45ab324d5
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_i386.deb
        Size/MD5 checksum:   102866 4cef436339090cd800efb7e6bb92b14b
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_ia64.deb
        Size/MD5 checksum:   123250 c38a5a05f04fa731340c254028d240c3
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_mipsel.deb
        Size/MD5 checksum:   109266 5e17c751ddc3a65085f005dddcf6426c
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_powerpc.deb
        Size/MD5 checksum:   109502 3ae2e1dfc3b13d0ed4574103aca3904d
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_s390.deb
        Size/MD5 checksum:   108896 e7b03509583f7cbed875359a2595a3a0
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_sparc.deb
        Size/MD5 checksum:   106462 f166981469f7fd047ceabe5f26832638
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and http://packages.debian.org/
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"8","type":"x","order":"1","pct":57.14,"resources":[]},{"id":"88","title":"Should be more technical","votes":"3","type":"x","order":"2","pct":21.43,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"3","type":"x","order":"3","pct":21.43,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.