Red Hat Bugzilla – Full Text Bug Listing
Summary: CVE-2006-4334 Multiple vulnerabilities in gzip (CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338)
Product: [Fedora] Fedora
Reporter: Heiko Adams <bugzilla>
Component: gzip
Assignee: Ivana Varekova <varekova>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Version: 5
CC: bressers, bugzilla, matsuu, redhat
Target Milestone: ---
Keywords: Reopened, Security
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2006-10-10 03:30:15 EDT
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 204676
Description Heiko Adams 2006-09-22 02:37:32 EDT
Description of problem:
Google Security Team has discovered multiple vulnerabilities in gzip 1.3.5. These vulnerabilities are recorded as CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338.

Version-Release number of selected component (if applicable):
1.3.5

Additional info:
These vulnerabilities are already fixed for Red Hat's commercial Linux distributions. Where is the updated package for Fedora Core?
Comment 1 Ivana Varekova 2006-09-22 11:51:36 EDT
fixed in gzip-1.3.5-8.
Comment 2 Michal Jaegermann 2006-09-26 15:34:57 EDT
> fixed in gzip-1.3.5-8

gzip-1.3.5-8 is from rawhide and this update indeed showed up there some time ago. But for FC5, gzip-1.3.5-7.1.fc5 has been sitting in "testing" for a number of days already and released packages do not seem to be forthcoming. See bug 204676 for a description of attacks.
Comment 3 Josh Bressers 2006-09-30 17:23:10 EDT
Ivana, it seems you forgot to push this one live, can you take care of it ASAP?
Comment 4 Ivana Varekova 2006-10-10 03:30:15 EDT
The update gzip-1.3.5-7.1.fc5 is pushed as final now.
Comment 5 Peter E. Popovich 2006-10-12 16:22:57 EDT
gzip 1.3.5-7.1 was pushed 2006-10-02
gzip 1.3.5-7 was pushed 2006-10-10

Note that the 10/02 version is later than the 10/10 version. Does 1.3.5-7.1 have the relevant fix? Or does someone need to release a 1.3.5-7.2?
Comment 6 MATSUU Takuto 2006-10-12 22:51:36 EDT
gzip-1.3.3 also has these vulnerabilities. FC3 is affected. See RHSA-2006-0667.
Comment 7 Kasper Dupont 2006-10-13 01:17:40 EDT
I noticed that 1.3.5-7.fc5 and 1.3.5-7.1.fc5 were made available for download in the opposite order of being built. So which one should I be using? Intuitively the extra .1 sounds like a higher version number. But lexicographically .1.fc5 is before .fc5, and neither has an epoch. Maybe I misunderstood the algorithm for comparing version numbers; is it documented anywhere?
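The ordering rule asked about in the comment above, as an added example that is not part of this bug thread: a Python port of RPM's rpmvercmp() segment comparison, applied to epoch, then version, then release, and run over the release strings from this bug. It assumes the 2006-era rule set (no tilde/caret handling from later rpm versions), which is enough to show that the ".1" release is the newer one.

```python
import re

# One alphanumeric segment at a time; separators such as '.', '-' and '_' are skipped.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings like librpm's rpmvercmp().

    Returns 1 if a is newer, -1 if b is newer, 0 if they compare equal.
    Numeric segments compare by value, alpha segments as plain strings, a
    numeric segment beats an alpha one, and when every shared segment is
    equal the string with more segments wins. Tilde/caret handling added in
    later rpm versions is omitted (assumed irrelevant for these 2006 EVRs).
    """
    if a == b:
        return 0
    segs_a, segs_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for sa, sb in zip(segs_a, segs_b):
        a_num, b_num = sa.isdigit(), sb.isdigit()
        if a_num != b_num:
            return 1 if a_num else -1          # numeric is always newer than alpha
        if a_num:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):             # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1        # strcmp on equal-length numbers or alpha
    if len(segs_a) == len(segs_b):
        return 0
    return 1 if len(segs_a) > len(segs_b) else -1


def parse_evr(evr: str) -> tuple:
    """Split 'epoch:version-release'; a missing epoch counts as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = release, ""
    return epoch, version, release


def evrcmp(x: str, y: str) -> int:
    """Order two EVRs the way rpm does: epoch first, then version, then release."""
    for p, q in zip(parse_evr(x), parse_evr(y)):
        rc = rpmvercmp(p, q)
        if rc:
            return rc
    return 0


if __name__ == "__main__":
    # Release strings from this bug: the '.1' release really is the newer one.
    for old, new in [("1.3.5-7.fc5", "1.3.5-7.1.fc5"), ("1.3.5-7.1.fc5", "1.3.5-8.fc5")]:
        print(f"{new} is newer than {old}: {evrcmp(new, old) == 1}")
```

Because the numeric segment "1" beats the alpha segment "fc", 7.1.fc5 sorts after 7.fc5 regardless of the order the packages were built or pushed.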
Comment 8 Ivana Varekova 2006-10-13 10:31:08 EDT
The problem with the update is fixed by 1.3.5-8.fc5.
Comment 9 Kasper Dupont 2006-10-14 20:03:11 EDT
I don't see any gzip-1.3.5-8.fc5.