Bug 207643

Summary: CVE-2006-4334 Multiple vulnerabilities in gzip (CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338)
Product: [Fedora] Fedora
Component: gzip
Version: 5
Status: CLOSED ERRATA
Severity: high
Priority: medium
Hardware: All
OS: Linux
Reporter: Heiko Adams <bugzilla>
Assignee: Ivana Varekova <varekova>
QA Contact: Ben Levenson <benl>
CC: bressers, bugzilla, matsuu, redhat
Keywords: Reopened, Security
Doc Type: Bug Fix
Last Closed: 2006-10-10 03:30:15 EDT
Bug Depends On: 204676

Description Heiko Adams 2006-09-22 02:37:32 EDT
Description of problem:
Google Security Team has discovered multiple vulnerabilities in gzip 1.3.5. These
vulnerabilities are recorded as CVE-2006-4334, CVE-2006-4335, CVE-2006-4336,
CVE-2006-4337, CVE-2006-4338.

Version-Release number of selected component (if applicable):
1.3.5  

Additional info:
These vulnerabilities are already fixed for Red Hat's commercial Linux
distributions. Where is the updated package for Fedora Core??
Comment 1 Ivana Varekova 2006-09-22 11:51:36 EDT
fixed in gzip-1.3.5-8.
Comment 2 Michal Jaegermann 2006-09-26 15:34:57 EDT
> fixed in gzip-1.3.5-8

gzip-1.3.5-8 is from rawhide and this update indeed showed up there
some time ago.  But for FC5 gzip-1.3.5-7.1.fc5 sits for a number
of days already in "testing" and released packages do not seem to be
forthcoming.  See bug 204676 for a description of attacks.
Comment 3 Josh Bressers 2006-09-30 17:23:10 EDT
Ivana, it seems you forgot to push this one live, can you take care of it ASAP?
Comment 4 Ivana Varekova 2006-10-10 03:30:15 EDT
The update gzip-1.3.5-7.1.fc5 is pushed as final now.
Comment 5 Peter E. Popovich 2006-10-12 16:22:57 EDT
gzip 1.3.5-7.1 was pushed 2006-10-02
gzip 1.3.5-7 was pushed 2006-10-10

Note that the 10/02 version is later than the 10/10 version.

Does 1.3.5-7.1 have the relevant fix?

Or does someone need to release a 1.3.5-7.2?
Comment 6 MATSUU Takuto 2006-10-12 22:51:36 EDT
gzip-1.3.3 also has these vulnerabilities. FC3 is affected. See RHSA-2006-0667.
Comment 7 Kasper Dupont 2006-10-13 01:17:40 EDT
I noticed that 1.3.5-7.fc5 and 1.3.5-7.1.fc5 were made available for download
in the opposite order of being built. So which one should I be using?
Intuitively the extra .1 sounds like a higher version number. But
lexicographically .1.fc5 is before .fc5, and neither has an epoch. Maybe I
misunderstood the algorithm for comparing version numbers, is it documented
anywhere?
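
Added example, not part of the original bug thread and not rpm's own code: a Python sketch of the segment rules used by rpm's rpmvercmp comparison, applied to the version-release strings named in this bug. The function names are chosen here for illustration, epochs are left out because neither package has one, and the `~` and `^` operators of newer rpm releases are not handled.

```python
import re
from functools import cmp_to_key

# A segment is a run of digits or a run of ASCII letters; any other
# character (".", "_", ...) only separates segments.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a is newer than b, -1 if it is older, 0 if equal."""
    segs_a, segs_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(segs_a, segs_b):
        if x.isdigit() != y.isdigit():
            # Mixed types: the numeric segment is always the newer one.
            return 1 if x.isdigit() else -1
        if x.isdigit():
            # Numeric: ignore leading zeros, then more digits means larger.
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            # Same-length numbers, or letters: plain string order decides.
            return 1 if x > y else -1
    # Every shared segment matched: whoever has segments left is newer.
    return (len(segs_a) > len(segs_b)) - (len(segs_a) < len(segs_b))

def compare_vr(a: str, b: str) -> int:
    """Compare two "version-release" strings that carry no epoch."""
    ver_a, rel_a = a.rsplit("-", 1)
    ver_b, rel_b = b.rsplit("-", 1)
    return rpmvercmp(ver_a, ver_b) or rpmvercmp(rel_a, rel_b)

def sort_builds(builds):
    """Return builds ordered oldest to newest."""
    return sorted(builds, key=cmp_to_key(compare_vr))

if __name__ == "__main__":
    # Version-release strings mentioned in this bug.
    builds = ["1.3.5-8.fc5", "1.3.5-7.1.fc5", "1.3.5-7.fc5"]
    print("rpm order:    ", sort_builds(builds))
    print("string order: ", sorted(builds))
```

Under these rules the release `7.1.fc5` sorts after `7.fc5`, because the numeric segment `1` is compared against the alphabetic segment `fc` and numeric segments win; plain string sorting gives the opposite order.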
Comment 8 Ivana Varekova 2006-10-13 10:31:08 EDT
The problem with the update is fixed by 1.3.5-8.fc5.
Comment 9 Kasper Dupont 2006-10-14 20:03:11 EDT
I don't see any gzip-1.3.5-8.fc5