Bug 211760
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2006-4334 Multiple vulnerabilities in gzip (CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338) | | |
| Product | [Retired] Fedora Legacy | Reporter | ali <alilomo> |
| Component | gzip | Assignee | Fedora Legacy Bugs <bugs> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | high | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | dcantrell, deisenst, mattdm |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | LEGACY, 3, 4 | | |
| Fixed In Version | FLSA-2006-211760 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2006-11-13 08:09:48 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | 140341: Output of rpm-build-compare.sh | | |
Description

ali, 2006-10-22 05:44:28 UTC

Thanks a bunch, ali, for noticing this issue and adding this bug. I don't believe anybody has done any work on the gzip issue, so if you would backport for FC3 and FC4, it would be most welcome! :) Thanks again!

There is ftp://ftp.harddata.com/pub/Legacy_srpms/gzip-1.3.5-6.1.mj.src.rpm which works as a replacement at least for FC4. It is practically the same as what showed up later as an update for FC5. As for the quoted comment "I don't see any gzip-1.3.5-8.fc5", this version was released on October 16. It does not differ from gzip-1.3.5-7.1.fc5, save for version markings, so presumably this was done to make tracking easier between FC5 and FC6. There are really no essential differences between the various gzip versions in use.

I've put up a SRPM and the patches I used to take gzip-1.3.5-6 to gzip-1.3.5-9 (the current version from HEAD) at http://www.cs.uwm.edu/~lomonaco/gzip. The version bumps in the changelog seem to be from rebuilds and the addition of the CVE patches, at least from FC4. FC3 seems to have shipped with 1.3.3. I don't have access to any FC3 systems, though I'm sure the above-mentioned SRPM will build on FC3. Not sure about the policy on bumping versions on security fixes; it seems to be the easiest route though. Not sure what the next step is...

Hi Ali, and Michal, I apologize for not responding to your hard work before now. (I started a post here then lost it before I could hit the <SEND> button a couple of days ago. Argh!) I will take what you have (after a little bit of review), build it on the build server, and push it out to updates-testing. (Jesse Keating, Legacy Project lead, has recently given me the ability to push things.) Documentation on how packages have in the past been submitted for pushing to updates, Ali, can be found here, though it appears the Legacy project may be in the process of making some changes to that process: <http://fedoraproject.org/wiki/Legacy/QATesting> under "Submitting Packages."

The community has been talking about removing the "QA Publish" step, and just accepting what folks propose as updated .src.rpm packages to be pushed to updates-testing. Because of this, and because of an IRC conversation I had with Jesse Keating about it a day or two ago, I guess we will go ahead and skip this step, though I personally will take a moment to look at what you've submitted before adding it to Legacy's CVS and pushing it to updates-testing. In this way, Fedora Legacy will reduce the QA burden down to the level done by the Fedora Core project, hopefully making it less cumbersome for contributors like you to contribute. Thank you both for your contributions and enthusiasm! We really need it! :)

Ali - looked over the .src.rpm you submitted and it was good. Only made a couple of changes to the spec file. One of the changes was to change the Name-Version-Release from 'gzip-1.3.5-9' to 'gzip-1.3.5-6.1.0.legacy' so that:

1) there would be no upgrade versioning problems when a FC4 user upgrades to FC5 ... that is, the versioning of gzip is
- gzip-1.3.5-6 for FC4 (currently),
- gzip-1.3.5-6.2.1 for FC5 gold, and
- gzip-1.3.5-8 for FC5 (version that fixes these security bugs).
Were FC4 users to install a 'gzip-1.3.5-9' package, then they would not be able to properly upgrade that package if they attempted to upgrade to FC5.

2) the package would be recognizable by its name as a Fedora Legacy package, rather than a package created by the Fedora Core developers/maintainers.

One other change was to add your name (and email) to the changelog so that you would get proper attribution for your work and so folks would know who to contact if they had questions. I added my name also, but goofed in adding my email; but the powers-that-be said it was probably okay -- this time. ("Just don't let it happen again!" said they. hehe)

Attached is the output of the 'rpm-build-compare.sh' script on your package and my package to see the differences. The current .src.rpm can be found here: <http://turbosphere.fedoralegacy.org/build-results/fedora-4-core/gzip/1.3.5-6.1.0.legacy/SRPM/gzip-1.3.5-6.1.0.legacy.src.rpm>. It is signed by my legacy package signature key, and it has a sha1sum of 7ffd0ffa4b96e24511fc7c413b9a14fb9e18a69e gzip-1.3.5-6.1.0.legacy.src.rpm. There are also i386 and x86_64 binary rpms in that directory tree, though all these will be pushed (hopefully tonight) to updates-testing. Am planning on getting the packages for FC3 ready also, and pushing them to updates-testing at the same time. Thanks again for your work, Ali! :)

Created attachment 140341 [details]: Output of rpm-build-compare.sh. Here is the output of the rpm-build-compare.sh script on the gzip-1.3.5-9.src.rpm by Ali and the update gzip-1.3.5-6.1.0.legacy.src.rpm. Oh, and if you're interested, the rpm-build-compare.sh script itself that I was using can be found here: <http://fedoralegacy.org/contrib/rpm-build-compare/rpm-build-compare.sh>. -David

FC-3 and FC-4 packages pushed to updates-testing. Please test and report your findings here. Thanks!

++VERIFY for FC3 X86_64. Downloaded packages: 602ad6828a3388063db0c45f13c256d92b12cc51 gzip.x86_64 0:1.3.3-16.1.fc3.legacy. Package installed fine on a single machine. Tested functionality on two tar files (list contents, untar, create tar, compare results of tarring old and new archives, etc.). All functionality tested worked as expected. Vote for release for FC3 X86_64. ++VERIFY

Thank you, Eric! :-) Timeout reduced to 1 week. Matthew Miller - do you feel that, since FC3's gzip has been VERIFIED, we should go ahead and push it to updates so it won't have to wait for FC4 to be voted on? Jesse - any opinions? Ali?

Hi David, I'll save you the trouble and verify for FC4 :) Verify for FC4 package from updates-testing: 1cf4530543c8f7da0d331f11388bb7517fa013e4 gzip-1.3.5-6.1.0.legacy.i386.rpm. Signature OK. Installs OK. gzip and gunzip work as expected on a few test files. FC4 VERIFY++

Thank you, Jeff. These have been verified enough, so should be eligible for release to updates! :-)

gzip packages pushed for FC3 and FC4, FLSA-2006-211760 http://www.redhat.com/archives/fedora-legacy-announce/2006-November/msg00000.html
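The upgrade-path reasoning in the thread (why a release of '6.1.0.legacy' sits between FC4's '6' and FC5's '6.2.1' and '8', while a '9' release would block the FC5 upgrade) can be checked with a small reimplementation of RPM's version comparison. This is an added example, not code from the bug report or from Fedora Legacy; it mirrors rpmvercmp's segment rules (numeric beats alphabetic, leading zeros ignored, more digits wins, extra trailing segments win) and deliberately omits the newer '~' and '^' handling.

```python
import re

# Split a version/release string into numeric and alphabetic segments;
# separators such as '.' and '_' are dropped, as rpmvercmp does.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two version/release strings the way
    rpm's rpmvercmp() does (simplified: no '~' or '^' handling)."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:
            # Numeric segments always sort after alphabetic ones,
            # so '6.1.0.legacy' < '6.1.0.1'.
            return 1 if xnum else -1
        if xnum:
            x, y = x.lstrip("0") or "0", y.lstrip("0") or "0"
            if len(x) != len(y):              # more digits means a larger number
                return 1 if len(x) > len(y) else -1
        if x != y:                            # same type and length: string order
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1     # leftover trailing segments win


def parse_evr(evr: str):
    """Split '[epoch:]version[-release]' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, sep, release = evr.rpartition("-")
    if not sep:                               # no release part present
        version, release = release, ""
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def upgrades_cleanly(releases) -> bool:
    """True if each step in a list of release strings is a strict upgrade."""
    return all(rpmvercmp(x, y) < 0 for x, y in zip(releases, releases[1:]))
```

Feeding the release chain from the thread, `upgrades_cleanly(["6", "6.1.0.legacy", "6.2.1", "8"])` is True, while substituting "9" for the Legacy release makes the step to "6.2.1" a downgrade.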