An integer underflow leading to array index error was found in the way gzip used to decompress files / archives, compressed with the Lempel–Ziv–Welch (LZW) compression algorithm. A remote attacker could provide a specially-crafted LZW compressed gzip archive, which once decompressed by a local, unsuspecting user would lead to gzip crash, or, potentially to arbitrary code execution with the privileges of the user running gzip. Upstream patch: --------------- http://git.savannah.gnu.org/cgit/gzip.git/commit/?id=a3db5806d012082b9e25cc36d09f19cd736a468f Acknowledgements: Red Hat would like to thank Aki Helin of the Oulu University Secure Programming Group for responsibly reporting this flaw.
This issue affects the versions of the gzip package, as shipped with Red Hat Enterprise Linux 3, 4, and 5. This issue affects the versions of the gzip package, as shipped with Fedora release of 11 and 12.
This issue does NOT affect the versions of ncompress and busybox packages, as shipped with Red Hat Enterprise Linux 3, 4, and 5. This issue does NOT affect the versions of ncompress and busybox packages, as shipped with Fedora release of 11 and 12.
This issue has been addressed in following products: Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2010:0061 https://rhn.redhat.com/errata/RHSA-2010-0061.html
gzip-1.3.12-14.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/gzip-1.3.12-14.fc12
gzip-1.3.12-10.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/gzip-1.3.12-10.fc11
gzip-1.3.12-14.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
gzip-1.3.12-10.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
ncompress contains similar code where similar fix would apply, the impact is different though. The difference between gzip and ncompress is in the types used for inbits (long in gzip, int in ncompress) and insize (unsigned in gzip, signed in ncompress). In ncompress, negative insize will cause inbits to be negative rather than large positive (unsigned insize + 64bit long insize), failing the while-loop condition (inbits > posbits) to not be satisfied.