From knok at daionet.gr.jp  Thu Sep 21 09:45:33 2006
From: knok at daionet.gr.jp (NOKUBI Takatsugu)
Date: Thu Sep 21 09:45:35 2006
Subject: [Namazu-devel-en] About gzip vulnerability
Message-ID: <874pv2oxn6.wl%knok@daionet.gr.jp>

Multiple gzip vulnerability information was announced.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338

The above URLs reports about NULL pointer access, buffer overflow, and
infinity loop in gzip. Especially, buffer overflow allows stack
modification, so there is a possibility of any program execution.

Currently, there is no official patch or newest version of
gzip. However, The FreeBSD Project released the patch to fix them.

http://security.freebsd.org/patches/SA-06:21/gzip.patch
http://security.FreeBSD.org/patches/SA-06:21/gzip.patch.asc(sign)

Also, many Linux distibutor and many OS vendors released fixed gzip
package. So we, Namazu Project, strongly recommend updating gzip
properly.
-- 
NOKUBI Takatsugu
E-mail: knok@daionet.gr.jp
	knok@namazu.org / knok@debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://www.namazu.org/pipermail/namazu-devel-en/attachments/20060921/9a9e6962/attachment.pgp