[Namazu-users-en] About gzip vulnerability
NOKUBI Takatsugu
knok at daionet.gr.jp
Thu Sep 21 09:45:33 JST 2006
Information about multiple gzip vulnerabilities has been announced.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338
The above URLs report NULL pointer access, buffer overflow, and
infinite loop issues in gzip. In particular, the buffer overflow allows
stack modification, so there is a possibility of arbitrary program execution.
Currently, there is no official patch or new version of
gzip. However, the FreeBSD Project has released a patch to fix them.
http://security.freebsd.org/patches/SA-06:21/gzip.patch
http://security.FreeBSD.org/patches/SA-06:21/gzip.patch.asc (signature)
Also, many Linux distributors and many OS vendors have released fixed gzip
packages. So we, the Namazu Project, strongly recommend updating gzip
properly.
--
NOKUBI Takatsugu
E-mail: knok at daionet.gr.jp
knok at namazu.org / knok at debian.org