[Namazu-users-en] About gzip vulnerability

NOKUBI Takatsugu knok at daionet.gr.jp
Thu Sep 21 09:45:33 JST 2006


Information about multiple gzip vulnerabilities has been announced.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338

The above URLs report NULL pointer access, buffer overflow, and
infinite loop issues in gzip. In particular, the buffer overflow allows
stack modification, so there is a possibility of arbitrary program
execution.

Currently, there is no official patch or new version of
gzip. However, the FreeBSD Project has released a patch to fix them.

http://security.freebsd.org/patches/SA-06:21/gzip.patch
http://security.FreeBSD.org/patches/SA-06:21/gzip.patch.asc (signature)

Also, many Linux distributors and OS vendors have released fixed gzip
packages. So we, the Namazu Project, strongly recommend updating gzip
properly.
-- 
NOKUBI Takatsugu
E-mail: knok at daionet.gr.jp
	knok at namazu.org / knok at debian.org