Articles / Debian: New gzip packages f…

Debian: New gzip packages fix arbitrary code execution

Several vulnerabilities have been found in gzip, the GNU compression utilities. Thiemo Nagel discovered a missing input sanitation flaw in the way gzip used to decompress data blocks for dynamic Huffman codes, which could lead to the execution of arbitrary code when trying to decompress a crafted archive. Aki Helin discovered an integer underflow when decompressing files that are compressed using the LZW algorithm. This could lead to the execution of arbitrary code when trying to decompress a crafted LZW compressed gzip archive. Updated packages are available from security.debian.org.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1974-1                  security@debian.org
http://www.debian.org/security/                      Steffen Joeris
January 20, 2010                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : gzip
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE Ids        : CVE-2009-2624 CVE-2010-0001
Debian Bug     : 507263

Several vulnerabilities have been found in gzip, the GNU compression
utilities. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2009-2624

Thiemo Nagel discovered a missing input sanitation flaw in the way gzip
used to decompress data blocks for dynamic Huffman codes, which could
lead to the execution of arbitrary code when trying to decompress a
crafted archive. This issue is a reappearance of CVE-2006-4334 and only
affects the lenny version.

CVE-2010-0001

Aki Helin discovered an integer underflow when decompressing files that
are compressed using the LZW algorithm. This could lead to the execution
of arbitrary code when trying to decompress a crafted LZW compressed
gzip archive.


For the stable distribution (lenny), these problems have been fixed in
version 1.3.12-6+lenny1.

For the oldstable distribution (etch), these problems have been fixed in
version 1.3.5-15+etch1.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems will be fixed soon.


We recommend that you upgrade your gzip packages.


Upgrade instructions
- --------------------

wget url
       will fetch the file for you
dpkg -i file.deb
       will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
       will update the internal database
apt-get upgrade
       will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1.dsc
   Size/MD5 checksum:      573 4a4c81d72ed695f7e0b710fa7da00201
 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1.diff.gz
   Size/MD5 checksum:    62547 34c6cab73195a3b9e2b187636cf69dc2
 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5.orig.tar.gz
   Size/MD5 checksum:   331550 3d6c191dfd2bf307014b421c12dc8469

alpha architecture (DEC Alpha)

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_alpha.deb
   Size/MD5 checksum:    84202 2677656b86d648a05b54ba0c03028eb1

amd64 architecture (AMD x86_64 (AMD64))

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_amd64.deb
   Size/MD5 checksum:    76988 86e571b7bf22e4924c5d7f82306ab064

arm architecture (ARM)

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_arm.deb
   Size/MD5 checksum:    79428 7e71e302f090a62f52b7f6f5d35b627b

hppa architecture (HP PA RISC)

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_hppa.deb
   Size/MD5 checksum:    81616 02d1712f3f62de9f05810cd3a1660d77

i386 architecture (Intel ia32)

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_i386.deb
   Size/MD5 checksum:    74324 ac441b57b7423d65985acaef2e40df9f

ia64 architecture (Intel ia64)

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_ia64.deb
   Size/MD5 checksum:    96216 89b544a5f93d7607e1608d7856fa70e8

mipsel architecture (MIPS (Little Endian))

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_mipsel.deb
   Size/MD5 checksum:    82266 ff332d05f508dad0d3067dd713bee839

powerpc architecture (PowerPC)

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_powerpc.deb
   Size/MD5 checksum:    79722 1e117918ab793443c9da0af6f137e7a7

s390 architecture (IBM S/390)

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_s390.deb
   Size/MD5 checksum:    80602 4c5accebc99f8b263cef9500a94ae2ca

sparc architecture (Sun SPARC/UltraSPARC)

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_sparc.deb
   Size/MD5 checksum:    77262 f440c798c3fe592896286047b643116d


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1.diff.gz
   Size/MD5 checksum:    14580 7dac4e2e855b89ec335605722da16bd0
 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12.orig.tar.gz
   Size/MD5 checksum:   462169 b5bac2d21840ae077e0217bc5e4845b1
 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1.dsc
   Size/MD5 checksum:     1024 40c1d638034b3c9be692af4057a9499c

Architecture independent packages:

 http://security.debian.org/pool/updates/main/g/gzip/gzip-win32_1.3.12-6+lenny1_all.deb
   Size/MD5 checksum:    68438 858f1373aa128793538f5e5f6e283e24

alpha architecture (DEC Alpha)

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_alpha.deb
   Size/MD5 checksum:   112736 2afbb523626d0793acf7e1cb4be21938

amd64 architecture (AMD x86_64 (AMD64))

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_amd64.deb
   Size/MD5 checksum:   106024 68119c7d80f94457b2f241cb90bd3aee

arm architecture (ARM)

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_arm.deb
   Size/MD5 checksum:   108462 b8daebe8a54750428f6028612297e76b

armel architecture (ARM EABI)

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_armel.deb
   Size/MD5 checksum:   106906 14e79925acc936699aaa8ccee0b6d04d

hppa architecture (HP PA RISC)

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_hppa.deb
   Size/MD5 checksum:   111448 7e94ea327492912e21b360e45ab324d5

i386 architecture (Intel ia32)

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_i386.deb
   Size/MD5 checksum:   102866 4cef436339090cd800efb7e6bb92b14b

ia64 architecture (Intel ia64)

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_ia64.deb
   Size/MD5 checksum:   123250 c38a5a05f04fa731340c254028d240c3

mipsel architecture (MIPS (Little Endian))

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_mipsel.deb
   Size/MD5 checksum:   109266 5e17c751ddc3a65085f005dddcf6426c

powerpc architecture (PowerPC)

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_powerpc.deb
   Size/MD5 checksum:   109502 3ae2e1dfc3b13d0ed4574103aca3904d

s390 architecture (IBM S/390)

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_s390.deb
   Size/MD5 checksum:   108896 e7b03509583f7cbed875359a2595a3a0

sparc architecture (Sun SPARC/UltraSPARC)

 http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_sparc.deb
   Size/MD5 checksum:   106462 f166981469f7fd047ceabe5f26832638


 These files will probably be moved into the stable distribution on
 its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktXD9UACgkQ62zWxYk/rQfK4gCfdsWVkE9gjfjgkFDr7zrEPbo3
t40An1bK+hGYG7WbE0bi2D4kGJYgI/rD
=LSoS
-----END PGP SIGNATURE-----
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.