MDVSA-2010:020

Package name

gzip

Date

2010-01-20

Advisory ID

MDVSA-2010:020

Affected versions

2009.0 x86_64 , MES5 i586 , 2010.0 x86_64 , 2010.0 i586 , 2009.1 i586 , 2009.0 i586 , 2008.0 x86_64 , 2008.0 i586 , 2009.1 x86_64 , MES5 x86_64

Problem description

Multiple vulnerabilities has been found and corrected in gzip:

A missing input sanitation flaw was found in the way gzip used to
decompress data blocks for dynamic Huffman codes. A remote attacker
could provide a specially-crafted gzip compressed data archive,
which once opened by a local, unsuspecting user would lead to denial
of service (gzip crash) or, potentially, to arbitrary code execution
with the privileges of the user running gzip (CVE-2009-2624).

An integer underflow leading to array index error was found in the
way gzip used to decompress files / archives, compressed with the
Lempel-Ziv-Welch (LZW) compression algorithm. A remote attacker could
provide a specially-crafted LZW compressed gzip archive, which once
decompressed by a local, unsuspecting user would lead to gzip crash,
or, potentially to arbitrary code execution with the privileges of
the user running gzip (CVE-2010-0001).

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

The updated packages have been patched to correct these issues.

Updated packages

2009.0 x86_64

 d69acf358db53d589413529f4a2e11ef  2009.0/x86_64/gzip-1.3.12-3.1mdv2009.0.x86_64.rpm 
 3b13642c05f503ac5eeb3b48e72a7248  2009.0/SRPMS/gzip-1.3.12-3.1mdv2009.0.src.rpm

MES5 i586

 2d6036ae10a136c5c41f392fb06b5e45  mes5/i586/gzip-1.3.12-3.1mdvmes5.i586.rpm 
 1feef136de6074266b2f555795bdd0d8  mes5/SRPMS/gzip-1.3.12-3.1mdvmes5.src.rpm

2010.0 x86_64

 e003e931a59003585d2600a1f8d375af  2010.0/x86_64/gzip-1.3.12-5.1mdv2010.0.x86_64.rpm 
 b99ae7c0775bb9211358510a82ae937a  2010.0/SRPMS/gzip-1.3.12-5.1mdv2010.0.src.rpm

2010.0 i586

 79785f802e7b2f20135620402df74049  2010.0/i586/gzip-1.3.12-5.1mdv2010.0.i586.rpm 
 b99ae7c0775bb9211358510a82ae937a  2010.0/SRPMS/gzip-1.3.12-5.1mdv2010.0.src.rpm

2009.1 i586

 118331d407ba6374babb123e42d27c6c  2009.1/i586/gzip-1.3.12-4.1mdv2009.1.i586.rpm 
 90296b7d943c1bab1059c672755c7a2c  2009.1/SRPMS/gzip-1.3.12-4.1mdv2009.1.src.rpm

2009.0 i586

 2316dabaf600d2c3f2a2becd7b625bd9  2009.0/i586/gzip-1.3.12-3.1mdv2009.0.i586.rpm 
 3b13642c05f503ac5eeb3b48e72a7248  2009.0/SRPMS/gzip-1.3.12-3.1mdv2009.0.src.rpm

2008.0 x86_64

 492ff118f07d7d4ea7519858fbb39634  2008.0/x86_64/gzip-1.3.12-1.1mdv2008.0.x86_64.rpm 
 44e7e075b21c4469af04c156b3143c83  2008.0/SRPMS/gzip-1.3.12-1.1mdv2008.0.src.rpm

2008.0 i586

 dabd4f2eee5fe024b8abff6f95283fde  2008.0/i586/gzip-1.3.12-1.1mdv2008.0.i586.rpm 
 44e7e075b21c4469af04c156b3143c83  2008.0/SRPMS/gzip-1.3.12-1.1mdv2008.0.src.rpm

2009.1 x86_64

 eb2c1700b911e636e337e79abe29492a  2009.1/x86_64/gzip-1.3.12-4.1mdv2009.1.x86_64.rpm 
 90296b7d943c1bab1059c672755c7a2c  2009.1/SRPMS/gzip-1.3.12-4.1mdv2009.1.src.rpm

MES5 x86_64

 48a5404ebcc58e4de6a134ea5ee62113  mes5/x86_64/gzip-1.3.12-3.1mdvmes5.x86_64.rpm 
 1feef136de6074266b2f555795bdd0d8  mes5/SRPMS/gzip-1.3.12-3.1mdvmes5.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0001
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2624