On Wednesday 20 January 2010 11:01:31 Jim Meyering wrote:
> Here's the patch for CVE-2010-0001,
> along with a test to exercise the offending code.
>
> I expect to release gzip-1.4 within the next few hours.
>
> From a3db5806d012082b9e25cc36d09f19cd736a468f Mon Sep 17 00:00:00 2001
> From: Jim Meyering <meyer...@redhat.com>
> Date: Sun, 10 Jan 2010 17:13:01 +0100
> Subject: [PATCH 1/2] gzip -d: do not clobber stack for valid input on
> x86_64
>
> * unlzw.c (unlzw): Avoid integer overflow.
> Aki Helin reported the segfault along with an input to trigger the bug.

this code applies unchanged (not surprisingly) to the original lzw implementation. but the redhat bug report says that the issue doesn't apply to the original ncompress (4.2.4) implementation? not sure if you want to just keep the inner details off of public lists ...
-mike