Hello,

While looking at the gzip package on Mageia, I noticed that it still includes some patches for CVEs from 2006 or 2009:

http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/gzip-1.3.5-cve-2006-4335.patch?revision=389214&view=markup
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/gzip-1.5-CVE-2009-2624-1.diff?revision=389214&view=markup
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/gzip-1.5-cve-2006-4337.patch?revision=389214&view=markup
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/gzip-1.5-cve-2006-4337_len.patch?revision=389214&view=markup
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/gzip-1.5-cve-2006-4338.patch?revision=389214&view=markup
http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/gzip-1.6-cve-2006-4336.patch?revision=450920&view=markup

I would expect those CVEs to be fixed in recent releases of gzip, so I'm thinking about dropping the patches. The package did not have a maintainer until recently, so it's possible the patches were just forgotten and nobody bothered to check if they are still needed when updating the package.

But before doing that, I checked the Fedora package and noticed that it includes patches for 3 of those CVEs:

http://pkgs.fedoraproject.org/cgit/gzip.git/tree/gzip-1.3.13-cve-2006-4337.patch
http://pkgs.fedoraproject.org/cgit/gzip.git/tree/gzip-1.3.5-cve-2006-4337_len.patch
http://pkgs.fedoraproject.org/cgit/gzip.git/tree/gzip-1.3.5-cve-2006-4338.patch

I also checked the packages on openSUSE, Debian, Gentoo and Arch Linux, and they don't include those patches.

Does anyone know if those patches are still needed, or can be safely dropped?

Thanks,
Nicolas
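One way to answer "is this distribution patch still needed?" mechanically, as an added example that is not part of the original post and not code from Mageia, Fedora or the gzip project: parse each hunk of the patch and check whether the post-image (the patched lines) or the pre-image (the unpatched lines) occurs verbatim in the upstream source. A hunk whose post-image is already present has been merged upstream; one whose pre-image is present still applies; one matching neither means upstream rewrote that code and a human has to look. The patch text and the three source snippets below are constructed stand-ins with made-up function names, not the real gzip CVE patches.

```python
"""Per-hunk check of whether a distro patch is already present upstream.
Added example; the patch and sources are constructed, not the gzip ones."""
import re

# Unified-diff hunk header: @@ -old_start[,old_len] +new_start[,new_len] @@
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def parse_hunks(patch_text):
    """Return [(pre_image_lines, post_image_lines), ...] for every hunk.

    Body lines are consumed by the counts in the hunk header, so a removed
    line that happens to start with '--' is never taken for a file header."""
    hunks, lines, i = [], patch_text.splitlines(), 0
    while i < len(lines):
        m = HUNK_RE.match(lines[i])
        i += 1
        if not m:
            continue                       # file headers / text between hunks
        old_left, new_left = int(m.group(2) or 1), int(m.group(4) or 1)
        pre, post = [], []
        while (old_left > 0 or new_left > 0) and i < len(lines):
            tag, body = lines[i][:1], lines[i][1:]
            i += 1
            if tag == "\\":                # "\ No newline at end of file"
                continue
            if tag == "+":
                post.append(body); new_left -= 1
            elif tag == "-":
                pre.append(body); old_left -= 1
            else:                          # ' ' context (or a bare empty line)
                pre.append(body); post.append(body)
                old_left -= 1; new_left -= 1
        hunks.append((pre, post))
    return hunks


def contains_block(haystack, needle):
    """True if the lines of `needle` occur consecutively in `haystack`."""
    n = len(needle)
    return any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))


def classify_patch(patch_text, source_text):
    """Per hunk: 'applied' (post-image already in source: fix merged upstream),
    'applies' (pre-image still there: patch still needed), or 'stale'
    (neither matches: upstream changed that code, review by hand)."""
    src = source_text.splitlines()
    verdicts = []
    for pre, post in parse_hunks(patch_text):
        if contains_block(src, post):
            verdicts.append("applied")
        elif contains_block(src, pre):
            verdicts.append("applies")
        else:
            verdicts.append("stale")
    return verdicts


# Constructed sample patch: adds a bounds check (hypothetical names, not gzip's).
SAMPLE_PATCH = """\
--- a/unpack.c
+++ b/unpack.c
@@ -10,4 +10,6 @@ static int read_tree(void)
     len = get_byte();
+    if (len > MAX_LEN)
+        gzip_error("invalid compressed data");
     for (n = 0; n < len; n++) {
         leaves[n] = get_byte();
     }
"""

# Constructed upstream variants: old code, code with the fix merged, and a rewrite.
UNPATCHED_SOURCE = """\
static int read_tree(void)
{
    int len, n;
    len = get_byte();
    for (n = 0; n < len; n++) {
        leaves[n] = get_byte();
    }
    return 0;
}
"""
FIXED_SOURCE = UNPATCHED_SOURCE.replace(
    "    len = get_byte();\n",
    "    len = get_byte();\n    if (len > MAX_LEN)\n"
    "        gzip_error(\"invalid compressed data\");\n")
REWRITTEN_SOURCE = """\
static int read_tree(void)
{
    int len = get_byte();
    if (len > MAX_LEN)
        gzip_error("invalid compressed data");
    read_bytes(leaves, len);
    return 0;
}
"""

if __name__ == "__main__":
    for name, src in (("unpatched", UNPATCHED_SOURCE), ("fixed", FIXED_SOURCE),
                      ("rewritten", REWRITTEN_SOURCE)):
        print(name, classify_patch(SAMPLE_PATCH, src))
```

For a whole patch file, `patch -p1 -R --dry-run < distro.patch` run in the upstream tree gives the same "already applied" signal (a clean reverse dry-run means every hunk's post-image is present); the per-hunk version above is useful when only part of a series was merged. Treat "applied" as a strong hint, not proof: it only says those exact lines exist. "stale" is the case that needs a human, since upstream may have fixed the same bug with different code, or not at all.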