On Mon, Jan 8, 2018 at 11:01 PM, Stig-Ørjan Smelror <smel...@gmail.com> wrote:
> Hi everyone.
>
> I'm a packager padawan with Mageia and started working on packaging
> gzip-1.9 yesterday.
>
> When looking through the list of patches for gzip, I noticed quite a few
> CVE's lingering there and then looking through the code it "seemed to me"
> that these CVE's are not included.
>
> Then I thought, perhaps they've managed to fix these in other ways, but
> since I'm no programmer and not really sure, I wanted to ask you.
>
> Can you please take a look at the patches Mageia uses and let me know if
> they are necessary or needs to be rebased for gzip-1.9?
> http://svnweb.mageia.org/packages/cauldron/gzip/current/SOURCES/
The CVE-2006-???? bugs were all fixed in upstream commit
03167e0cea52f915ea63566a76d76e68659542e8.
There is nothing of significance in the gzip-1.5-CVE-2009-2624-1.diff patch.
Thus, you may safely remove those .diff files.
Also, the zforce-related patch does this, which looks wrong:
- if gzip -lv < "$i" 2>/dev/null | grep '^defl' > /dev/null; then
+ if gzip -l < "$i" 2>/dev/null | grep '^compressed' > /dev/null; then
since that beginning-of-line-anchored regexp will never match gzip's -l output:
$ :|gzip|gzip -l
compressed uncompressed ratio uncompressed_name
-1 -1 0.0% stdout
I suggest you remove that patch, too.
Finally, gzip-1.3.3-window-size.patch does this to gzip.c:
-DECLARE(uch, window, 2L*WSIZE);
+DECLARE(uch, window, 2L*WSIZE + 4096);
Considering it was relative to 1.3.3, which is from over 15 years ago,
I suggest you discard it, too.
I'm marking this ticket as "done", but feel free to reply: any replies
still go to the list and the bug database.
