From owner-freebsd-security  Thu Jan 17  0:46:22 2002
Delivered-To: freebsd-security@freebsd.org
Received: from TYO201.gate.nec.co.jp (TYO201.gate.nec.co.jp [202.32.8.214])
	by hub.freebsd.org (Postfix) with ESMTP id 89CC437B400
	for <freebsd-security@FreeBSD.ORG>; Thu, 17 Jan 2002 00:46:12 -0800 (PST)
Received: from mailgate4.nec.co.jp ([10.7.69.193])
	by TYO201.gate.nec.co.jp (8.11.6/3.7W01080315) with ESMTP id g0H8jvf00313;
	Thu, 17 Jan 2002 17:45:57 +0900 (JST)
Received: from mailsv.nec.co.jp (mailgate51.nec.co.jp [10.7.69.196]) by mailgate4.nec.co.jp (8.11.6/3.7W-MAILGATE-NEC) with ESMTP
	id g0H8juC12578; Thu, 17 Jan 2002 17:45:56 +0900 (JST)
Received: from necspl.do.mms.mt.nec.co.jp (necspl.do.mms.mt.nec.co.jp [10.16.5.21]) by mailsv.nec.co.jp (8.11.6/3.7W-MAILSV-NEC) with ESMTP
	id g0H8jIK03187; Thu, 17 Jan 2002 17:45:54 +0900 (JST)
Received: from localhost (localhost [127.0.0.1])
	by  necspl.do.mms.mt.nec.co.jp (8.12.2/8.12.2) with ESMTP id g0H8jIXX011849;
	Thu, 17 Jan 2002 17:45:18 +0900 (JST)
Date: Thu, 17 Jan 2002 17:45:18 +0900 (JST)
Message-Id: <20020117.174518.102811786.y-koga@jp.FreeBSD.org>
To: freebsd-security@FreeBSD.ORG
Subject: gzip
From: Koga Youichirou <y-koga@jp.FreeBSD.org>
X-Mailer: Mew version 3.0.52 on Emacs 21.1 / Mule 5.0 (SAKAKI)
In-Reply-To: <20011011.160941.74753041.y-koga@jp.FreeBSD.org>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Debian announced gzip buffer overflow vuln:
http://www.debian.org/security/2002/dsa-100

Debian's patch:
http://security.debian.org/dists/stable/updates/main/source/gzip_1.2.4-33.1.diff.gz

And the official patch has been released:
http://www.gzip.org/gzip-1.2.4b.patch

I know that FreeBSD's gzip has already fixed this problem in 1997,
however Debian's patch includes other important fixes.

I think that FreeBSD's zdiff and znew are also vulnerable.

zdiff:
			F=`echo "$2" | sed 's|.*/||;s|[-.][zZtga]*||'`
                        gzip -cdfq "$2" > /tmp/"$F".$$

znew:
tmp=/tmp/zfoo.$$
echo hi > $tmp.1
echo hi > $tmp.2


too horrible ;)

-- Koga, Youichirou

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message