-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2010:020 http://www.mandriva.com/security/ _______________________________________________________________________ Package : gzip Date : January 20, 2010 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been found and corrected in gzip: A missing input sanitation flaw was found in the way gzip used to decompress data blocks for dynamic Huffman codes. A remote attacker could provide a specially-crafted gzip compressed data archive, which once opened by a local, unsuspecting user would lead to denial of service (gzip crash) or, potentially, to arbitrary code execution with the privileges of the user running gzip (CVE-2009-2624). An integer underflow leading to array index error was found in the way gzip used to decompress files / archives, compressed with the Lempel-Ziv-Welch (LZW) compression algorithm. A remote attacker could provide a specially-crafted LZW compressed gzip archive, which once decompressed by a local, unsuspecting user would lead to gzip crash, or, potentially to arbitrary code execution with the privileges of the user running gzip (CVE-2010-0001). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2624 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0001 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.0: dabd4f2eee5fe024b8abff6f95283fde 2008.0/i586/gzip-1.3.12-1.1mdv2008.0.i586.rpm 44e7e075b21c4469af04c156b3143c83 2008.0/SRPMS/gzip-1.3.12-1.1mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: 492ff118f07d7d4ea7519858fbb39634 2008.0/x86_64/gzip-1.3.12-1.1mdv2008.0.x86_64.rpm 44e7e075b21c4469af04c156b3143c83 2008.0/SRPMS/gzip-1.3.12-1.1mdv2008.0.src.rpm Mandriva Linux 2009.0: 2316dabaf600d2c3f2a2becd7b625bd9 2009.0/i586/gzip-1.3.12-3.1mdv2009.0.i586.rpm 3b13642c05f503ac5eeb3b48e72a7248 2009.0/SRPMS/gzip-1.3.12-3.1mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: d69acf358db53d589413529f4a2e11ef 2009.0/x86_64/gzip-1.3.12-3.1mdv2009.0.x86_64.rpm 3b13642c05f503ac5eeb3b48e72a7248 2009.0/SRPMS/gzip-1.3.12-3.1mdv2009.0.src.rpm Mandriva Linux 2009.1: 118331d407ba6374babb123e42d27c6c 2009.1/i586/gzip-1.3.12-4.1mdv2009.1.i586.rpm 90296b7d943c1bab1059c672755c7a2c 2009.1/SRPMS/gzip-1.3.12-4.1mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: eb2c1700b911e636e337e79abe29492a 2009.1/x86_64/gzip-1.3.12-4.1mdv2009.1.x86_64.rpm 90296b7d943c1bab1059c672755c7a2c 2009.1/SRPMS/gzip-1.3.12-4.1mdv2009.1.src.rpm Mandriva Linux 2010.0: 79785f802e7b2f20135620402df74049 2010.0/i586/gzip-1.3.12-5.1mdv2010.0.i586.rpm b99ae7c0775bb9211358510a82ae937a 2010.0/SRPMS/gzip-1.3.12-5.1mdv2010.0.src.rpm Mandriva Linux 2010.0/X86_64: e003e931a59003585d2600a1f8d375af 2010.0/x86_64/gzip-1.3.12-5.1mdv2010.0.x86_64.rpm b99ae7c0775bb9211358510a82ae937a 2010.0/SRPMS/gzip-1.3.12-5.1mdv2010.0.src.rpm Mandriva Enterprise Server 5: 2d6036ae10a136c5c41f392fb06b5e45 mes5/i586/gzip-1.3.12-3.1mdvmes5.i586.rpm 1feef136de6074266b2f555795bdd0d8 mes5/SRPMS/gzip-1.3.12-3.1mdvmes5.src.rpm Mandriva Enterprise Server 5/X86_64: 48a5404ebcc58e4de6a134ea5ee62113 mes5/x86_64/gzip-1.3.12-3.1mdvmes5.x86_64.rpm 1feef136de6074266b2f555795bdd0d8 mes5/SRPMS/gzip-1.3.12-3.1mdvmes5.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFLVz7OmqjQ0CJFipgRAo++AJ0VcK+UFrVtJLCkyZSeYoh8ok8APQCePYJf COmPsWilcFGzmoEh6TC/qEQ= =tUU5 -----END PGP SIGNATURE-----