touch-packages team mailing list archive
Message #36970
[Bug 1358762] Re: Included gzip 1.2.4 has several vulnerabilities
Never mind. I hacked MirBSD compress to omit the BSD compress method (so
it only does gzip), and replaced a few more things, and got a working
gzip/gunzip under BSD licence.
If there is any interest in the klibc side to include that, be my guest.
Sizes are nice, too (dynamically linked):
tglase@tglase:~/mbsd/src/usr.bin/compress $ size /usr/lib/klibc/bin/gzip obj/compress
   text    data     bss     dec     hex filename
  25828    3016  316552  345396   54534 /usr/lib/klibc/bin/gzip
  18802       0    4208   23010    59e2 obj/compress
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to klibc in Ubuntu.
https://bugs.launchpad.net/bugs/1358762
Title:
Included gzip 1.2.4 has several vulnerabilities
Status in “klibc” package in Ubuntu:
Confirmed
Bug description:
The included gzip version is quite old (version 1.2.4) and has several
security vulnerabilities.
Check
http://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe:/a:gnu:gzip:1.2.4
for example.
I explicitly checked for CVE-2001-1228, which was not fixed by a patch
in the klibc package, so I assume the other vulnerabilities are not
fixed either.
I think it would be a good idea to update the included gzip to a
current version.