touch-packages team mailing list archive
Message #36974
[Bug 1358762] Re: Included gzip 1.2.4 has several vulnerabilities
As I mentioned in IRC: I can probably easily shave another 2½K off .text
by removing stub support for multiple compressors and using the gzopen()
API already shipped by klibc.
Note that klibc bundles zlib 1.2.3 whereas even MirBSD has 1.2.8
already. That would also need updating. But at least, MirBSD compress
uses zlib for gzip I/O instead of bundling its own inflate/deflate
functions as GNU gzip does.
All of it is under 2-clause and 3-clause BSD and MIT licences.
** Also affects: klibc
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to klibc in Ubuntu.
https://bugs.launchpad.net/bugs/1358762
Title:
Included gzip 1.2.4 has several vulnerabilities
Status in klibc:
New
Status in “klibc” package in Ubuntu:
Confirmed
Bug description:
The included gzip version is quite old (version 1.2.4) and has several
security vulnerabilities.
Check http://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe:/a:gnu:gzip:1.2.4
for example.
I explicitly checked for CVE-2001-1228, which was not fixed by a patch
in the klibc package, so I assume the other vulnerabilities are not
fixed either.
I think it would be a good idea to update the included gzip to a
current version.
To manage notifications about this bug go to:
https://bugs.launchpad.net/klibc/+bug/1358762/+subscriptions
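The bug description names CVE-2001-1228 as the issue the reporter checked for. That CVE is the gzip 1.2.4 behaviour of honouring a directory prefix in the original file name stored in the archive header when the name is restored with -N, so a crafted member can make gunzip write outside the current directory. The following is an added illustration, not code from klibc, GNU gzip or anyone on this thread: it parses a gzip member header (RFC 1952) far enough to pull out the FNAME field, then applies the usual mitigation of keeping only the final path component and refusing names that would not create a plain file in the current directory. The two sample headers are constructed for this example, and the function names (gz_header_name, safe_restore_name, restore_name) are this example's own choices.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Header flag bits from RFC 1952. */
#define GZ_FHCRC    0x02
#define GZ_FEXTRA   0x04
#define GZ_FNAME    0x08
#define GZ_FCOMMENT 0x10

/* Constructed sample headers (no compressed payload follows; only the header
 * matters here). Not taken from any real archive. */

/* FLG = FNAME, stored name "../../etc/passwd" (the CVE-2001-1228 shape) */
static const unsigned char hdr_traversal[] = {
    0x1f, 0x8b, 0x08, 0x08,             /* ID1, ID2, CM = deflate, FLG = FNAME */
    0x00, 0x00, 0x00, 0x00,             /* MTIME = 0 */
    0x00, 0x03,                         /* XFL = 0, OS = Unix */
    '.', '.', '/', '.', '.', '/', 'e', 't', 'c', '/',
    'p', 'a', 's', 's', 'w', 'd', 0x00
};

/* FLG = FEXTRA | FNAME | FCOMMENT, stored name "hello.txt" */
static const unsigned char hdr_extra[] = {
    0x1f, 0x8b, 0x08, 0x1c,
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x03,
    0x02, 0x00, 'X', 'Y',               /* XLEN = 2, two bytes of extra data */
    'h', 'e', 'l', 'l', 'o', '.', 't', 'x', 't', 0x00,
    'c', 'o', 'm', 'm', 'e', 'n', 't', 0x00
};

/* Parse one gzip member header and copy its FNAME field (if any) into out.
 * Returns the header length in bytes on success (out is "" when the header
 * carries no name), or -1 if the header is malformed or truncated. */
long gz_header_name(const unsigned char *buf, size_t len, char *out, size_t outsz)
{
    size_t pos = 10;
    unsigned flags;

    if (outsz == 0) return -1;
    out[0] = '\0';
    if (len < 10 || buf[0] != 0x1f || buf[1] != 0x8b || buf[2] != 0x08)
        return -1;
    flags = buf[3];
    if (flags & 0xe0) return -1;                 /* reserved bits must be zero */

    if (flags & GZ_FEXTRA) {
        size_t xlen;
        if (pos + 2 > len) return -1;
        xlen = buf[pos] | ((size_t)buf[pos + 1] << 8);
        pos += 2;
        if (xlen > len - pos) return -1;
        pos += xlen;
    }
    if (flags & GZ_FNAME) {
        size_t start = pos, n;
        while (pos < len && buf[pos] != 0) pos++;
        if (pos >= len) return -1;               /* no terminating NUL */
        n = pos - start;
        if (n >= outsz) return -1;               /* caller's buffer too small */
        memcpy(out, buf + start, n);
        out[n] = '\0';
        pos++;
    }
    if (flags & GZ_FCOMMENT) {
        while (pos < len && buf[pos] != 0) pos++;
        if (pos >= len) return -1;
        pos++;
    }
    if (flags & GZ_FHCRC) {
        if (pos + 2 > len) return -1;
        pos += 2;
    }
    return (long)pos;
}

/* Reduce a stored name to something safe to create in the current directory:
 * keep only the final path component and refuse "", "." and "..".
 * Returns 1 with out filled, or 0 if the stored name must be ignored. */
int safe_restore_name(const char *stored, char *out, size_t outsz)
{
    const char *base = strrchr(stored, '/');
    base = base ? base + 1 : stored;
    if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return 0;
    if (strlen(base) >= outsz) return 0;
    strcpy(out, base);
    return 1;
}

/* Decide which local name a -N style restore may use for this member.
 * Returns 1 and fills out, 0 when no usable name is stored (caller falls
 * back to the .gz file name), or -1 on a bad header. */
int restore_name(const unsigned char *buf, size_t len, char *out, size_t outsz)
{
    char stored[256];
    long hlen = gz_header_name(buf, len, stored, sizeof stored);
    if (hlen < 0) return -1;
    if (stored[0] == '\0') return 0;
    return safe_restore_name(stored, out, outsz);
}

int main(void)
{
    char name[256];
    int r = restore_name(hdr_traversal, sizeof hdr_traversal, name, sizeof name);
    printf("traversal header -> %d %s\n", r, r == 1 ? name : "(ignored)");
    r = restore_name(hdr_extra, sizeof hdr_extra, name, sizeof name);
    printf("extra header     -> %d %s\n", r, r == 1 ? name : "(ignored)");
    return 0;
}
```

The first header yields "passwd" rather than "../../etc/passwd"; a truncated header (no NUL after the name) is rejected instead of being read past the buffer. The same stripping is what an updated gzip does when restoring names, which is the concrete behaviour to look for when checking whether the klibc copy is still affected.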