Non-Official packages (was Re: Good morning from a newbie)

Tushar Teredesai tushar at linuxfromscratch.org
Tue Jan 14 21:27:58 PST 2003


Tushar Teredesai wrote:

> Not putting in a request, another non-official release that could be 
> considered: gzip-1.3.3. The latest version on alpha.gnu.org is 1.3.5, 
> but most distros are using 1.3.3.

From gzip.org:

    /gzip/ 1.2.4 may crash when an input file name is too long (over
    1020 characters). The buffer overflow may be exploited if /gzip/ is
    run by a server such as an ftp server. Some ftp servers allow
    compression and decompression on the fly and are thus vulnerable.
    See technical details here <http://www.securityfocus.com/bid/3712>.
    This patch <http://www.gzip.org/gzip-1.2.4b.patch> to gzip 1.2.4
    fixes the problem. The beta version 1.3.3
    <http://www.gzip.org/gzip-1.3.3.tar.gz> already includes a
    sufficient patch; use this version if you have to handle files
    larger than 2 GB. A new official version of /gzip/ will be released
    soon.

-- 
Tushar Teredesai
   http://www.linuxfromscratch.org/~tushar/
   http://www.geocities.com/tushar/

