Non-Official packages (was Re: Good morning from a newbie)
tushar at linuxfromscratch.org
Tue Jan 14 21:27:58 PST 2003
Tushar Teredesai wrote:
> Not putting in a request, another non-official release that could be
> considered: gzip-1.3.3. The latest version on alpha.gnu.org is 1.3.5,
> but most distros are using 1.3.3.
/gzip/ 1.2.4 may crash when an input file name is too long (over
1020 characters). The buffer overflow may be exploited if /gzip/ is
run by a server such as an ftp server. Some ftp servers allow
compression and decompression on the fly and are thus vulnerable.
See technical details here <http://www.securityfocus.com/bid/3712>.
This patch <http://www.gzip.org/gzip-1.2.4b.patch> to gzip 1.2.4
fixes the problem. The beta version 1.3.3
<http://www.gzip.org/gzip-1.3.3.tar.gz> already includes a
sufficient patch; use this version if you have to handle files
larger than 2 GB. A new official version of /gzip/ will be released
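
The length check implied by the 1020-character limit quoted above, as an added example: it is not from the original post and is not gzip's actual patch. The 1024-byte buffer, the `.gz` suffix reservation and the function names are assumptions chosen to be consistent with that limit.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes: a 1024-byte name buffer that must also hold a
 * 3-byte suffix and the NUL, leaving 1020 bytes for the name. */
#define NAME_BUF_LEN 1024
#define SUFFIX ".gz"
#define SUFFIX_LEN (sizeof(SUFFIX) - 1)

/* Copy name into dst only if name + suffix + NUL fits in dst_len bytes.
 * Returns 0 on success; -1 with errno = ENAMETOOLONG and dst emptied. */
int set_input_name(char *dst, size_t dst_len, const char *name)
{
    size_t n = strlen(name);
    if (dst_len > 0)
        dst[0] = '\0';
    if (dst_len <= SUFFIX_LEN || n >= dst_len - SUFFIX_LEN) {
        errno = ENAMETOOLONG;   /* reject instead of truncating or overflowing */
        return -1;
    }
    memcpy(dst, name, n + 1);
    return 0;
}

/* Append the suffix; re-checks the bound rather than trusting the caller. */
int add_suffix(char *dst, size_t dst_len)
{
    size_t n = strlen(dst);
    if (n + SUFFIX_LEN + 1 > dst_len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst + n, SUFFIX, SUFFIX_LEN + 1);
    return 0;
}

int main(void)
{
    static char name[NAME_BUF_LEN + 8];   /* constructed test names */
    char buf[NAME_BUF_LEN];
    for (size_t len = 1019; len <= 1022; len++) {
        memset(name, 'a', len);
        name[len] = '\0';
        if (set_input_name(buf, sizeof buf, name) == 0 && add_suffix(buf, sizeof buf) == 0)
            printf("%zu chars: accepted, %zu bytes used\n", len, strlen(buf) + 1);
        else
            printf("%zu chars: rejected (%s)\n", len, strerror(errno));
    }
    return 0;
}
```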