Non-Official packages (was Re: Good morning from a newbie)

Timothy Bauscher timothy at linuxfromscratch.org
Tue Jan 14 21:53:35 PST 2003


On Tue, Jan 14, 2003 at 11:27:58PM -0600, Tushar Teredesai wrote:
> From gzip.org:
> 
>    /gzip/ 1.2.4 may crash when an input file name is too long (over
>    1020 characters). The buffer overflow may be exploited if /gzip/ is
>    run by a server such as an ftp server. Some ftp servers allow
>    compression and decompression on the fly and are thus vulnerable.
>    See technical details here <http://www.securityfocus.com/bid/3712>.
>    This patch <http://www.gzip.org/gzip-1.2.4b.patch> to gzip 1.2.4
>    fixes the problem. The beta version 1.3.3
>    <http://www.gzip.org/gzip-1.3.3.tar.gz> already includes a
>    sufficient patch; use this version if you have to handle files
>    larger than 2 GB. A new official version of /gzip/ will be released
>    soon.

IIRC, the gzip patch in the book fixes some of the above
bugs.

-- 
timothy(at)linuxfromscratch.org

-*- "Share and Enjoy" || "Go stick your head in a pig" -*-
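
The failure mode in the quoted gzip.org notice (an over-long input file name overrunning a fixed buffer), shown as an added example that is not part of the original message and is not gzip's code or the referenced patch. The 1024-byte buffer, the ".gz" suffix handling and all function names are assumptions made for illustration; with those assumed sizes the longest name that fits is 1020 characters.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 1024   /* assumed buffer size, not taken from gzip's source */
#define Z_SUFFIX ".gz"  /* suffix appended to the input name */

/* Unsafe pattern (never called here): copy and append with no bound, so a
 * long enough name writes past the end of dst. */
void build_name_unchecked(char dst[NAME_BUF], const char *iname)
{
    strcpy(dst, iname);
    strcat(dst, Z_SUFFIX);
}

/* Checked form: returns 0 on success, -1 if name + suffix + NUL would not
 * fit in dst. On failure dst is left as an empty string. */
int build_name_checked(char *dst, size_t dstsz, const char *iname)
{
    size_t nlen, slen = strlen(Z_SUFFIX);

    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (iname == NULL)
        return -1;
    nlen = strlen(iname);
    if (nlen + slen + 1 > dstsz)
        return -1;                        /* reject instead of overflowing */
    memcpy(dst, iname, nlen);
    memcpy(dst + nlen, Z_SUFFIX, slen + 1); /* copies the terminating NUL */
    return 0;
}

/* Try a constructed name made of n 'a' characters against the checked form. */
int try_length(size_t n)
{
    char name[2048];
    char out[NAME_BUF];

    if (n >= sizeof name)
        return -1;
    memset(name, 'a', n);
    name[n] = '\0';
    return build_name_checked(out, sizeof out, name);
}

int main(void)
{
    printf("1020 chars: %s\n", try_length(1020) == 0 ? "accepted" : "rejected");
    printf("1021 chars: %s\n", try_length(1021) == 0 ? "accepted" : "rejected");
    return 0;
}
```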



More information about the lfs-dev mailing list