Vulnerability Development mailing list archives

Re: New bugs discovered!


From: Valdis.Kletnieks () vt edu
Date: Mon, 19 Nov 2001 16:51:54 -0500

On Mon, 19 Nov 2001 12:16:30 EST, Chris Ess said:
> > Current versions of gzip (1.3.x) are not vulnerable.
>
> I see nowhere on www.gzip.org mentioning a version 1.3.x.  It only
> mentions 1.2.4a
>
> Where would one go about finding the source for this?

http://www.gzip.org  for those of you who don't do rpmfind.  However,
that seems to still be 1.2.4a.  'gzip 1.3' seems to be a RedHat creation,
based on the output of 'rpm -q --changelog gzip':

* Mon Mar 20 2000 Bernhard Rosenkraenzer <bero () redhat com>

- 1.3
- handle RPM_OPT_FLAGS

* Tue Feb 15 2000 Cristian Gafton <gafton () redhat com>

- handle compressed man pages even better

* Tue Feb 08 2000 Cristian Gafton <gafton () redhat com>

- adopt patch from Paul Eggert to fix detection of the improper tables in
  inflate.c(huft_build)
- the latest released version 1.2.4a, which provides documentation updates
  only. But it lets us use small revision numbers again
- add an dirinfo entry for gzip.info so we can get rid of the ugly --entry
  args to install-info

I've opened Bug 56489 with bugzilla.redhat.com to address the fact that they
seem to have forked 1.3 but are still pointing at www.gzip.org.

The latest SRPM seems to be available at:

ftp://ftp.redhat.com/pub/redhat/linux/rawhide/SRPMS/SRPMS/gzip-1.3.1-1.src.rpm

-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
