gzip (1.3.5-10sarge2) stable-security; urgency=high

  * Non-maintainer upload by the Security Team:
  * Fix several security problems discovered by Tavis Ormandy of Google:
    - DoS through null pointer dereference in the Huffman code (CVE-2006-4334)
    - Out-of-bounds stack write in LZH decompression code (CVE-2006-4335)
    - Buffer overflow in pack code (CVE-2006-4336)
    - Buffer overflow in LZH code (CVE-2006-4337)
    - DoS through an infinite loop in LZH code (CVE-2006-4337)
    (Patch by Thomas Biege of SuSe)

 -- Moritz Muehlenhoff <jmm@debian.org>  Sun, 10 Sep 2006 21:01:47 +0000

gzip (1.3.5-10sarge1) stable; urgency=low

  * merge patch from Matt Zimmerman for futex hang due to improper signal
    handling, closes: #310053, #315612
  * backport to stable since this problem affects several debian.org servers

 -- Bdale Garbee <bdale@gag.com>  Tue, 8 Nov 2005 22:25:19 -0700

gzip (1.3.5-10) unstable; urgency=medium

  * remove PAGER reference from zmore.1, closes: #263792
  * patch to improve zgrep argument sanitizing (CAN-2005-0758),
  * patch isolated by Petter Reinholdtsen for CAN-2005-0988, closes: #303927
  * patch for dir traversal bug (CAN-2005-1228), closes: #305255
  * up the priority a click because of the security fixes
  * patch to support cross building, closes: #283730

 -- Bdale Garbee <bdale@gag.com>  Fri, 20 May 2005 22:34:49 -0600

gzip (1.3.5-9) unstable; urgency=low

  * eliminate the autoconf and automake build dependencies, since they are
    no longer needed, closes: #250766
  * improve temp file usage in gzexe, closes: #257314, #259043
  * have zmore use 'more' instead of honoring $PAGER, to avoid violating
    the principle of least astonishment, closes: #234212
  * fix zgrep choke on filenames including a pipe character, closes: #216211
  * incorporate watch file, closes: #248722
  * suggest less, since we provide zless, closes: #217925
  * use signames instead of signumbers for trap calls, closes: #259284

 -- Bdale Garbee <bdale@gag.com>  Sat, 24 Jul 2004 01:23:03 -0600

gzip (1.3.5-8) unstable; urgency=low

  * run autoreconf -i to address problem reported with dir.old.gz being
    included on rebuilds, closes: #249519
  * change automake build dependency from automake1.7 to automaken
  * add lintian overrides to squelch the hardlink warnings
  * fix typo in inflate.c comments, closes: #201881

 -- Bdale Garbee <bdale@gag.com>  Sun, 23 May 2004 01:07:03 -0600

gzip (1.3.5-7) unstable; urgency=low

  * patch from David Mosberger to incorporate work done by Sverre Jarp on
    an ia64 version of match.c content.

 -- Bdale Garbee <bdale@gag.com>  Thu, 10 Jul 2003 08:45:27 -0600

gzip (1.3.5-6) unstable; urgency=medium

  * patch for insecure temp file usage in znew, closes: #193375

 -- Bdale Garbee <bdale@gag.com>  Sat, 7 Jun 2003 09:05:11 -0600

gzip (1.3.5-5) unstable; urgency=low

  * apply patch from Anthony Towns that fixes seg faults on alpha during
    build of Xfree86 at the expense of slightly decreasing the effectiveness
    of the deflate implementation. closes: #184057, #187417

 -- Bdale Garbee <bdale@gag.com>  Wed, 16 Apr 2003 11:24:23 -0600

gzip (1.3.5-4) unstable; urgency=low

  * merge patch from Rusty Russell that adds --rsyncable option to gzip.
    This modifies the output stream to allow rsync to transfer updated .gz
    files much more effectively. The resulting .gz files should be compatible
    with the existing gunzip. The plan is that if this works out well for
    Debian, the functionality will be included in a future upstream gzip
    release. Closes: #116183, #118118, #134741

 -- Bdale Garbee <bdale@gag.com>  Thu, 13 Feb 2003 23:50:23 -0700

gzip (1.3.5-3) unstable; urgency=low

  * upload a fresh version so m68k, et al, will rebuild, closes: #167790

 -- Bdale Garbee <bdale@gag.com>  Wed, 6 Nov 2002 16:13:42 -0700

gzip (1.3.5-2) unstable; urgency=low

  * fix gzexe.in again as per what I did for 1.3.2-3 that accidentally got
    lost when I merged 1.3.5 from upstream... sigh. Closes: #167150
  * hack on gzip.texi a little harder to squelch warning at install time from
    Debian's install-info, closes: #164106

 -- Bdale Garbee <bdale@gag.com>  Wed, 30 Oct 2002 20:21:42 -0700

gzip (1.3.5-1) unstable; urgency=low

  * new upstream version
  * fixes a bug in the incorrect-suffix diagnostic, which can lead to a
    core dump, closes: #152579
  * removes dangling output symlinks properly, closes: #144759
  * zless no longer thinks it is zmore in usage message, closes: #121810
  * zless replaced with a much simpler script, closes: #124097
  * uses shell pattern matching instead of 'expr', closes: #123295
  * man page suggests how to use gunzip on zip files, closes: #146019
  * uses "trap -" to avoid bashism, closes: #140972, #157111
  * accepts __i386 and __i386__ as synonyms for i386, closes: #152694
  * fixes printing values greater than 10 * 2**32 bytes, closes: #141189
  * includes fix for zforce needing -v, closes: #123294
  * hack gzip.texi so that the Debian install-info doesn't choke on it (grrr),
    and add texinfo as a build dependency
  * eliminate things hard-coded in postinst and prerm now handled by debhelper

 -- Bdale Garbee <bdale@gag.com>  Wed, 9 Oct 2002 09:05:27 -0600

gzip (1.3.2-3) unstable; urgency=low

  * modify gzexe.in to hard-code /bin/gzip instead of trying to use BINDIR
    which yields /usr/bin/gzip. Don't use PATH since we have no idea what it
    might be when the gzexe'd executable gets run. Closes: #119641

 -- Bdale Garbee <bdale@gag.com>  Wed, 14 Nov 2001 23:00:59 -0700

gzip (1.3.2-2) unstable; urgency=low

  * fix silly mistake made when moving man pages from hard to soft links, so
    man pages for zegrep, zfgrep, and uncompress work again, closes: #118325

 -- Bdale Garbee <bdale@gag.com>  Mon, 5 Nov 2001 00:53:40 -0700

gzip (1.3.2-1) unstable; urgency=low

  * new upstream release, incorporating my diffs to 1.3.1

 -- Bdale Garbee <bdale@gag.com>  Sun, 4 Nov 2001 09:47:40 -0700

gzip (1.3.1-2) unstable; urgency=low

  * add build dependencies on autoconf and automake
  * fix infodir spec so we install in the build tree, not the system directory

 -- Bdale Garbee <bdale@gag.com>  Sat, 3 Nov 2001 02:18:06 -0700

gzip (1.3.1-1) unstable; urgency=low

  * new upstream version! From alpha.gnu.org, on the explicit advice of the
    current upstream maintainers, who are working with Debian to prepare a new
    stable release that addresses many of the open issues in our BTS.

    large file support handled in configure, closes: #108612, #83061, #113000
    it appears the subtle problem with concatenation is fixed, closes: #114591
    various segfault problems appear fixed, closes: #46312
    gzip -r issues fixed, closes: #53645, #106186
    problem with --no-filename option fixed, closes: #59067
    zgrep -r disallowed - "I did not use the patch as it was not a complete
    . fix for the problem and I thought it would cause more problems than
    . it would cure. Instead, I simply disallowed zgrep -r", closes: #81288
    error message reworded, closes: #76238
    compression factor output fixed, closes: #80362
    zgrep -H fixed, closes: #84371
    permission issue when forced to compress linked file fixed, closes: #88918
    manpage hardlinks fixed, closes: #94733
    gzip --help now goes to stdout, closes: #97020
    zless no longer runs less if file doesn't exist, closes: #109097
    problem with -best fixed, closes: #17650
    zgrep now understands --, closes: #28475
    file size output by gzip fixed for large files, closes: #40721
  * fix location referenced for GPL on Debian systems, closes: #112095
  * move install-info remove call from postrm to prerm

 -- Bdale Garbee <bdale@gag.com>  Sat, 3 Nov 2001 01:01:02 -0700

gzip (1.2.4-33) unstable; urgency=low

  * update to current policy

 -- Bdale Garbee <bdale@gag.com>  Thu, 2 Dec 1999 01:10:58 -0700

gzip (1.2.4-32) unstable; urgency=low

  * update prototype for and definition of basename function for compatibility
    with glibc2.0, still in use on m68k. Closes: #45058

 -- Bdale Garbee <bdale@gag.com>  Wed, 15 Sep 1999 02:01:47 -0600

gzip (1.2.4-31) unstable; urgency=medium

  * fix problems I induced while merging the upstream patch in the last upload,
    most notably omitting zless from the package.
    Closes: #44883, #44885, #44890, #44882, #44887, #44895, #44896

 -- Bdale Garbee <bdale@gag.com>  Sun, 12 Sep 1999 12:06:00 -0600

gzip (1.2.4-30) unstable; urgency=low

  * upstream patch, closes: #28872
    1998-11-18 Paul Eggert <eggert@twinsun.com>
    gzip.c (get_method): Don't complain about trailing zeros at
    the end of a gzipped file, as they're commonly appended to fill
    out a block (e.g. by GNU tar).
  * update to FHS compliance

 -- Bdale Garbee <bdale@gag.com>  Fri, 10 Sep 1999 21:34:07 -0600

gzip (1.2.4-29) unstable; urgency=low

  * apply patch from Vincent Renardias that improves behavior when trying to
    decompress a corrupted .gz file. Closes 7472, 16385

 -- Bdale Garbee <bdale@gag.com>  Wed, 27 Jan 1999 20:50:12 -0700

gzip (1.2.4-28) frozen unstable; urgency=medium

  * patch zforce to make it work at all, closes 22760
  * patch to fix decompression of concatenated gzip files, closes 30537

 -- Bdale Garbee <bdale@gag.com>  Fri, 22 Jan 1999 10:43:09 -0700

gzip (1.2.4-27) frozen unstable; urgency=low

  * patch from Jean-loup (upstream maintainer) for zgrep.in to fix the
    problems with -A and -B successfully passing to grep. Closes 21209.

 -- Bdale Garbee <bdale@gag.com>  Sat, 25 Apr 1998 22:47:15 -0600

gzip (1.2.4-26) frozen unstable; urgency=low

  * fix FSF address in copyright file, lintian now reports no errors
  * minor tweak to Makefile to fix warnings during dh_installmanpages run

 -- Bdale Garbee <bdale@gag.com>  Tue, 24 Mar 1998 00:40:48 -0700

gzip (1.2.4-25) frozen unstable; urgency=low

  * update znew.in and zdiff.in to do safe tempfile handling, closes 19794

 -- Bdale Garbee <bdale@gag.com>  Sat, 21 Mar 1998 23:48:26 -0700

gzip (1.2.4-24) unstable; urgency=low

  * minor fix for complaints about short files, closes 19159

 -- Bdale Garbee <bdale@gag.com>  Wed, 11 Mar 1998 02:21:50 -0700

gzip (1.2.4-23) unstable; urgency=high

  * respond to security advisory from Alan Cox via Christian Hudon, fixes
    an obscure possibility to get gzip to execute code

 -- Bdale Garbee <bdale@gag.com>  Wed, 11 Mar 1998 02:16:59 -0700

gzip (1.2.4-22) unstable; urgency=high

  * gzexe modified to use tempfile in response to security advisory

 -- Bdale Garbee <bdale@gag.com>  Sat, 31 Jan 1998 14:30:20 -0700

gzip (1.2.4-21) unstable; urgency=low

  * fix from the upstream maintainer for voluminous "Broken Pipe" messages
    when using 'zgrep -l' or equivalent. Closes bug 15178.

 -- Bdale Garbee <bdale@gag.com>  Sun, 4 Jan 1998 00:56:21 -0700

gzip (1.2.4-20) unstable; urgency=low

  * freshen rules file to match current debhelper
  * improve handling of undocumented executables. Closes bug 13578.

 -- Bdale Garbee <bdale@gag.com>  Sun, 4 Jan 1998 00:56:21 -0700

gzip (1.2.4-19) unstable; urgency=low

  * change dependency to Pre-Depends, to keep dpkg from getting hosed during
    libc6 upgrades. Closes 15091.
  * switch from debmake to debhelper. In the process, closes 15412.

 -- Bdale Garbee <bdale@gag.com>  Mon, 8 Dec 1997 23:42:49 -0700

gzip (1.2.4-18) unstable; urgency=low

  * don't install INSTALL in the doc directory, closes bug 13224.

 -- Bdale Garbee <bdale@gag.com>  Fri, 5 Sep 1997 15:06:35 -0600

gzip (1.2.4-17) unstable; urgency=low

  * fix distribution problem in changelog file

 -- Bdale Garbee <bdale@gag.com>  Fri, 5 Sep 1997 15:06:35 -0600

gzip (1.2.4-16) stable frozen unstable; urgency=low

  * tweaks to rules file to install Changelog, closes bug 12488

 -- Bdale Garbee <bdale@gag.com>  Thu, 4 Sep 1997 22:46:28 -0600

gzip (1.2.4-15) stable frozen unstable; urgency=low

  * fix minor security issue - race condition reported on bugtraq list
  * rework debian/rules to build with debugging then strip

 -- Bdale Garbee <bdale@gag.com>  Fri, 14 Mar 1997 21:14:44 -0700

gzip (1.2.4-14) stable frozen unstable; urgency=medium

  * The -13 upload was built against a libc5 too new for 'stable'.

 -- Bdale Garbee <bdale@gag.com>  Thu, 28 Nov 1996 11:37:31 -0700

gzip (1.2.4-13) stable frozen unstable; urgency=medium

  * Fix missing "essential" flag on package, lost during standards update.
  * Push this version back into stable to solve the 'compress' link problem.

 -- Bdale Garbee <bdale@gag.com>  Tue, 19 Nov 1996 09:14:14 -0700

gzip (1.2.4-12) unstable; urgency=low

 -- Bdale Garbee <bdale@gag.com>  Sat, 02 Nov 1996 14:47:42 -0800

Thu Jul 18 01:30:22 MDT 1996 Bdale Garbee <bdale@gag.com>

  * add zegrep and zfgrep links in /usr/bin (Bug#3326)
  * add an extended description (Bug#3591)
  * tweak control files to use dpkg-name, etc.

Fri May 24 07:37:54 MDT 1996 Bdale Garbee <bdale@gag.com>

  * don't provide a 'compress' link since it breaks things, but provide
    an 'uncompress' link since it's useful.
  * fix some administrivia

Sun Apr 14 20:39:19 MDT 1996 Bdale Garbee <bdale@gag.com>

  * change gzexe.in to not use BINDIR, but assume gzip is in PATH
  * add Architecture field in the control file

Wed Jan 17 00:07:00 MST 1996 Bdale Garbee <bdale@gag.com>

  * switch targets in the Makefile to also install the links called
    'compress' and 'uncompress' since some utilities care about these,
    and we're unlikely to ever have a 'compress' package because of the
    intellectual property issues.

Sat Dec 2 23:45:40 MST 1995 Bdale Garbee <bdale@gag.com>

  * add 'zless' as a near-clone of 'zmore', closes bug 1776
  * unable to duplicate bug 1090, something has improved since then?
  * add libc5 dependency