From: Moritz Muehlenhoff Date: Sun, 10 Sep 2006 21:01:47 +0000 (+0000) Subject: Imported Debian patch 1.3.5-10sarge2 X-Git-Url: https://git.cworth.org/git?p=gzip;a=commitdiff_plain;h=8ba3484138b5d1e72fd4ef49d27159263cb6bea6 Imported Debian patch 1.3.5-10sarge2 --- diff --git a/debian/changelog b/debian/changelog index 58cd017..52d6a13 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,16 @@ +gzip (1.3.5-10sarge2) stable-security; urgency=high + + * Non-maintainer upload by the Security Team: + * Fix several security problems discovered by Tavis Ormandy of Google: + - DoS through null pointer deference in the Huffman code (CVE-2006-4334) + - Out-of-bands stack write in LZH decompression code (CVE-2006-4335) + - Buffer overflow in pack code (CVE-2006-4336) + - Buffer overflow in LZH code (CVE-2006-4337) + - DoS through an infinite loop in LZH code (CVE-2006-4337) + (Patch by Thomas Biege of SuSe) + + -- Moritz Muehlenhoff Sun, 10 Sep 2006 21:01:47 +0000 + gzip (1.3.5-10sarge1) stable; urgency=low * merge patch from Matt Zimmerman for futex hang due to improper signal diff --git a/gzip.info b/gzip.info index 21a2d9f..ae999ae 100644 --- a/gzip.info +++ b/gzip.info @@ -1,6 +1,13 @@ -This is gzip.info, produced by makeinfo version 4.2 from gzip.texi. +This is gzip.info, produced by makeinfo version 4.7 from gzip.texi. -This manual is for Gzip (version 1.3.5, 29 September 2002), and +INFO-DIR-SECTION Utilities +START-INFO-DIR-ENTRY +* gzip: (gzip). The gzip command for compressing files. +END-INFO-DIR-ENTRY + + This file documents the GNU `gzip' command for compressing files. + + This manual is for Gzip (version 1.3.5, 10 September 2006), and documents commands for compressing and decompressing data. Copyright (C) 1998, 1999, 2001, 2002 Free Software Foundation, Inc. 
@@ -18,16 +25,6 @@ documents commands for compressing and decompressing data. (a) The FSF's Back-Cover Text is: "You have freedom to copy and modify this GNU Manual, like GNU software. Copies published by the Free Software Foundation raise funds for GNU development." - -INFO-DIR-SECTION Individual utilities -START-INFO-DIR-ENTRY -* gzip: (gzip)Invoking gzip. Compress files. -END-INFO-DIR-ENTRY - -INFO-DIR-SECTION Utilities -START-INFO-DIR-ENTRY -* Gzip: (gzip). The gzip command for compressing files. -END-INFO-DIR-ENTRY  File: gzip.info, Node: Top, Up: (dir) @@ -35,7 +32,9 @@ File: gzip.info, Node: Top, Up: (dir) Compressing Files ***************** -This manual is for Gzip (version 1.3.5, 29 September 2002), and +This file documents the GNU `gzip' command for compressing files. + + This manual is for Gzip (version 1.3.5, 10 September 2006), and documents commands for compressing and decompressing data. Copyright (C) 1998, 1999, 2001, 2002 Free Software Foundation, Inc. @@ -53,7 +52,7 @@ documents commands for compressing and decompressing data. (a) The FSF's Back-Cover Text is: "You have freedom to copy and modify this GNU Manual, like GNU software. Copies published by the Free Software Foundation raise funds for GNU development." - + * Menu: * Overview:: Preliminary information. @@ -69,10 +68,10 @@ documents commands for compressing and decompressing data.  File: gzip.info, Node: Overview, Next: Sample, Up: Top -Overview -******** +1 Overview +********** - `gzip' reduces the size of the named files using Lempel-Ziv coding +`gzip' reduces the size of the named files using Lempel-Ziv coding (LZ77). Whenever possible, each file is replaced by one with the extension `.gz', while keeping the same ownership modes, access and modification times. (The default extension is `-gz' for VMS, `z' for 
@@ -157,10 +156,10 @@ Format Specification version 1.3, Internet RFC 1951  File: gzip.info, Node: Sample, Next: Invoking gzip, Prev: Overview, Up: Top -Sample Output -************* +2 Sample Output +*************** - Here are some realistic examples of running `gzip'. +Here are some realistic examples of running `gzip'. This is the output of the command `gzip -h': @@ -199,10 +198,10 @@ destroying the original:  File: gzip.info, Node: Invoking gzip, Next: Advanced usage, Prev: Sample, Up: Top -Invoking `gzip' -*************** +3 Invoking `gzip' +***************** - The format for running the `gzip' program is: +The format for running the `gzip' program is: gzip OPTION ... @@ -305,6 +304,15 @@ Invoking `gzip' descend into the directory and compress all the files it finds there (or decompress them in the case of `gunzip'). +`--rsyncable' + While compressing, synchronize the output occasionally based on the + input. This increases size by less than 1 percent most cases, but + means that the `rsync' program can take advantage of similarities + in the uncompressed input when syncronizing two files compressed + with this flag. `gunzip' cannot tell the difference between a + compressed file created with this option, and one created without + it. + `--suffix SUF' `-S SUF' Use suffix `SUF' instead of `.gz'. Any suffix can be given, but 
@@ -345,13 +353,13 @@ Invoking `gzip'  File: gzip.info, Node: Advanced usage, Next: Environment, Prev: Invoking gzip, Up: Top -Advanced usage -************** +4 Advanced usage +**************** - Multiple compressed files can be concatenated. In this case, -`gunzip' will extract all members at once. If one member is damaged, -other members might still be recovered after removal of the damaged -member. Better compression can be usually obtained if all members are +Multiple compressed files can be concatenated. In this case, `gunzip' +will extract all members at once. If one member is damaged, other +members might still be recovered after removal of the damaged member. +Better compression can be usually obtained if all members are decompressed and then recompressed in a single step. This is an example of concatenating `gzip' files: @@ -397,10 +405,10 @@ replacement.  File: gzip.info, Node: Environment, Next: Tapes, Prev: Advanced usage, Up: Top -Environment -*********** +5 Environment +************* - The environment variable `GZIP' can hold a set of default options for +The environment variable `GZIP' can hold a set of default options for `gzip'. These options are interpreted first and can be overwritten by explicit command line parameters. For example: 
@@ -414,17 +422,16 @@ avoid a conflict with the symbol set for invocation of the program.  File: gzip.info, Node: Tapes, Next: Problems, Prev: Environment, Up: Top -Using `gzip' on tapes -********************* +6 Using `gzip' on tapes +*********************** - When writing compressed data to a tape, it is generally necessary to -pad the output with zeroes up to a block boundary. When the data is -read and the whole block is passed to `gunzip' for decompression, -`gunzip' detects that there is extra trailing garbage after the -compressed data and emits a warning by default if the garbage contains -nonzero bytes. You have to use the `--quiet' option to suppress the -warning. This option can be set in the `GZIP' environment variable, as -in: +When writing compressed data to a tape, it is generally necessary to pad +the output with zeroes up to a block boundary. When the data is read and +the whole block is passed to `gunzip' for decompression, `gunzip' +detects that there is extra trailing garbage after the compressed data +and emits a warning by default if the garbage contains nonzero bytes. +You have to use the `--quiet' option to suppress the warning. This +option can be set in the `GZIP' environment variable, as in: for sh: GZIP="-q" tar -xfz --block-compress /dev/rst0 for csh: (setenv GZIP "-q"; tar -xfz --block-compress /dev/rst0) @@ -437,10 +444,10 @@ of `tar') is used for reading and writing compressed data on tapes.  File: gzip.info, Node: Problems, Next: Copying This Manual, Prev: Tapes, Up: Top -Reporting Bugs -************** +7 Reporting Bugs +**************** - If you find a bug in `gzip', please send electronic mail to +If you find a bug in `gzip', please send electronic mail to . Include the version number, which you can find by running `gzip -V'. Also include in your message the hardware and operating system, the compiler used to compile `gzip', a description of 
@@ -449,8 +456,8 @@ the bug behavior, and the input to `gzip' that triggered the bug.  File: gzip.info, Node: Copying This Manual, Next: Concept Index, Prev: Problems, Up: Top -Copying This Manual -******************* +Appendix A Copying This Manual +****************************** * Menu: @@ -459,13 +466,14 @@ Copying This Manual  File: gzip.info, Node: GNU Free Documentation License, Up: Copying This Manual -GNU Free Documentation License -============================== +A.1 GNU Free Documentation License +================================== Version 1.1, March 2000 + Copyright (C) 2000 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA - + Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. @@ -815,10 +823,10 @@ GNU Free Documentation License you may choose any version ever published (not as a draft) by the Free Software Foundation. -ADDENDUM: How to use this License for your documents ----------------------------------------------------- +A.1.1 ADDENDUM: How to use this License for your documents +---------------------------------------------------------- - To use this License in a document you have written, include a copy of +To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page: 
@@ -844,34 +852,36 @@ permit their use in free software.  File: gzip.info, Node: Concept Index, Prev: Copying This Manual, Up: Top -Concept Index -************* +Appendix B Concept Index +************************ +[index] * Menu: -* bugs: Problems. -* concatenated files: Advanced usage. -* Environment: Environment. +* bugs: Problems. (line 6) +* concatenated files: Advanced usage. (line 6) +* Environment: Environment. (line 6) * FDL, GNU Free Documentation License: GNU Free Documentation License. -* invoking: Invoking gzip. -* options: Invoking gzip. -* overview: Overview. -* sample: Sample. -* tapes: Tapes. + (line 6) +* invoking: Invoking gzip. (line 6) +* options: Invoking gzip. (line 6) +* overview: Overview. (line 6) +* sample: Sample. (line 6) +* tapes: Tapes. (line 6)  Tag Table: -Node: Top1258 -Node: Overview2630 -Node: Sample7390 -Node: Invoking gzip9051 -Node: Advanced usage14032 -Node: Environment15621 -Node: Tapes16189 -Node: Problems17203 -Node: Copying This Manual17661 -Node: GNU Free Documentation License17877 -Node: Concept Index37741 +Node: Top1170 +Node: Overview2609 +Node: Sample7370 +Node: Invoking gzip9032 +Node: Advanced usage14463 +Node: Environment16053 +Node: Tapes16622 +Node: Problems17637 +Node: Copying This Manual18096 +Node: GNU Free Documentation License18334 +Node: Concept Index38211  End Tag Table diff --git a/inflate.c b/inflate.c index 429716c..cfb0d57 100644 --- a/inflate.c +++ b/inflate.c @@ -337,7 +337,7 @@ int *m; /* maximum lookup bits, returns actual */ { *t = (struct huft *)NULL; *m = 0; - return 0; + return 2; } diff --git a/stamp-vti b/stamp-vti index 6996ff7..8f612b6 100644 --- a/stamp-vti +++ b/stamp-vti @@ -1,4 +1,4 @@ -@set UPDATED 29 September 2002 -@set UPDATED-MONTH September 2002 +@set UPDATED 10 September 2006 +@set UPDATED-MONTH September 2006 @set EDITION 1.3.5 @set VERSION 1.3.5 diff --git a/unlzh.c b/unlzh.c index b1c6ac6..7a88fee 100644 --- a/unlzh.c +++ b/unlzh.c 
@@ -69,11 +69,7 @@ local void make_table OF((int nchar, uch bitlen[], #define NT (CODE_BIT + 3) #define PBIT 4 /* smallest integer such that (1U << PBIT) > NP */ #define TBIT 5 /* smallest integer such that (1U << TBIT) > NT */ -#if NT > NP -# define NPT NT -#else -# define NPT NP -#endif +#define NPT (1< 1 << tablebits) + error("Bad table\n"); for (i = start[len]; i < nextcode; i++) table[i] = ch; } else { k = start[len]; @@ -223,6 +221,8 @@ local void read_pt_len(nn, nbit, i_special) if (c == 7) { mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3); while (mask & bitbuf) { mask >>= 1; c++; } + if (c > 16) + error("Bad table\n"); } fillbuf((c < 7) ? 3 : c - 3); pt_len[i++] = c; diff --git a/unpack.c b/unpack.c index 00dae74..b1f3ef3 100644 --- a/unpack.c +++ b/unpack.c @@ -97,6 +97,7 @@ local void read_tree() int len; /* bit length */ int base; /* base offset for a sequence of leaves */ int n; + int max_leaves; /* Read the original input size, MSB first */ orig_len = 0; @@ -109,11 +110,15 @@ local void read_tree() /* Get the number of leaves at each bit length */ n = 0; + max_leaves = 1; for (len = 1; len <= max_len; len++) { leaves[len] = (int)get_byte(); + if (leaves[len] > max_leaves - (len == max_len)) + error("too many leaves in Huffman tree"); + max_leaves = (max_leaves - leaves[len] + 1) * 2 - 1; n += leaves[len]; } - if (n > LITERALS) { + if (n >= LITERALS) { error("too many leaves in Huffman tree"); } Trace((stderr, "orig_len %lu, max_len %d, leaves %d\n", diff --git a/version.texi b/version.texi index 6996ff7..8f612b6 100644 --- a/version.texi +++ b/version.texi @@ -1,4 +1,4 @@ -@set UPDATED 29 September 2002 -@set UPDATED-MONTH September 2002 +@set UPDATED 10 September 2006 +@set UPDATED-MONTH September 2006 @set EDITION 1.3.5 @set VERSION 1.3.5
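Review bot: In the debian/changelog hunk, CVE-2006-4337 is attached to two different entries ("Buffer overflow in LZH code" and "DoS through an infinite loop in LZH code"); confirm whether the second entry should carry its own identifier, since the duplicate makes it unclear which fix closes which issue. The same list has two typos worth correcting: "deference" should read "dereference" and "Out-of-bands" should read "Out-of-bounds".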
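Review bot: The gzip.info hunks are regenerated makeinfo output (the header moves from makeinfo version 4.2 to 4.7, sections gain numbers, every tag table offset shifts), which buries the security fix in unrelated churn; consider keeping generated files out of a stable-security upload or regenerating them in a separate commit. The added `--rsyncable` paragraph documents an option that none of the C hunks in this diff touch, and its text has "syncronizing" for "synchronizing" and "by less than 1 percent most cases" missing "in".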
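Review bot: In the inflate.c hunk, the new `return 2;` on the path that sets `*t` to NULL and `*m` to 0 is a bare magic number with no comment; say next to it what 2 means to callers and why this path is no longer reported as success. Because the fix depends on the caller acting on the nonzero value, check that every call site tests the return value before it uses `*t`.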
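Review bot: In the unlzh.c change that places the `1 << tablebits` comparison ahead of `for (i = start[len]; i < nextcode; i++) table[i] = ch;`, the bound leans on operator precedence and a signed shift; writing it as `(1U << tablebits)` with explicit parentheses would match the `1U` form already used in the PBIT and TBIT comments of this file. A one-line comment naming the array bound that the check protects would also help, since the loop that follows is the write it guards.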
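Review bot: In the read_pt_len hunk of unlzh.c, the added `if (c > 16)` check uses an unexplained literal; tie 16 to the limit it enforces with a named constant or a comment, so that a later change to the table sizes does not leave the check stale. It also reports the same "Bad table\n" string as the check added in the earlier unlzh.c hunk, so a distinct message per site would tell the two failures apart when triaging a rejected file.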
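Review bot: In the first unpack.c hunk, the new local `int max_leaves;` has no comment while the neighbouring `len` and `base` declarations do; add one stating what it bounds, so the arithmetic in the following hunk can be read against it.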
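Review bot: In the second unpack.c hunk, the condition `leaves[len] > max_leaves - (len == max_len)` and the update `max_leaves = (max_leaves - leaves[len] + 1) * 2 - 1;` encode the tree invariant with no comment, including the special case at `max_len` and the `+ 1` and `- 1` adjustments; a short comment deriving the recurrence would make the bound reviewable. The change from `n > LITERALS` to `n >= LITERALS` is likewise an unexplained tightening and needs a note on why a count equal to LITERALS must be rejected; both checks also share the message "too many leaves in Huffman tree", so they cannot be told apart in a report.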