Opened 22 years ago

Closed 22 years ago

Last modified 20 years ago

#284 closed defect (fixed)

gzip-1.2.4b

Reported by: markh@…
Owned by: lfs-book@…
Priority: highest
Milestone:
Component: Book
Version: CVS
Severity: normal
Keywords:
Cc:

Description

This is important. There's a buffer overflow in gzip-1.2.4a which presents a security risk. Suggest we move to gzip-1.2.4b before LFS-3.2 is released.

Change History (13)

comment:1 by markh@…, 23 years ago

dependson: 30

comment:2 by gerard@…, 22 years ago

Resolution: fixed
Status: new → closed

comment:3 by gerard@…, 22 years ago

Resolution: fixed
Status: closed → reopened

How did I end up closing this one... wanted to assign it to me.

comment:4 by gerard@…, 22 years ago

Owner: changed from lfs-book@… to gerard@…
Status: reopened → assigned

comment:5 by gerard@…, 22 years ago

Owner: changed from gerard@… to lfs-book@…
Status: assigned → new

I don't see an officially released 1.2.4b version anywhere on ftp.gnu.org. I did find via freshmeat a Debian-related article relating to gzip, and there's a gzip patch on the Debian site. I'm not going to provide two gzip patches (one to fix the compile problem, one to fix the security problem); they may not even work together.

From what I have read, the security hole isn't all that serious, so I'll leave this to be dealt with after LFS-3.2 so we can investigate better and perhaps combine the two patches into one.

comment:6 by gerard@…, 22 years ago

Priority: highest → high

comment:7 by markh@…, 22 years ago

The patch is available from www.gzip.org (the official gzip homepage) and is designed to be applied to gzip-1.2.4a. They are saying that there'll be a complete new official version of gzip coming out soon, so maybe we can just leave it for 3.2 and hope that gzip-1.4.x comes out before 3.3.

comment:8 by gerard@…, 22 years ago

Okay, we'll do that; makes it easier for me now. All P1 bugs are gone; I'll check for obvious glaring errors, then release lfs-3.2-rc1.

comment:9 by gimli@…, 22 years ago

3.3 is released now; have we decided yet what to do with this one? I'd say leave it as long as possible, but when there's still no new gzip out when we're getting ready for 4.0, use it.

comment:10 by gerard@…, 22 years ago

Sounds good to me.

comment:11 by gerard@…, 22 years ago

Priority: high → highest

comment:12 by timothy@…, 22 years ago

Resolution: fixed
Status: new → closed

Added gzip-1.2.4b to book, closing this bug.

comment:13 by gerard@…, 20 years ago

dependson: 30