[Touch-packages] [Bug 1358762] Re: Included gzip 1.2.4 has several vulnerabilities
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-1228 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to klibc in Ubuntu. https://bugs.launchpad.net/bugs/1358762 Title: Included gzip 1.2.4 has several vulnerabilities Status in klibc: New Status in klibc package in Ubuntu: Confirmed Bug description: The included gzip version is quite old (version 1.2.4) and has several security vulnerabilities. Check http://web.nvd.nist.gov/view/vuln/search- results?adv_search=true=on_version=cpe:/a:gnu:gzip:1.2.4 for example. I explicitly checked for CVE-2001-1228, which was not fixed by a patch in the klibc package, so I assume the other vulnerabilities are not fixed either. I think it would be a good idea to update the included gzip to a current version. To manage notifications about this bug go to: https://bugs.launchpad.net/klibc/+bug/1358762/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1358762] Re: Included gzip 1.2.4 has several vulnerabilities
Will this security vulnerability get fixed at all? I realize that the impact is pretty small, because someone would have to explicitly use the gzip binary provided with klibc. But even the new klibc package in trusty/utopic/vivid still contains the old 1.2.4 version of gzip. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to klibc in Ubuntu. https://bugs.launchpad.net/bugs/1358762 Title: Included gzip 1.2.4 has several vulnerabilities Status in “klibc” package in Ubuntu: Confirmed Bug description: The included gzip version is quite old (version 1.2.4) and has several security vulnerabilities. Check http://web.nvd.nist.gov/view/vuln/search- results?adv_search=truecves=oncpe_version=cpe:/a:gnu:gzip:1.2.4 for example. I explicitly checked for CVE-2001-1228, which was not fixed by a patch in the klibc package, so I assume the other vulnerabilities are not fixed either. I think it would be a good idea to update the included gzip to a current version. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/klibc/+bug/1358762/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1358762] Re: Included gzip 1.2.4 has several vulnerabilities
I have just looked at whether gzip can be replaced by BSD compress(1), which is a drop-in replacement under a more free licence, but even after adding fts and a lot of BSD functions it still needs funopen() which klibc doesn’t have ☹ -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to klibc in Ubuntu. https://bugs.launchpad.net/bugs/1358762 Title: Included gzip 1.2.4 has several vulnerabilities Status in “klibc” package in Ubuntu: Confirmed Bug description: The included gzip version is quite old (version 1.2.4) and has several security vulnerabilities. Check http://web.nvd.nist.gov/view/vuln/search- results?adv_search=truecves=oncpe_version=cpe:/a:gnu:gzip:1.2.4 for example. I explicitly checked for CVE-2001-1228, which was not fixed by a patch in the klibc package, so I assume the other vulnerabilities are not fixed either. I think it would be a good idea to update the included gzip to a current version. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/klibc/+bug/1358762/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1358762] Re: Included gzip 1.2.4 has several vulnerabilities
Nevermind. I hacked MirBSD compress to omit the BSD compress method (so it only does gzip), and replaced a few more things, and got a working gzip/gunzip under BSD licence. If there is any interest in the klibc side to include that, be my guest. Sizes are nice, too (dynamically linked): tglase@tglase:~/mbsd/src/usr.bin/compress $ size /usr/lib/klibc/bin/gzip obj/compress textdata bss dec hex filename 258283016 316552 345396 54534 /usr/lib/klibc/bin/gzip 18802 04208 2301059e2 obj/compress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to klibc in Ubuntu. https://bugs.launchpad.net/bugs/1358762 Title: Included gzip 1.2.4 has several vulnerabilities Status in “klibc” package in Ubuntu: Confirmed Bug description: The included gzip version is quite old (version 1.2.4) and has several security vulnerabilities. Check http://web.nvd.nist.gov/view/vuln/search- results?adv_search=truecves=oncpe_version=cpe:/a:gnu:gzip:1.2.4 for example. I explicitly checked for CVE-2001-1228, which was not fixed by a patch in the klibc package, so I assume the other vulnerabilities are not fixed either. I think it would be a good idea to update the included gzip to a current version. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/klibc/+bug/1358762/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1358762] Re: Included gzip 1.2.4 has several vulnerabilities
As I mentioned in IRC: I can probably easily shave another 2½K off .text by removing stub support for multiple compressors and using the gzopen() API already shipped by klibc. Note that klibc bundles zlib 1.2.3 whereas even MirBSD has 1.2.8 already. That would also need updating. But at least, MirBSD compress uses zlib for gzip I/O instead of bundling its own inflate/deflate functions as GNU gzip does. All is 2-clause and 3-clause BSD and MIT licence. ** Also affects: klibc Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to klibc in Ubuntu. https://bugs.launchpad.net/bugs/1358762 Title: Included gzip 1.2.4 has several vulnerabilities Status in klibc: New Status in “klibc” package in Ubuntu: Confirmed Bug description: The included gzip version is quite old (version 1.2.4) and has several security vulnerabilities. Check http://web.nvd.nist.gov/view/vuln/search- results?adv_search=truecves=oncpe_version=cpe:/a:gnu:gzip:1.2.4 for example. I explicitly checked for CVE-2001-1228, which was not fixed by a patch in the klibc package, so I assume the other vulnerabilities are not fixed either. I think it would be a good idea to update the included gzip to a current version. To manage notifications about this bug go to: https://bugs.launchpad.net/klibc/+bug/1358762/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1358762] Re: Included gzip 1.2.4 has several vulnerabilities
** Information type changed from Private Security to Public Security ** Changed in: klibc (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to klibc in Ubuntu. https://bugs.launchpad.net/bugs/1358762 Title: Included gzip 1.2.4 has several vulnerabilities Status in “klibc” package in Ubuntu: Confirmed Bug description: The included gzip version is quite old (version 1.2.4) and has several security vulnerabilities. Check http://web.nvd.nist.gov/view/vuln/search- results?adv_search=truecves=oncpe_version=cpe:/a:gnu:gzip:1.2.4 for example. I explicitly checked for CVE-2001-1228, which was not fixed by a patch in the klibc package, so I assume the other vulnerabilities are not fixed either. I think it would be a good idea to update the included gzip to a current version. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/klibc/+bug/1358762/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp