As I mentioned in IRC: I can probably easily shave another 2½K off .text
by removing stub support for multiple compressors and using the gzopen()
API already shipped by klibc.

Note that klibc bundles zlib 1.2.3 whereas even MirBSD has 1.2.8
already. That would also need updating. But at least, MirBSD compress
uses zlib for gzip I/O instead of bundling its own inflate/deflate
functions as GNU gzip does.

All is 2-clause and 3-clause BSD and MIT licence.

** Also affects: klibc
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/1358762

Title:
  Included gzip 1.2.4 has several vulnerabilities

Status in klibc:
  New
Status in “klibc” package in Ubuntu:
  Confirmed

Bug description:
  The included gzip version is quite old (version 1.2.4) and has several
  security vulnerabilities.

  Check
  http://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe:/a:gnu:gzip:1.2.4
  for example.

  I explicitly checked for CVE-2001-1228, which was not fixed by a patch
  in the klibc package, so I assume the other vulnerabilities are not
  fixed either.

  I think it would be a good idea to update the included gzip to a
  current version.
