Debian Security Advisory

DSA-100-1 gzip -- Potential buffer overflow

Date Reported:

13 Jan 2002

Affected Packages:

gzip

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2001-1228.

More information:

GOBBLES found a buffer overflow in gzip that occurs when compressing files with really long filenames. Even though GOBBLES claims to have developed an exploit to take advantage of this bug, it has been said by others that this problem is not likely to be exploitable as other security incidents.

Additionally, the Debian version of gzip from the stable release does not segfault, and hence does not directly inherit this problem. However, better be safe than sorry, so we have prepared an update for you.

Please make sure you are running an up-to-date version from stable/unstable/testing with at least version 1.2.4-33.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:: http://security.debian.org/dists/stable/updates/main/source/gzip_1.2.4-33.1.diff.gz; http://security.debian.org/dists/stable/updates/main/source/gzip_1.2.4-33.1.dsc; http://security.debian.org/dists/stable/updates/main/source/gzip_1.2.4.orig.tar.gz
Alpha:: http://security.debian.org/dists/stable/updates/main/binary-alpha/gzip_1.2.4-33.1_alpha.deb
ARM:: http://security.debian.org/dists/stable/updates/main/binary-arm/gzip_1.2.4-33.1_arm.deb
Intel ia32:: http://security.debian.org/dists/stable/updates/main/binary-i386/gzip_1.2.4-33.1_i386.deb
Motorola 680x0:: http://security.debian.org/dists/stable/updates/main/binary-m68k/gzip_1.2.4-33.1_m68k.deb
PowerPC:: http://security.debian.org/dists/stable/updates/main/binary-powerpc/gzip_1.2.4-33.1_powerpc.deb
Sun Sparc:: http://security.debian.org/dists/stable/updates/main/binary-sparc/gzip_1.2.4-33.1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.