RHSA-2006:0667-01 Moderate: gzip security update
Posted on: 09/19/2006 03:40 PM

A new update is available for Red Hat Enterprise Linux. Here is the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Moderate: gzip security update
Advisory ID: RHSA-2006:0667-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2006-0667.html
Issue date: 2006-09-19
Updated on: 2006-09-19
Product: Red Hat Enterprise Linux
CVE Names: CVE-2006-4334 CVE-2006-4335 CVE-2006-4336
CVE-2006-4337 CVE-2006-4338
- ---------------------------------------------------------------------

1. Summary:

Updated gzip packages that fix several security issues are now available
for Red Hat Enterprise Linux.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

The gzip package contains the GNU gzip data compression program.

Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash. (CVE-2006-4334, CVE-2006-4338)

Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code. (CVE-2006-4335, CVE-2006-4336, CVE-2006-4337)

Users of gzip should upgrade to these updated packages, which contain a
backported patch and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
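As an added example that is not part of the advisory or Red Hat's tooling, the following script checks whether the gzip package installed on a RHEL 2.1/3/4 host is at or above the fixed builds this advisory ships (gzip-1.3-19.rhel2, gzip-1.3.3-13.rhel3, gzip-1.3.3-16.rhel4). It assumes `rpm -q gzip` is available on the host, and its version comparison is a simplified form of rpmvercmp that compares numeric segments as integers.

```python
import re
import subprocess

# Fixed gzip builds per RHEL dist tag, taken from the advisory's package list.
FIXED = {
    "rhel2": ("1.3", "19"),    # RHEL 2.1 and Advanced Workstation 2.1
    "rhel3": ("1.3.3", "13"),  # RHEL 3 and Red Hat Desktop 3
    "rhel4": ("1.3.3", "16"),  # RHEL 4
}
_NVR = re.compile(r"^(.+)-([^-]+)-([^-]+?)\.(rhel\d)(?:\.[\w]+)?$")

def _segments(s):
    """Split a version/release string into integer and alphabetic runs."""
    return [int(x) if x.isdigit() else x
            for x in re.findall(r"[0-9]+|[A-Za-z]+", s)]

def vercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1; '2' sorts before '13'."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if type(x) is not type(y):
            return 1 if isinstance(x, int) else -1  # numeric beats alpha
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvr(nvr):
    """Split 'gzip-1.3.3-13.rhel3' (optionally '.i386' etc.) into parts."""
    m = _NVR.match(nvr.strip())
    if not m:
        raise ValueError("unexpected package string: %r" % nvr)
    return m.groups()  # (name, version, release, dist)

def is_fixed(nvr):
    """True if this gzip package is at or above the advisory's fixed build."""
    name, version, release, dist = parse_nvr(nvr)
    if name != "gzip" or dist not in FIXED:
        raise ValueError("not a RHEL 2.1/3/4 gzip package: %r" % nvr)
    fixed_version, fixed_release = FIXED[dist]
    c = vercmp(version, fixed_version)
    return c > 0 if c != 0 else vercmp(release, fixed_release) >= 0

if __name__ == "__main__":
    # On the host itself: query the installed package and report its status.
    installed = subprocess.check_output(["rpm", "-q", "gzip"]).decode().strip()
    print(installed, "OK" if is_fixed(installed) else "VULNERABLE: apply RHSA-2006:0667")
```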

5. Bug IDs fixed (http://bugzilla.redhat.com/):

204676 - CVE-2006-4334 gzip multiple issues (CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338)

6. RPMs required:


These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2006 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFFEAA1XlSAg2UNWIIRAvG5AJ4oZQZ2xO3zuhilGIgpiiDdv3XoeQCfSovS
A3KNuhoEQQgU2vWQZq8kOrM=
=JxrA
-----END PGP SIGNATURE-----