oss-security - Re: LZW decompression issues

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Thu, 29 Sep 2011 17:51:00 +0200
From: Tavis Ormandy <taviso@...xchg8b.com>
To: Joerg Sonnenberger <joerg@...tannica.bec.de>
Cc: Solar Designer <solar@...nwall.com>, oss-security@...ts.openwall.com,
	joerg@...bsd.org
Subject: Re: LZW decompression issues

On Thu, Sep 29, 2011 at 02:50:22PM +0200, Joerg Sonnenberger wrote:
> On Thu, Sep 29, 2011 at 04:38:08AM +0400, Solar Designer wrote:
> > Hi Tavis,
> > 
> > On Wed, Sep 28, 2011 at 08:42:56PM +0200, Tavis Ormandy wrote:
> > > I believe I wrote that patch,
> > 
> > I believe you wrote a different patch, or two:
> > 
> > http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/gzip/Attic/gzip-1.3.5-google-owl-bound.diff
> > http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/gzip/Attic/gzip-1.3.5-gentoo-huft_build-return.diff
> 
> This is not about GNU (g)zip, but the NetBSD/FreeBSD tool of the same
> name. The corresponding NetBSD advisory explicitly lists GNU gzip and
> libarchive as not vulnerable.
> 
> Joerg

I see, apologies for misunderstanding.

Tavis.

-- 
-------------------------------------
taviso@...xchg8b.com | pgp encrypted mail preferred
-------------------------------------------------------

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.