GZip Long File Name Buffer Overflow Vulnerability

Solution:
The following patch has been offered by greg <gregn@dekode.org> to fix the vulnerability:

--- gzip.c Thu Aug 19 09:39:43 1993
+++ gzip-fix.c Sun Dec 30 13:57:44 2001
@@ -1006,7 +1006,7 @@
char *dot; /* pointer to ifname extension, or NULL */
#endif

- strcpy(ifname, iname);
+ strncpy(ifname, iname, sizeof(ifname) - 1);

/* If input file exists, return OK. */
if (do_stat(ifname, sbuf) == 0) return OK;
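Review bot: the replacement `strncpy(ifname, iname, sizeof(ifname) - 1);` bounds the copy but neither terminates the result nor rejects a name that does not fit. strncpy writes no NUL when `iname` has `sizeof(ifname) - 1` or more characters, so `ifname` is a valid string only if its last byte already happens to be zero, which nothing in this hunk guarantees. The silently truncated name is then passed straight to `do_stat(ifname, sbuf)`, so the function can return OK for a different file than the one requested. Suggest comparing `strlen(iname)` against `sizeof(ifname)` before the copy and failing with an error for over-long names, or at minimum setting `ifname[sizeof(ifname) - 1] = '\0'` after it. The bound is also only correct if `ifname` is an array at this point; for a pointer, `sizeof` yields the pointer size.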
@@ -1683,7 +1683,7 @@
}
len = strlen(dir);
if (len + NLENGTH(dp) + 1 < MAX_PATH_LEN - 1) {
- strcpy(nbuf,dir);
+ strncpy(nbuf, dir, sizeof(nbuf) - 1);
if (len != 0 /* dir = "" means current dir on Amiga */
#ifdef PATH_SEP2
&& dir[len-1] != PATH_SEP2
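Review bot: the copy into `nbuf` sits inside `if (len + NLENGTH(dp) + 1 < MAX_PATH_LEN - 1)`, so the guard is written in terms of MAX_PATH_LEN while the new bound is `sizeof(nbuf) - 1`, and the two are not tied together. If `nbuf` holds MAX_PATH_LEN bytes, the guard already keeps `dir` within bounds and this change is defensive only. If `nbuf` is smaller, strncpy truncates without writing a NUL, and `len`, which was computed as `strlen(dir)`, no longer describes what is in `nbuf`. Suggest using the same bound in both places (test against `sizeof(nbuf)` in the guard) and terminating explicitly with `nbuf[sizeof(nbuf) - 1] = '\0'` after the copy.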

Various vendor-supplied fixes have been made available.


GNU gzip 1.2.4

GNU gzip 1.2.4 a


 

Copyright 2010, SecurityFocus