Home page logo

oss-sec logo oss-sec mailing list archives

Re: LZW decompression issues
From: Solar Designer <solar () openwall com>
Date: Thu, 29 Sep 2011 19:25:42 +0400

On Thu, Sep 29, 2011 at 02:50:22PM +0200, Joerg Sonnenberger wrote:
This is not about GNU (g)zip, but the NetBSD/FreeBSD tool of the same
name. The corresponding NetBSD advisory explicitly lists GNU gzip and
libarchive as not vulnerable.

Thanks!  My current understanding is that both the NetBSD/FreeBSD gzip
and GNU gzip reuse mid-1980's code from compress, which was in the
public domain.  Those revisions thus could use different licenses (BSD
vs. GPL), and indeed the code is quite different by now.  (Also there's
a lot of code that is not from compress.)

Tomas, Tim - thank you for explaining the "maxbits < 12" check.  It
appears that we don't need it for GNU gzip, and NetBSD/FreeBSD gzip
could want to relax the check too.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]