Request 968010: Submit gzip - openSUSE Build Service

This request supersedes: request 903201 (Show diff), request 917987 (Show diff)

Overview

Request 968010 accepted

- update to 1.12 (CVE-2022-1271,bsc#1198062):
* 'gzip -l' no longer misreports file lengths 4 GiB and larger.
Previously, 'gzip -l' output the 32-bit value stored in the gzip
header even though that is the uncompressed length modulo 2**32.
Now, 'gzip -l' calculates the uncompressed length by decompressing
the data and counting the resulting bytes. Although this can take
much more time, nowadays the correctness pros seem to outweigh the
performance cons.
* 'zless' is no longer installed on platforms lacking 'less'.
* zgrep applied to a crafted file name with two or more newlines
can no longer overwrite an arbitrary, attacker-selected file.
[bug introduced in gzip-1.3.10]
* zgrep now names input file on error instead of mislabeling it as
"(standard input)", if grep supports the GNU -H and --label options.
* 'zdiff -C 5' no longer misbehaves by treating '5' as a file name.
* Configure-time options like --program-prefix now work.
- refresh zdiff.diff, zgrep.diff, zmore.diff

Created by msmeissn about 2 years ago
In state accepted
Supersedes 903201 917987

Submit gzip

Comments for request 968010 0

Login required, please login in order to comment

Request History

msmeissn created request about 2 years ago

- update to 1.12 (CVE-2022-1271,bsc#1198062):
* 'gzip -l' no longer misreports file lengths 4 GiB and larger.
Previously, 'gzip -l' output the 32-bit value stored in the gzip
header even though that is the uncompressed length modulo 2**32.
Now, 'gzip -l' calculates the uncompressed length by decompressing
the data and counting the resulting bytes. Although this can take
much more time, nowadays the correctness pros seem to outweigh the
performance cons.
* 'zless' is no longer installed on platforms lacking 'less'.
* zgrep applied to a crafted file name with two or more newlines
can no longer overwrite an arbitrary, attacker-selected file.
[bug introduced in gzip-1.3.10]
* zgrep now names input file on error instead of mislabeling it as
"(standard input)", if grep supports the GNU -H and --label options.
* 'zdiff -C 5' no longer misbehaves by treating '5' as a file name.
* Configure-time options like --program-prefix now work.
- refresh zdiff.diff, zgrep.diff, zmore.diff

factory-auto added opensuse-review-team as a reviewer about 2 years ago

Please review sources

factory-auto accepted review about 2 years ago

Check script succeeded

licensedigger accepted review about 2 years ago

The legal review is accepted preliminary. The package may require actions later on.

jengelh accepted review about 2 years ago

dimstar_suse set openSUSE:Factory:Staging:A as a staging project about 2 years ago

Being evaluated by staging project "openSUSE:Factory:Staging:A"

dimstar_suse accepted review about 2 years ago

Picked "openSUSE:Factory:Staging:A"

dimstar_suse accepted review about 2 years ago

Staging Project openSUSE:Factory:Staging:A got accepted.

dimstar_suse approved review about 2 years ago

Staging Project openSUSE:Factory:Staging:A got accepted.

dimstar_suse accepted request about 2 years ago

Staging Project openSUSE:Factory:Staging:A got accepted.

openSUSE Build Service is sponsored by