X-Git-Url: https://git.gag.com/?a=blobdiff_plain;f=NEWS;h=8370882e59e5fd3dbb29962fced190b55620ab5d;hb=4837ea600b0c15289ae734a0591e2dec5f2c1ede;hp=c24dd3adc3c2ee6cc03d1824b20557975128e01f;hpb=c7e61475680fa226bd9b8bdd469cd66914e630f5;p=debian%2Fgzip

diff --git a/NEWS b/NEWS
index c24dd3a..8370882 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,21 @@
 GNU gzip NEWS                                    -*- outline -*-
 
+* Noteworthy changes in release 1.4 (2010-01-20) [stable]
+
+** Bug fixes
+
+  gzip -d could segfault and/or clobber the stack, possibly leading to
+  arbitrary code execution.  This affects x86_64 but not 32-bit systems.
+  This fixes CVE-2010-0001.
+  For more details, see http://bugzilla.redhat.com/554418
+
+  gzip -d would fail with a CRC error for some valid inputs.
+  So far, the only valid input known to exhibit this failure was
+  compressed "from FAT filesystem (MS-DOS, OS/2, NT)".  In addition,
+  to trigger the failure, your memcpy implementation must copy in
+  the "reverse" order.
+
+
 * Noteworthy changes in release 1.3.14 (2009-10-30) [beta]
 
 ** Bug fixes
@@ -367,7 +383,8 @@ Major changes form 0.5 to 0.6:
 
 ========================================================================
 
-Copyright (C) 1999, 2001-2002, 2006-2007, 2009 Free Software Foundation, Inc.
+Copyright (C) 1999, 2001-2002, 2006-2007, 2009-2010 Free Software Foundation,
+Inc.
 Copyright (C) 1992, 1993 Jean-loup Gailly
 
 Permission is granted to copy, distribute and/or modify this document