Index: /trunk/server/common/patches/gzip-cve-2009-2624.patch
===================================================================
--- /trunk/server/common/patches/gzip-cve-2009-2624.patch	(revision 1433)
+++ /trunk/server/common/patches/gzip-cve-2009-2624.patch	(revision 1433)
@@ -0,0 +1,20 @@
+--- inflate.c.orig	2010-01-21 05:31:35.000000000 -0500
++++ inflate.c	2010-01-21 05:31:43.000000000 -0500
+@@ -335,13 +335,15 @@
+   } while (--i);
+   if (c[0] == n)                /* null input--all zero length codes */
+   {
+-    q = (struct huft *) malloc (2 * sizeof *q);
++    q = (struct huft *) malloc (3 * sizeof *q);
+     if (!q)
+       return 3;
+-    hufts += 2;
++    hufts += 3;
+     q[0].v.t = (struct huft *) NULL;
+     q[1].e = 99;    /* invalid code marker */
+     q[1].b = 1;
++    q[2].e = 99;    /* invalid code marker */
++    q[2].b = 1;
+     *t = q + 1;
+     *m = 1;
+     return 0;
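Review bot: The new patch file begins directly at the `--- inflate.c.orig` header with no description, so nothing records where the fix came from or why the null-input table grows from two to three entries; gzip-cve-2010-0001.patch has the same gap. A short header above the diff, such as `# CVE-2009-2624: null-input table needs two valid entries after the link slot; source: <upstream commit or advisory URL>`, would let a later rebase check whether the distro package already carries the fix. The reason can be read from the hunk, though only by inference: `*t = q + 1` with `*m = 1` presumably means a one-bit lookup, so both `q[1]` and `q[2]` must hold the invalid-code marker, and the old two-element allocation left `q[2]` outside the buffer. The enclosing function starts and ends outside the hunk.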
Index: /trunk/server/common/patches/gzip-cve-2010-0001.patch
===================================================================
--- /trunk/server/common/patches/gzip-cve-2010-0001.patch	(revision 1433)
+++ /trunk/server/common/patches/gzip-cve-2010-0001.patch	(revision 1433)
@@ -0,0 +1,12 @@
+--- unlzw.c.orig	2010-01-21 05:23:53.000000000 -0500
++++ unlzw.c	2010-01-21 05:25:51.000000000 -0500
+@@ -248,7 +248,8 @@
+ 	int  o;
+ 
+     resetbuf:
+-	e = insize-(o = (posbits>>3));
++	o = posbits >> 3;
++	e = o <= insize ? insize - o : 0;
+ 
+ 	for (i = 0 ; i < e ; ++i) {
+ 	    inbuf[i] = inbuf[i+o];
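Review bot: The guard `e = o <= insize ? insize - o : 0;` compares `int o` with `insize`, whose declaration is outside the hunk; if `insize` is unsigned, the comparison and the subtraction are both done in unsigned arithmetic, which is worth confirming for a negative `o`. The line also needs a why-comment so a later cleanup does not fold it back into the old one-liner, for example `/* o can exceed insize on a malformed stream; clamp so e never goes negative or wraps */`. Clamping to 0 skips the copy loop but does not mark the stream as corrupt, so it is worth checking that the code after the hunk rejects such input instead of continuing to decode. The `resetbuf:` block continues past the last line shown.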
Index: /trunk/server/fedora/Makefile
===================================================================
--- /trunk/server/fedora/Makefile	(revision 1432)
+++ /trunk/server/fedora/Makefile	(revision 1433)
@@ -19,5 +19,5 @@
 # See /COPYRIGHT in this repository for more information.
 
-upstream_yum	= krb5 krb5.i586 httpd openssh
+upstream_yum	= krb5 krb5.i586 httpd openssh gzip
 upstream	= openafs $(upstream_yum) moira
 oursrc		= execsys tokensys accountadm httpdmods logview sql-signup nss_nonlocal nss_nonlocal.i586 whoisd mit-zephyr athrun php_scripts scripts-base
Index: /trunk/server/fedora/specs/gzip.spec.patch
===================================================================
--- /trunk/server/fedora/specs/gzip.spec.patch	(revision 1433)
+++ /trunk/server/fedora/specs/gzip.spec.patch	(revision 1433)
@@ -0,0 +1,40 @@
+--- gzip.spec.orig	2010-01-21 05:33:38.000000000 -0500
++++ gzip.spec	2010-01-21 05:37:54.000000000 -0500
+@@ -1,7 +1,7 @@
+ Summary: The GNU data compression program
+ Name: gzip
+ Version: 1.3.12
+-Release: 9%{?dist}
++Release: 9.scripts.%{scriptsversion}%{?dist}
+ # info pages are under GFDL license
+ License: GPLv2 and GFDL
+ Group: Applications/File
+@@ -17,6 +17,8 @@
+ Patch16: gzip-1.3.5-cve-2006-4337_len.patch
+ Patch17: gzip-1.3.12-futimens.patch
+ Patch18: gzip-1.3.12-zdiff.patch
++Patch100: gzip-cve-2009-2624.patch
++Patch101: gzip-cve-2010-0001.patch
+ URL: http://www.gzip.org/
+ Requires: /sbin/install-info
+ Requires: mktemp less
+@@ -43,6 +45,8 @@
+ %patch16 -p1 -b .4337l
+ %patch17 -p1 -b .futimens
+ %patch18 -p1 -b .ret
++%patch100 -p0 -b .cve-2009-2624
++%patch101 -p0 -b .cve-2010-0001
+ %build
+ export DEFS="NO_ASM"
+ export CPPFLAGS="-DHAVE_LSTAT"
+@@ -89,6 +93,10 @@
+ %{_infodir}/gzip.info*
+ 
+ %changelog
++* Thu Jan 21 2010 Mitchell Berger <mitchb@mit.edu> 1.3.12-9.scripts.1432
++- Add patch for CVE-2009-2624
++- Add patch for CVE-2010-0001
++
+ * Fri Mar 13 2009 Ivana Varekova <varekova@redhat.com> - 1.3.12-9
+ - fix #484213 - zdiff shows no output
+ 
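Review bot: The added `%changelog` entry hard-codes `1.3.12-9.scripts.1432`, while the Release tag is now `9.scripts.%{scriptsversion}%{?dist}` and this change is committed as revision 1433, so the entry will probably not match the release that is actually built. If `%{scriptsversion}` expands to the repository revision (its definition is not shown here), the number goes stale on every rebuild. Leaving the revision out, `* Thu Jan 21 2010 Mitchell Berger <mitchb@mit.edu> - 1.3.12-9.scripts`, avoids recording a wrong build in the audit trail for two CVE fixes. The entry also omits the ` - ` separator before the version that the existing entry below it uses.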
