Bugzilla Bug 66251

Program: compress
Homepage: ftp://ftp.leo.org/pub/comp/os/unix/linux/sunsite/utils/compress/
Vulnerable Versions: current version (4.2.4)
Risk: Low / Medium
Impact: Local Stack Buffer Overflow Vulnerability

- DESCRIPTION

 Compress is a fast, simple LZW file compressor.  Compress does not have
the highest compression rate, but it is one of the fastest programs to
compress data.  Compress is the defacto standard in the UNIX community
for compressing files.

- EXAMPLE

$ uncompress `perl -e 'print "A"x1080'`/tmp/testing
Segmentation fault (core dumped)

$ gdb --core ./core
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
Core was generated by `uncompress AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0x41414141 in ?? ()
(gdb) i r
eax            0x0      0
ecx            0x1000   4096
edx            0xf97    3991
ebx            0x41414141       1094795585
esp            0xbffff1d0       0xbffff1d0
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41414141       0x41414141
eflags         0x10282  66178
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x0      0
(gdb)

as this program is not suid per default, there is no danger of privilege escalation.
nevertheless, (un)compress is called remote by at least amavisd-new and pure-ftpd.
an attacker could remote-exploit this vulnerability by sending an carefully crafted email attachment.
amavisd-new calls uncompress, the program will overflow - as a result, attacker gains a remote shell.

attached is a patch, that fixes this problem.

best regards,
florian

Created an attachment (id=41017) [edit]
patch

lv, 

This package has no metadata, and you were the last one to patch it.  Could you please verify and apply this patch?  Thanks!

Making this bug public since this vulnerability has already been published.

+*ncompress-4.2.4-r1 (06 Oct 2004)
+
+  06 Oct 2004; <solar@gentoo.org> +metadata.xml, +ncompress-4.2.4-r1.ebuild:
+  This update adds bounds checking to command line options used by ncompress bug
+  #66251. Also minor clode cleanups and a bugfixes by using debian patch from
+  http://packages.qa.debian.org/n/ncompress.html

archs, please mark ncompress-4.2.4-r1 stable.

Stable on ppc.  Example-test works.

Stable on alpha.

Stable for sparc. Runs tests for me.

stable on x86

stable on amd64

arm/hppa/ia64/s390 stable BABY

mips stable

Ready for a GLSA. I would say one is needed if this is really exploitable
through amavisd[-new] or pure-ftpd (i.e. if they accept and tunnel through
uncompress arbitrary pathnames). If they don't (or if they filter
length/characters, which they should do) then a GLSA isn't needed...

This is not exploitable through pure-ftpd (which uses uncompress only in the
Makefile). Through amavisd-new, I'm not sure, but that would need to pass a
very long file name that would probably break something else.

That said, uncompress has a real potential to be called remotely in user
applications and the filename can very well be under the control of the
attacker. I would say this needs a GLSA, so my vote goes for YES

Everyone agrees, we'll do one.

GLSA 200410-08

ppc64, please mark stable to benefit from glsa.

stable on ppc64, thanks!

*** Bug 107312 has been marked as a duplicate of this bug. ***