141728 2006-07-25 11:59 0000 {app-arch/ncompress|dev-libs/liblzw} 4.2.4 security flaw in decompression 2006-11-11 20:37:14 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B2 [glsa] DerCorny P2 normal --- 1 jaervosz@gentoo.org security@gentoo.org bernd@linx.net chainsaw@gentoo.org tcort@gentoo.org jaervosz@gentoo.org 2006-07-25 11:59:32 0000 Hi there, an audit of ncompress version 4.2.4 uncovered a serious security flaw, this loop in decompress() (~1749, compress42.c) performs no bounds checking, allowing a specially crafted datastream to underflow a .bss buffer with attacker controlled data. Some research reveals that the lzw decompressors from gzip and openbsd (both derived from the same public domain implementation) have already corrected this flaw, however ncompress shipped by (at least) gentoo, debian, fedora and suse seem to still be vulnerable. while ((cmp_code_int)code >= (cmp_code_int)256) { /* Generate output characters in reverse order */ *--stackp = tab_suffixof(code); code = tab_prefixof(code); } In my test environment I've been able to successfully overwirte .got and .dtors with controlled data. The most simple testcase would be: $ perl -e 'print "\x1f\x9d\x90","\x01"x"2048"' | compress -d My suggested fix would be adding `&& stackp >= htabof(0)` to the loop condition. As far as I'm aware, this package is no longer actively maintained by any upstream author. If there are no objections, I'll suggest an embargo date of Tuesday 8th August, 14:00 UTC. Please credit "Tavis Ormandy, Google Security Team" on any advisory relating to this issue. Thanks, Tavis. dercorny@gentoo.org 2006-07-25 12:14:38 0000 mhh vapier, this looks like something for you. can you provide new ebuilds? thanks in advance vapier@gentoo.org 2006-07-30 15:32:05 0000 not really ... ncompress was put into the public domain long ago and has since seen no updates and has no upstream we'll need to fix this ourselves (or steal a fix from another distro) ... pmasking/punting is not an acceptable solution might also be worth noting that my dev-libs/liblzw package is also vuln as the decompressing code in there is taken straight from ncompress plasmaroo@gentoo.org 2006-07-31 05:35:52 0000 Mike: We have a fix for this one; I'll attach it here when it's finalized :) jaervosz@gentoo.org 2006-08-09 11:42:15 0000 I think this is public now though I haven't seen any advisories yet. dercorny@gentoo.org 2006-08-10 00:25:50 0000 Ok, this is public? Tim, can you attach the fix you spoke about? jaervosz@gentoo.org 2006-09-05 06:19:03 0000 Vapier, any news on this one? jaervosz@gentoo.org 2006-09-13 23:17:47 0000 Vapier, any news on this one? vapier@gentoo.org 2006-09-21 06:30:42 0000 why would i have news ? last comment here is from Tim saying he's going to be posting the fix real soon now ... i dont have access to the lists where this fix was discussed jaervosz@gentoo.org 2006-09-21 23:54:13 0000 Tim could you attach the fix here, I guess your mail from a few weeks back got lost somewhere. jaervosz@gentoo.org 2006-09-26 09:27:18 0000 Tim could you attach the fix here, I guess your mail from a few weeks back got lost somewhere. jaervosz@gentoo.org 2006-09-26 09:40:53 0000 [18:22] <plasmaroo> jaervosz: Tavis sent spanky the patch for that one Vapier please bump. vapier@gentoo.org 2006-09-26 20:41:28 0000 isnt the unlzw code in gzip also vuln ? taviso@gentoo.org 2006-09-27 00:40:48 0000 (In reply to comment #12) > isnt the unlzw code in gzip also vuln ? > no. vapier@gentoo.org 2006-09-28 00:42:39 0000 because it has this change ? if (oldcode == -1) { + if (code >= 256) error("corrupt input."); outbuf[outpos++] = (char_type)(finchar = (int)(oldcode=code)); continue; } perhaps we should use this patch for our other things then ? taviso@gentoo.org 2006-09-28 01:02:37 0000 Sure, although I prefer the bounds checking approach, as any flaw discovered in future will be rendered harmless. Either fix will be fine. vapier@gentoo.org 2006-09-29 05:34:08 0000 liblzw-0.1.1 now in portage ncompress-4.2.4.1 now in portage vorlon@gentoo.org 2006-09-29 05:40:52 0000 arches pls test app-arch/ncompress-4.2.4.1 and mark stable if possible libzlw has not been stable on any arch anyways ranger@gentoo.org 2006-09-29 06:48:07 0000 Marked app-arch/ncompress-4.2.4.1 ppc64 stable dertobi123@gentoo.org 2006-09-29 07:10:53 0000 ppc stable maekke@gentoo.org 2006-09-29 09:19:10 0000 liblzw: 1.) emerges fine on x86 2.) passes collision test 3.) ncompress compiles with it ncompress: 1.) emerges fine on x86 2.) passes collision test 3.) works emerge --info Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.18 i686) ================================================================= System uname: 2.6.18 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz Gentoo Base System version 1.12.5 Last Sync: Fri, 29 Sep 2006 13:50:01 +0000 ccache version 2.3 [disabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.2.11-r1 dev-lang/python: 2.3.5-r3, 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r1 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LINGUAS="en de en_GB de_CH" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://192.168.2.1/gentoo-portage" USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY weeve@gentoo.org 2006-09-29 09:51:51 0000 ncompress stable on SPARC. We don't have liblzw keywords so we haven't touched that. bugs@thecleric.org 2006-10-02 07:25:05 0000 1. both emerge fine on amd64 2. both passed collision test 3. both passed multi-lib strict 4. compressed a file with ncompress and it worked fine, liblzw is ripped right from ncompress so i would expect similar results emerge --info follows ----------------------------------------------------------------------------- Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-beyond4 x86_64) ================================================================= System uname: 2.6.17-beyond4 x86_64 AMD Athlon(tm) 64 Processor 3200+ Gentoo Base System version 1.12.5 Last Sync: Mon, 02 Oct 2006 13:30:01 +0000 ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.3.7, 2.0.30 dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r4 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -msse3 -march=k8 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-O2 -msse3 -march=k8 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer multilib-strict sandbox sfperms strict test" GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo http://gentoo.cites.uiuc.edu/pub/gentoo/ http://mirrors.acm.cs.rpi.edu/gentoo/" LINGUAS="en en_US" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/overlays" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="amd64 X a52 aac acl acpi akobe alsa apache2 audiofile avi bash-completion bcp berkdb bitmap-fonts bjam bogofilter boost branding bzip2 cairo cdr cli crypt cscope cups curl dbus djbfft dlloader dri dssi dts dvd dvdr dvdread eds elibc_glibc emboss encode exif expat exscalibar fam ffmpeg firefox flac foo2zjs_devices_hp1020 foomaticdb fortran fpx ftp gd gdbm gif glitz glut gmp gnokii gnome gnutls gphoto2 gpm graphviz gs gsl gstreamer gtk gtk2 guile hal hash ieee1394 imlib input_devices_keyboard input_devices_mouse insecure-savers ipv6 isdnlog jack jack-tmpfs jackmidi java jbig jpeg jpeg2k kernel_linux lapack lash lcms ldap libg++ linguas_en linguas_en_US logitech-mouse mad mailwrapper mikmod mono mp3 mp4 mpeg musicbrainz mysql ncurses network nls nptl nptlonly nsplugin numeric offensive ogg openal openexr opengl pam pam_console pcre pda pdf pdflib perl physfs png ppds pppd pwdb pyste python quicktime readline reflection ruby samba sdl session speex spell spl sqlite ssl svg tcl tcpd theora threads tidy tiff truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_nvidia visualization vorbis vst wmf xcomposite xine xml xmms xorg xscreensaver xv xvid xvmc yahoo zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS dang@gentoo.org 2006-10-02 11:03:04 0000 amd64 done tsunam@gentoo.org 2006-10-02 20:56:22 0000 x86 is stable yay ?_? tcort@gentoo.org 2006-10-05 16:45:48 0000 ncompress stable on alpha. We don't have liblzw keywords so we haven't touched that. Sorry for the delay. gmsoft@gentoo.org 2006-10-06 09:47:32 0000 Stable on hppa. falco@gentoo.org 2006-10-06 11:40:10 0000 Thanks everybody GLSA 200610-03