Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!

Full Text Bug Listing

Hi there, an audit of ncompress version 4.2.4 uncovered a serious
security flaw, this loop in decompress() (~1749, compress42.c)
performs no bounds checking, allowing a specially crafted datastream
to underflow a .bss buffer with attacker controlled data. Some
research reveals that the lzw decompressors from gzip and openbsd
(both derived from the same public domain implementation) have already
corrected this flaw, however ncompress shipped by (at least) gentoo,
debian, fedora and suse seem to still be vulnerable.

               while ((cmp_code_int)code >= (cmp_code_int)256)
               { /* Generate output characters in reverse order */
                   *--stackp = tab_suffixof(code);
                   code = tab_prefixof(code);
               }

In my test environment I've been able to successfully overwirte .got
and .dtors with controlled data. The most simple testcase would be:

$ perl -e 'print "\x1f\x9d\x90","\x01"x"2048"' | compress -d

My suggested fix would be adding  `&& stackp >= htabof(0)` to the loop
condition.

As far as I'm aware, this package is no longer actively maintained by
any upstream author. If there are no objections, I'll suggest an
embargo date of Tuesday 8th August, 14:00 UTC.

Please credit "Tavis Ormandy, Google Security Team" on any advisory
relating to this issue.

Thanks, Tavis.

mhh vapier, this looks like something for you. can you provide new ebuilds?
thanks in advance

not really ... ncompress was put into the public domain long ago and has since
seen no updates and has no upstream

we'll need to fix this ourselves (or steal a fix from another distro) ...
pmasking/punting is not an acceptable solution

might also be worth noting that my dev-libs/liblzw package is also vuln as the
decompressing code in there is taken straight from ncompress

Mike: We have a fix for this one; I'll attach it here when it's finalized :)

I think this is public now though I haven't seen any advisories yet.

Ok, this is public? Tim, can you attach the fix you spoke about?

Vapier, any news on this one?

Vapier, any news on this one?

why would i have news ?  last comment here is from Tim saying he's going to be
posting the fix real soon now ... i dont have access to the lists where this
fix was discussed

Tim could you attach the fix here, I guess your mail from a few weeks back got
lost somewhere.

Tim could you attach the fix here, I guess your mail from a few weeks back got
lost somewhere.

[18:22] <plasmaroo> jaervosz: Tavis sent spanky the patch for that one

Vapier please bump.

isnt the unlzw code in gzip also vuln ?

(In reply to comment #12)
> isnt the unlzw code in gzip also vuln ?
> 

no.

because it has this change ?

             if (oldcode == -1) {
+                if (code >= 256) error("corrupt input.");
                 outbuf[outpos++] = (char_type)(finchar = (int)(oldcode=code));
                 continue;
             }

perhaps we should use this patch for our other things then ?

Sure, although I prefer the bounds checking approach, as any flaw discovered in
future will be rendered harmless. Either fix will be fine.

liblzw-0.1.1 now in portage

ncompress-4.2.4.1 now in portage

arches pls test app-arch/ncompress-4.2.4.1 and mark stable if possible

libzlw has not been stable on any arch anyways

Marked app-arch/ncompress-4.2.4.1 ppc64 stable

ppc stable

liblzw:
1.) emerges fine on x86
2.) passes collision test
3.) ncompress compiles with it

ncompress:
1.) emerges fine on x86
2.) passes collision test
3.) works

emerge --info
Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3,
2.6.18 i686)
=================================================================
System uname: 2.6.18 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.5
Last Sync: Fri, 29 Sep 2006 13:50:01 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.2.11-r1
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config
/usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/
/usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/
/usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks metadata-transfer
parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom
cli crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc
emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk
hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde
kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad
mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl
png ppds pppd python qt3 qt4 quicktime readline reflection rtsp samba sdl
session smp spell spl sse sse2 sse3 ssl svg tcpd tetex theora threads truetype
truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev
video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml
xorg xprint xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

ncompress stable on SPARC.  We don't have liblzw keywords so we haven't touched
that.

1. both emerge fine on amd64
2. both passed collision test
3. both passed multi-lib strict
4. compressed a file with ncompress and it worked fine, liblzw is ripped right
from ncompress so i would expect similar results

emerge --info follows
-----------------------------------------------------------------------------
Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3,
2.6.17-beyond4 x86_64)
=================================================================
System uname: 2.6.17-beyond4 x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.12.5
Last Sync: Mon, 02 Oct 2006 13:30:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -msse3 -march=k8 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -msse3 -march=k8 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer
multilib-strict sandbox sfperms strict test"
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo
http://gentoo.cites.uiuc.edu/pub/gentoo/ http://mirrors.acm.cs.rpi.edu/gentoo/"
LINGUAS="en en_US"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/overlays"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 X a52 aac acl acpi akobe alsa apache2 audiofile avi bash-completion
bcp berkdb bitmap-fonts bjam bogofilter boost branding bzip2 cairo cdr cli
crypt cscope cups curl dbus djbfft dlloader dri dssi dts dvd dvdr dvdread eds
elibc_glibc emboss encode exif expat exscalibar fam ffmpeg firefox flac
foo2zjs_devices_hp1020 foomaticdb fortran fpx ftp gd gdbm gif glitz glut gmp
gnokii gnome gnutls gphoto2 gpm graphviz gs gsl gstreamer gtk gtk2 guile hal
hash ieee1394 imlib input_devices_keyboard input_devices_mouse insecure-savers
ipv6 isdnlog jack jack-tmpfs jackmidi java jbig jpeg jpeg2k kernel_linux lapack
lash lcms ldap libg++ linguas_en linguas_en_US logitech-mouse mad mailwrapper
mikmod mono mp3 mp4 mpeg musicbrainz mysql ncurses network nls nptl nptlonly
nsplugin numeric offensive ogg openal openexr opengl pam pam_console pcre pda
pdf pdflib perl physfs png ppds pppd pwdb pyste python quicktime readline
reflection ruby samba sdl session speex spell spl sqlite ssl svg tcl tcpd
theora threads tidy tiff truetype truetype-fonts type1-fonts udev unicode
userland_GNU video_cards_nvidia visualization vorbis vst wmf xcomposite xine
xml xmms xorg xscreensaver xv xvid xvmc yahoo zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
PORTAGE_RSYNC_EXTRA_OPTS

amd64 done

x86 is stable yay ?_?

ncompress stable on alpha.  We don't have liblzw keywords so we haven't touched
that. Sorry for the delay.

Stable on hppa.

Thanks everybody

GLSA 200610-03