Hi there, an audit of ncompress version 4.2.4 uncovered a serious security flaw, this loop in decompress() (~1749, compress42.c) performs no bounds checking, allowing a specially crafted datastream to underflow a .bss buffer with attacker controlled data. Some research reveals that the lzw decompressors from gzip and openbsd (both derived from the same public domain implementation) have already corrected this flaw, however ncompress shipped by (at least) gentoo, debian, fedora and suse seem to still be vulnerable. while ((cmp_code_int)code >= (cmp_code_int)256) { /* Generate output characters in reverse order */ *--stackp = tab_suffixof(code); code = tab_prefixof(code); } In my test environment I've been able to successfully overwirte .got and .dtors with controlled data. The most simple testcase would be: $ perl -e 'print "\x1f\x9d\x90","\x01"x"2048"' | compress -d My suggested fix would be adding `&& stackp >= htabof(0)` to the loop condition. As far as I'm aware, this package is no longer actively maintained by any upstream author. If there are no objections, I'll suggest an embargo date of Tuesday 8th August, 14:00 UTC. Please credit "Tavis Ormandy, Google Security Team" on any advisory relating to this issue. Thanks, Tavis.
mhh vapier, this looks like something for you. can you provide new ebuilds? thanks in advance
not really ... ncompress was put into the public domain long ago and has since seen no updates and has no upstream we'll need to fix this ourselves (or steal a fix from another distro) ... pmasking/punting is not an acceptable solution might also be worth noting that my dev-libs/liblzw package is also vuln as the decompressing code in there is taken straight from ncompress
Mike: We have a fix for this one; I'll attach it here when it's finalized :)
I think this is public now though I haven't seen any advisories yet.
Ok, this is public? Tim, can you attach the fix you spoke about?
Vapier, any news on this one?
why would i have news ? last comment here is from Tim saying he's going to be posting the fix real soon now ... i dont have access to the lists where this fix was discussed
Tim could you attach the fix here, I guess your mail from a few weeks back got lost somewhere.
[18:22] <plasmaroo> jaervosz: Tavis sent spanky the patch for that one Vapier please bump.
isnt the unlzw code in gzip also vuln ?
(In reply to comment #12) > isnt the unlzw code in gzip also vuln ? > no.
because it has this change ? if (oldcode == -1) { + if (code >= 256) error("corrupt input."); outbuf[outpos++] = (char_type)(finchar = (int)(oldcode=code)); continue; } perhaps we should use this patch for our other things then ?
Sure, although I prefer the bounds checking approach, as any flaw discovered in future will be rendered harmless. Either fix will be fine.
liblzw-0.1.1 now in portage ncompress-4.2.4.1 now in portage
arches pls test app-arch/ncompress-4.2.4.1 and mark stable if possible libzlw has not been stable on any arch anyways
Marked app-arch/ncompress-4.2.4.1 ppc64 stable
ppc stable
liblzw: 1.) emerges fine on x86 2.) passes collision test 3.) ncompress compiles with it ncompress: 1.) emerges fine on x86 2.) passes collision test 3.) works emerge --info Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.18 i686) ================================================================= System uname: 2.6.18 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz Gentoo Base System version 1.12.5 Last Sync: Fri, 29 Sep 2006 13:50:01 +0000 ccache version 2.3 [disabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.2.11-r1 dev-lang/python: 2.3.5-r3, 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r1 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LINGUAS="en de en_GB de_CH" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://192.168.2.1/gentoo-portage" USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
ncompress stable on SPARC. We don't have liblzw keywords so we haven't touched that.
1. both emerge fine on amd64 2. both passed collision test 3. both passed multi-lib strict 4. compressed a file with ncompress and it worked fine, liblzw is ripped right from ncompress so i would expect similar results emerge --info follows ----------------------------------------------------------------------------- Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-beyond4 x86_64) ================================================================= System uname: 2.6.17-beyond4 x86_64 AMD Athlon(tm) 64 Processor 3200+ Gentoo Base System version 1.12.5 Last Sync: Mon, 02 Oct 2006 13:30:01 +0000 ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.3.7, 2.0.30 dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r4 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -msse3 -march=k8 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-O2 -msse3 -march=k8 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer multilib-strict sandbox sfperms strict test" GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo http://gentoo.cites.uiuc.edu/pub/gentoo/ http://mirrors.acm.cs.rpi.edu/gentoo/" LINGUAS="en en_US" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/overlays" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="amd64 X a52 aac acl acpi akobe alsa apache2 audiofile avi bash-completion bcp berkdb bitmap-fonts bjam bogofilter boost branding bzip2 cairo cdr cli crypt cscope cups curl dbus djbfft dlloader dri dssi dts dvd dvdr dvdread eds elibc_glibc emboss encode exif expat exscalibar fam ffmpeg firefox flac foo2zjs_devices_hp1020 foomaticdb fortran fpx ftp gd gdbm gif glitz glut gmp gnokii gnome gnutls gphoto2 gpm graphviz gs gsl gstreamer gtk gtk2 guile hal hash ieee1394 imlib input_devices_keyboard input_devices_mouse insecure-savers ipv6 isdnlog jack jack-tmpfs jackmidi java jbig jpeg jpeg2k kernel_linux lapack lash lcms ldap libg++ linguas_en linguas_en_US logitech-mouse mad mailwrapper mikmod mono mp3 mp4 mpeg musicbrainz mysql ncurses network nls nptl nptlonly nsplugin numeric offensive ogg openal openexr opengl pam pam_console pcre pda pdf pdflib perl physfs png ppds pppd pwdb pyste python quicktime readline reflection ruby samba sdl session speex spell spl sqlite ssl svg tcl tcpd theora threads tidy tiff truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_nvidia visualization vorbis vst wmf xcomposite xine xml xmms xorg xscreensaver xv xvid xvmc yahoo zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
amd64 done
x86 is stable yay ?_?
ncompress stable on alpha. We don't have liblzw keywords so we haven't touched that. Sorry for the delay.
Stable on hppa.
Thanks everybody GLSA 200610-03