Bug 66251 - buffer overflow in app-arch/ncompress
Summary: buffer overflow in app-arch/ncompress
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://www.kb.cert.org/vuls/id/176363
Whiteboard: A? [glsa] lewk
Keywords:
Depends on:
Blocks:
 
Reported: 2004-10-03 14:11 UTC by Florian Schilhabel (RETIRED)
Modified: 2011-10-30 22:38 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
patch (secpatch-compress.diff, 362 bytes, patch)
2004-10-03 14:12 UTC, Florian Schilhabel (RETIRED)

Description Florian Schilhabel (RETIRED) gentoo-dev 2004-10-03 14:11:32 UTC
Program: compress
Homepage: ftp://ftp.leo.org/pub/comp/os/unix/linux/sunsite/utils/compress/
Vulnerable Versions: current version (4.2.4)
Risk: Low / Medium
Impact: Local Stack Buffer Overflow Vulnerability

- DESCRIPTION

Compress is a fast, simple LZW file compressor.  Compress does not have
the highest compression rate, but it is one of the fastest programs to
compress data.  Compress is the de facto standard in the UNIX community
for compressing files.

- EXAMPLE

$ uncompress `perl -e 'print "A"x1080'`/tmp/testing
Segmentation fault (core dumped)

$ gdb --core ./core
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
Core was generated by `uncompress AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0x41414141 in ?? ()
(gdb) i r
eax            0x0      0
ecx            0x1000   4096
edx            0xf97    3991
ebx            0x41414141       1094795585
esp            0xbffff1d0       0xbffff1d0
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41414141       0x41414141
eflags         0x10282  66178
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x0      0
(gdb)

As this program is not suid by default, there is no danger of privilege escalation.
Nevertheless, (un)compress is called remotely by at least amavisd-new and pure-ftpd.
An attacker could remote-exploit this vulnerability by sending a carefully crafted email attachment.
amavisd-new calls uncompress, the program will overflow - as a result, the attacker gains a remote shell.

Attached is a patch that fixes this problem.

Best regards,
Florian
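As an added illustration (not ncompress source and not the attached patch), here is the unbounded-copy pattern the report describes beside a bounds-checked replacement of the kind the fix adds. NAME_BUF, build_input_name and check_filename_arg are assumed names, and the buffer size is assumed; the bug does not state the real one.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 1024   /* assumed size for illustration, not the size in compress.c */

/* Vulnerable pattern the report describes (comment only, never executed):
 * an unbounded copy of the argv filename into a stack buffer, then the ".Z"
 * suffix appended. A ~1080-byte argument runs past the buffer and over the
 * saved return address (eip = 0x41414141 in the gdb session above).
 *
 *   char tempname[NAME_BUF];
 *   strcpy(tempname, arg);
 *   strcat(tempname, ".Z");
 */

/* Hardened form: bound the scan and the copy, and reserve room for the suffix
 * and the terminating NUL. Returns 0 and fills out on success, -1 if the
 * argument would not fit; nothing is written to out on failure. */
int build_input_name(char *out, size_t outsz, const char *arg, const char *suffix)
{
    const char *end = memchr(arg, '\0', outsz); /* never scan past outsz bytes */
    size_t s = strlen(suffix);
    if (end == NULL)                 /* no NUL within outsz: definitely too long */
        return -1;
    size_t n = (size_t)(end - arg);
    if (n + s + 1 > outsz)           /* name + suffix + NUL must all fit */
        return -1;
    memcpy(out, arg, n);
    memcpy(out + n, suffix, s + 1);  /* s + 1 copies the NUL as well */
    return 0;
}

/* Mirrors the original call site with a NAME_BUF-sized stack buffer:
 * 0 if the argument is accepted, -1 if it would have overflowed. */
int check_filename_arg(const char *arg)
{
    char tempname[NAME_BUF];
    return build_input_name(tempname, sizeof tempname, arg, ".Z");
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s file\n", argv[0]); return 2; }
    if (check_filename_arg(argv[1]) != 0) {
        fprintf(stderr, "%s: filename too long, refusing\n", argv[0]);
        return 1;
    }
    return 0;
}
```

Run with a 1080-byte argument as in the report and the hardened version refuses the name instead of crashing.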
Comment 1 Florian Schilhabel (RETIRED) gentoo-dev 2004-10-03 14:12:34 UTC
Created attachment 41017 [details, diff]
patch
Comment 2 Luke Macken (RETIRED) gentoo-dev 2004-10-03 16:35:09 UTC
lv, 

This package has no metadata, and you were the last one to patch it.  Could you please verify and apply this patch?  Thanks!
Comment 3 Luke Macken (RETIRED) gentoo-dev 2004-10-03 20:25:53 UTC
Making this bug public since this vulnerability has already been published.
Comment 4 solar (RETIRED) gentoo-dev 2004-10-06 20:38:34 UTC
+*ncompress-4.2.4-r1 (06 Oct 2004)
+
+  06 Oct 2004; <solar@gentoo.org> +metadata.xml, +ncompress-4.2.4-r1.ebuild:
+  This update adds bounds checking to command line options used by ncompress bug
+  #66251. Also minor clode cleanups and a bugfixes by using debian patch from
+  http://packages.qa.debian.org/n/ncompress.html
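Review bot: the ChangeLog entry has two typos ("clode cleanups" for "code cleanups", "a bugfixes" for "bugfixes"), and it points at the Debian package overview page rather than the specific Debian revision or patch file applied, so the exact bounds check that was picked up cannot be traced from the entry; name the Debian revision or the patch file added to the ebuild alongside bug #66251.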
Comment 5 Luke Macken (RETIRED) gentoo-dev 2004-10-06 20:47:31 UTC
archs, please mark ncompress-4.2.4-r1 stable.
Comment 6 Lars Weiler (RETIRED) gentoo-dev 2004-10-06 22:06:56 UTC
Stable on ppc.  Example-test works.
Comment 7 Bryan Østergaard (RETIRED) gentoo-dev 2004-10-07 03:29:26 UTC
Stable on alpha.
Comment 8 Ferris McCormick (RETIRED) gentoo-dev 2004-10-07 04:51:02 UTC
Stable for sparc. Runs tests for me.
Comment 9 Olivier Crete (RETIRED) gentoo-dev 2004-10-07 05:54:25 UTC
stable on x86
Comment 10 Jeremy Huddleston (RETIRED) gentoo-dev 2004-10-07 14:48:14 UTC
stable on amd64
Comment 11 SpanKY gentoo-dev 2004-10-07 17:48:46 UTC
arm/hppa/ia64/s390 stable BABY
Comment 12 SpanKY gentoo-dev 2004-10-07 18:31:33 UTC
mips stable
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-10-08 00:46:32 UTC
Ready for a GLSA. I would say one is needed if this is really exploitable through amavisd[-new] or pure-ftpd (i.e. if they accept and tunnel through uncompress arbitrary pathnames). If they don't (or if they filter length/characters, which they should do) then a GLSA isn't needed...
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-10-08 11:33:12 UTC
This is not exploitable through pure-ftpd (which uses uncompress only in the Makefile). Through amavisd-new, I'm not sure, but that would need to pass a very long file name that would probably break something else.

That said, uncompress has a real potential to be called remotely in user applications and the filename can very well be under the control of the attacker. I would say this needs a GLSA, so my vote goes for YES
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-10-08 11:50:34 UTC
Everyone agrees, we'll do one.
Comment 16 Luke Macken (RETIRED) gentoo-dev 2004-10-09 11:44:25 UTC
GLSA 200410-08

ppc64, please mark stable to benefit from glsa.
Comment 17 Tom Gall (RETIRED) gentoo-dev 2004-10-09 19:29:26 UTC
stable on ppc64, thanks!
Comment 18 Carsten Lohrke (RETIRED) gentoo-dev 2005-09-26 12:15:16 UTC
*** Bug 107312 has been marked as a duplicate of this bug. ***