Vulnerable Versions: current version (4.2.4)
Risk: Low / Medium
Impact: Local Stack Buffer Overflow Vulnerability
Compress is a fast, simple LZW file compressor. Compress does not have
the highest compression rate, but it is one of the fastest programs to
compress data. Compress is the de facto standard in the UNIX community
for compressing files.
$ uncompress `perl -e 'print "A"x1080'`/tmp/testing
Segmentation fault (core dumped)
$ gdb --core ./core
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
Core was generated by `uncompress AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0 0x41414141 in ?? ()
(gdb) i r
eax 0x0 0
ecx 0x1000 4096
edx 0xf97 3991
ebx 0x41414141 1094795585
esp 0xbffff1d0 0xbffff1d0
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x41414141 0x41414141
eflags 0x10282 66178
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x0 0
As this program is not suid by default, there is no danger of privilege escalation.
Nevertheless, (un)compress is called remotely by at least amavisd-new and pure-ftpd.
An attacker could remotely exploit this vulnerability by sending a carefully crafted email attachment.
amavisd-new calls uncompress, the program will overflow - as a result, the attacker gains a remote shell.
Attached is a patch that fixes this problem.
Created attachment 41017
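The crash above is the classic shape of this bug class: an argv-derived filename copied into a fixed-size automatic array with no length check, so a 1080-byte argument overwrites the saved frame pointer and return address (hence ebp and eip both reading 0x41414141). The following is an added illustration of that pattern beside a bounds-checked version; it is not ncompress's own source, and the buffer size (100 bytes), the function names and the ".Z" suffix handling are assumptions made for the example. The long input is constructed in the code to mirror the perl one-liner in the report.

```c
/* Added illustration of the bug class in the report above: a fixed-size stack
 * buffer filled from a caller-controlled filename without a length check, next
 * to a bounds-checked version. Buffer size, names and the ".Z" suffix are
 * assumptions for the example, not ncompress's actual source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF 100          /* assumed size of the fixed automatic buffer */
#define SUFFIX   ".Z"

/* Vulnerable pattern: strcpy/strcat of an argv-derived name into a fixed
 * automatic array with no check. A 1080-byte argument writes past tmp[],
 * over the saved ebp and return address, which is why ebp/eip read
 * 0x41414141 in the gdb output above. Only call this with short input. */
static int build_name_unsafe(const char *in)
{
    char tmp[NAME_BUF];
    strcpy(tmp, in);          /* unbounded copy */
    strcat(tmp, SUFFIX);      /* unbounded append */
    return (int)strlen(tmp);
}

/* Does in + SUFFIX + NUL fit in a buffer of bufsz bytes? 1 yes, 0 no. */
static int name_fits(const char *in, size_t bufsz)
{
    size_t inlen = strlen(in);
    size_t need = inlen + strlen(SUFFIX) + 1;
    return need <= bufsz && need > inlen;   /* second clause guards wraparound */
}

/* Hardened version: check before the first write and use bounded copies.
 * Returns 0 on success, -1 if the name would not fit. */
static int build_name_safe(const char *in, char *out, size_t outsz)
{
    if (!name_fits(in, outsz))
        return -1;
    size_t inlen = strlen(in);
    memcpy(out, in, inlen);
    memcpy(out + inlen, SUFFIX, strlen(SUFFIX) + 1);   /* copies the NUL too */
    return 0;
}

/* Constructed input mirroring perl -e 'print "A"x1080' in the report:
 * n bytes of 'A'. Caller frees. */
static char *make_a_string(size_t n)
{
    char *s = malloc(n + 1);
    if (!s)
        abort();
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* Length of the hardened result for n 'A's, or -1 if the name is rejected. */
static int safe_len_for_as(size_t n)
{
    char out[NAME_BUF];
    char *name = make_a_string(n);
    int rc = build_name_safe(name, out, sizeof out);
    int len = (rc == 0) ? (int)strlen(out) : -1;
    free(name);
    return len;
}

int main(void)
{
    printf("short name via unsafe path: %d bytes\n", build_name_unsafe("testing"));
    printf("97 A's: %d, 98 A's: %d, 1080 A's: %d\n",
           safe_len_for_as(97), safe_len_for_as(98), safe_len_for_as(1080));
    return 0;
}
```

The point of the hardened version is that the size check happens before any byte is written and accounts for the suffix and terminating NUL, so 97 A's (97 + 2 + 1 = 100) is the last length accepted and 98 A's is refused; the 1080-byte argument from the report never reaches the copy. This is the kind of bounds checking on command-line arguments that the -r1 ebuild's ChangeLog entry later in this bug describes.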
This package has no metadata, and you were the last one to patch it. Could you please verify and apply this patch? Thanks!
Making this bug public since this vulnerability has already been published.
+*ncompress-4.2.4-r1 (06 Oct 2004)
+ 06 Oct 2004; <email@example.com> +metadata.xml, +ncompress-4.2.4-r1.ebuild:
+ This update adds bounds checking to command line options used by ncompress bug
+ #66251. Also minor code cleanups and bug fixes by using debian patch from
archs, please mark ncompress-4.2.4-r1 stable.
Stable on ppc. Example-test works.
Stable on alpha.
Stable for sparc. Runs tests for me.
stable on x86
stable on amd64
arm/hppa/ia64/s390 stable BABY
Ready for a GLSA. I would say one is needed if this is really exploitable through amavisd[-new] or pure-ftpd (i.e. if they accept and tunnel through uncompress arbitrary pathnames). If they don't (or if they filter length/characters, which they should do) then a GLSA isn't needed...
This is not exploitable through pure-ftpd (which uses uncompress only in the Makefile). Through amavisd-new, I'm not sure, but that would need to pass a very long file name that would probably break something else.
That said, uncompress has a real potential to be called remotely in user applications and the filename can very well be under the control of the attacker. I would say this needs a GLSA, so my vote goes for YES
Everyone agrees, we'll do one.
ppc64, please mark stable to benefit from glsa.
stable on ppc64, thanks!
*** Bug 107312 has been marked as a duplicate of this bug. ***