Program: compress
Homepage: ftp://ftp.leo.org/pub/comp/os/unix/linux/sunsite/utils/compress/
Vulnerable Versions: current version (4.2.4)
Risk: Low / Medium
Impact: Local Stack Buffer Overflow Vulnerability

- DESCRIPTION

Compress is a fast, simple LZW file compressor. Compress does not have the highest compression rate, but it is one of the fastest programs to compress data. Compress is the de facto standard in the UNIX community for compressing files.

- EXAMPLE

$ uncompress `perl -e 'print "A"x1080'`/tmp/testing
Segmentation fault (core dumped)
$ gdb --core ./core
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
Core was generated by `uncompress AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0x41414141 in ?? ()
(gdb) i r
eax            0x0         0
ecx            0x1000      4096
edx            0xf97       3991
ebx            0x41414141  1094795585
esp            0xbffff1d0  0xbffff1d0
ebp            0x41414141  0x41414141
esi            0x41414141  1094795585
edi            0x41414141  1094795585
eip            0x41414141  0x41414141
eflags         0x10282     66178
cs             0x73        115
ss             0x7b        123
ds             0x7b        123
es             0x7b        123
fs             0x0         0
gs             0x0         0
(gdb)

As this program is not suid by default, there is no danger of privilege escalation. Nevertheless, (un)compress is called remotely by at least amavisd-new and pure-ftpd. An attacker could remotely exploit this vulnerability by sending a carefully crafted email attachment: amavisd-new calls uncompress, the program will overflow, and as a result the attacker gains a remote shell. Attached is a patch that fixes this problem.

best regards, florian
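The crash above (saved ebp/eip overwritten with 0x41414141 by a ~1080-byte file name argument) is the signature of an unchecked copy of a path into a fixed-size stack buffer. The following is an added illustration, not ncompress's own code or the attached patch: a constructed version of that copy pattern next to a bounds-checked replacement of the kind the fix adds, with a hypothetical buffer size MAXPATHBUF.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical destination size for this example; the real buffer size in
 * ncompress is not stated on the page. */
#define MAXPATHBUF 1024

/* The pattern behind the reported crash: the argument length is never
 * compared with the destination size, so an overlong name runs past the
 * buffer and into the saved frame pointer and return address. */
void unsafe_build_name(char *dst, const char *fname, const char *suffix)
{
    strcpy(dst, fname);      /* no bounds check: overflows if fname is too long */
    strcat(dst, suffix);
}

/* Bounds-checked replacement: refuse a name that does not fit instead of
 * silently truncating it (a truncated path could name the wrong file).
 * Returns 0 on success, -1 if the name plus suffix would not fit. */
int safe_build_name(char *dst, size_t dstlen, const char *fname, const char *suffix)
{
    size_t flen = strlen(fname);
    size_t slen = strlen(suffix);
    if (flen + slen + 1 > dstlen)        /* +1 for the terminating NUL */
        return -1;
    memcpy(dst, fname, flen);
    memcpy(dst + flen, suffix, slen + 1); /* copies the NUL as well */
    return 0;
}

/* Does a constructed file name of `len` 'A' characters pass the check?
 * Returns 1 if accepted, 0 if rejected (-1 if len exceeds the test name). */
int name_fits(size_t len)
{
    char name[2048];               /* constructed input, like the perl one-liner */
    char buf[MAXPATHBUF];
    if (len >= sizeof name)
        return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    return safe_build_name(buf, sizeof buf, name, ".Z") == 0;
}

int main(void)
{
    printf("80-byte name accepted:   %d\n", name_fits(80));   /* 1 */
    printf("1080-byte name accepted: %d\n", name_fits(1080)); /* 0 */
    return 0;
}
```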
Created attachment 41017 [details, diff] patch
lv, This package has no metadata, and you were the last one to patch it. Could you please verify and apply this patch? Thanks!
Making this bug public since this vulnerability has already been published.
+*ncompress-4.2.4-r1 (06 Oct 2004) + + 06 Oct 2004; <solar@gentoo.org> +metadata.xml, +ncompress-4.2.4-r1.ebuild: + This update adds bounds checking to command line options used by ncompress bug + #66251. Also minor clode cleanups and a bugfixes by using debian patch from + http://packages.qa.debian.org/n/ncompress.html
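Review bot: the ChangeLog text in this hunk has two typos worth fixing before it is committed: "minor clode cleanups and a bugfixes" should read "minor code cleanups and bugfixes".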
archs, please mark ncompress-4.2.4-r1 stable.
Stable on ppc. Example-test works.
Stable on alpha.
Stable for sparc. Runs tests for me.
stable on x86
stable on amd64
arm/hppa/ia64/s390 stable BABY
mips stable
Ready for a GLSA. I would say one is needed if this is really exploitable through amavisd[-new] or pure-ftpd (i.e. if they accept and tunnel through uncompress arbitrary pathnames). If they don't (or if they filter length/characters, which they should do) then a GLSA isn't needed...
This is not exploitable through pure-ftpd (which uses uncompress only in the Makefile). Through amavisd-new, I'm not sure, but that would need to pass a very long file name that would probably break something else. That said, uncompress has a real potential to be called remotely in user applications and the filename can very well be under the control of the attacker. I would say this needs a GLSA, so my vote goes for YES
Everyone agrees, we'll do one.
GLSA 200410-08 ppc64, please mark stable to benefit from glsa.
stable on ppc64, thanks!
*** Bug 107312 has been marked as a duplicate of this bug. ***