Bug 56455
Summary: | potential buffer overflow in gzip 1.2.4a | | |
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | Alex Butcher <bugzilla> |
Component: | gzip | Assignee: | Trond Eivind Glomsrød <teg> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
Severity: | medium | Docs Contact: | |
Priority: | high | | |
Version: | 6.2 | Keywords: | Security |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | i386 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2001-11-21 21:17:23 UTC | Type: | --- |
Description
Alex Butcher
2001-11-19 02:05:50 UTC
Doesn't wu-ftpd check that the file exists before running gzip on it? "Doesn't wu-ftpd check that the file exists before running gzip on it?" I think so, because I saw ftpd making stat64() calls. However, if file upload is allowed, then this won't provide any defense! Luckily, in this case, it would appear that wu-ftpd limits FTP command lines to 511 bytes (+ 1 for the NULL), but belt n' suspenders would be a good idea. Also, I don't know what other FTPDs do. Also, compress/uncompress have similar problems, even in RH7.2: $ uncompress `perl -e 'print "A" x 2048'` Segmentation fault $ compress `perl -e 'print "A" x 2048'` Segmentation fault $ compress -V Compress version: (N)compress 4.2.4, compiled: Mon Jun 25 04:14:46 EDT 2001 Compile options: FAST, DIRENT, REGISTERS=20 IBUFSIZ=1024, OBUFSIZ=1024, BITS=16 [ ... ] $ rpm -qif `which compress` Name : ncompress Relocations: (not relocateable) Version : 4.2.4 Vendor: Red Hat, Inc. Release : 24 Build Date: Mon 25 Jun 2001 09:14:50 BST [ ... ] Incidentally, whilst I was testing... $ ncftp NcFTP 3.0.3 (April 15, 2001) by Mike Gleason (ncftp). 
ncftp> $AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA *** Error: getline(): input buffer overflow $ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAA $ rpm -qif `which ncftp` Name : ncftp Relocations: /usr Version : 3.0.3 Vendor: Red Hat, Inc. Release : 6 Build Date: Sat 04 Aug 2001 20:55:09 BST Probably not exploitable, but... Shall I open a new bug for those two? I fixed ncompress (4.2.4-25), you can open another one for ncftp. I haven't decided what to do with gzip yet, as you shouldn't be able to exploit it and crashing your own program isn't that much of a problem. It's not a problem at the moment, but it might be in the future. One of the other black/grey/white hats on the vuln-dev list already has some ideas on how to exploit gzip through wu-ftpd (but he's not giving anything away). And of course, that's not even considering other networked services that rely upon gzip. 
The fix is already in gzip 1.3 (as used in RH7.x), so presumably your concerns are about backwards compatibility, which I understand. Your call. :)

Closing. Don't think it can be exploited remotely, it's not suid and we've updated in the base release some time ago.
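
The "belt n' suspenders" length check discussed in the thread, as an added example (not code from gzip, ncompress or this bug report): a file name from the command line is copied into a fixed-size buffer, with the compression suffix appended, only if the whole result fits. `make_output_name`, `NAME_BUF_LEN` and its 1024-byte size are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_LEN 1024   /* assumed buffer size, not taken from gzip */
#define Z_SUFFIX     ".gz"

/* Build "<name><suffix>" in dst (capacity dstlen, including the NUL).
 * Returns 0 on success. Returns -1 with errno = ENAMETOOLONG when the
 * result would not fit; dst is left untouched, never truncated. */
int make_output_name(char *dst, size_t dstlen,
                     const char *name, const char *suffix)
{
    size_t nlen = strlen(name);
    size_t slen = strlen(suffix);

    /* Written as subtractions so the size arithmetic cannot wrap:
     * success requires nlen + slen + 1 <= dstlen. */
    if (dstlen == 0 || nlen >= dstlen || slen >= dstlen - nlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, name, nlen);
    memcpy(dst + nlen, suffix, slen + 1);   /* copies the NUL as well */
    return 0;
}

int main(int argc, char **argv)
{
    char out[NAME_BUF_LEN];
    int rc = 0;

    for (int i = 1; i < argc; i++) {
        if (make_output_name(out, sizeof out, argv[i], Z_SUFFIX) != 0) {
            /* Print only a prefix of the rejected name. */
            fprintf(stderr, "%.40s...: file name too long\n", argv[i]);
            rc = 1;
            continue;
        }
        printf("%s\n", out);
    }
    return rc;
}
```

Run with the 2048-byte argument from the thread, this reports "file name too long" and exits with status 1 instead of crashing.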