Report from Tavis Ormandy, Google Security Team:

An audit of ncompress version 4.2.4 uncovered a serious security flaw: this loop in decompress() (~1749, compress42.c) performs no bounds checking, allowing a specially crafted datastream to underflow a .bss buffer with attacker-controlled data. Some research reveals that the lzw decompressors from gzip and openbsd (both derived from the same public domain implementation) have already corrected this flaw; however, ncompress as shipped by (at least) gentoo, debian, fedora and suse seems to still be vulnerable.

    while ((cmp_code_int)code >= (cmp_code_int)256)
    {
        /* Generate output characters in reverse order */
        *--stackp = tab_suffixof(code);
        code = tab_prefixof(code);
    }

In my test environment I've been able to successfully overwrite .got and .dtors with controlled data. The most simple testcase would be:

    $ perl -e 'print "\x1f\x9d\x90","\x01"x"2048"' | compress -d

My suggested fix would be adding `&& stackp >= htabof(0)` to the loop condition.
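The mechanics behind the one-line testcase above, as an added example (not ncompress code, not the reporter's): a toy model of the decompress() table walk in C. It keeps the 4.2.4 behaviour of accepting a first code >= 256 (the first 9-bit code of the testcase is 257, so table entry 257 is later created with prefix 257, a self-loop), then shows the loop from the report with the floor check added. Assumptions: fixed 9-bit codes, block mode only, no code-width growth, a separate 64-byte output stack (so the guard is written as `stackp == stack` rather than `stackp >= htabof(0)`, where the real stack sits at the top of htab), and both input streams are constructed inline: the report's byte pattern truncated to 32 bytes, and a hand-packed valid stream for "aaaa".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of compress42.c decompress(): block mode, fixed 9-bit codes,
 * no code-width growth (assumption). Small tables so the floor is hit fast. */
#define MAXCODES   512   /* 9-bit code space */
#define CLEAR      256   /* block-mode clear code */
#define FIRST      257   /* first free table entry */
#define STACK_SIZE 64    /* output stack; real code uses the top of htab */

enum lzw_status {
    LZW_OK = 0, LZW_BAD_HEADER = -1, LZW_BAD_CODE = -2,
    LZW_STACK_UNDERFLOW = -3, LZW_OUT_FULL = -4
};

/* Fetch code number idx; codes are packed LSB-first like compress(1). */
static int get_code(const uint8_t *buf, size_t len, size_t idx)
{
    size_t bit = idx * 9;
    int code = 0;
    if (((bit + 8) >> 3) >= len) return -1;      /* no complete code left */
    for (int i = 0; i < 9; i++, bit++)
        code |= ((buf[bit >> 3] >> (bit & 7)) & 1) << i;
    return code;
}

int lzw_decode(const uint8_t *in, size_t len, uint8_t *out, size_t outcap, size_t *outlen)
{
    uint16_t prefix[MAXCODES];
    uint8_t  suffix[MAXCODES];
    uint8_t  stack[STACK_SIZE], *stackp;
    int oldcode = -1, finchar = 0, free_ent = FIRST, code, incode;
    size_t outpos = 0, idx = 0;

    if (len < 3 || in[0] != 0x1f || in[1] != 0x9d) return LZW_BAD_HEADER;
    if (!(in[2] & 0x80) || (in[2] & 0x1f) > 16) return LZW_BAD_HEADER;
    in += 3; len -= 3;
    memset(prefix, 0, sizeof prefix);
    memset(suffix, 0, sizeof suffix);
    for (int i = 0; i < 256; i++) suffix[i] = (uint8_t)i;

    while ((code = get_code(in, len, idx++)) >= 0) {
        if (oldcode == -1) {
            /* 4.2.4 accepts any first code and truncates it to a byte; a
             * first code >= 256 is what lets the stream build a self-loop. */
            finchar = oldcode = code;
            if (outpos >= outcap) return LZW_OUT_FULL;
            out[outpos++] = (uint8_t)finchar;
            continue;
        }
        if (code == CLEAR) { free_ent = FIRST; oldcode = -1; continue; }
        incode = code;
        stackp = stack + STACK_SIZE;
        if (code > free_ent) return LZW_BAD_CODE;   /* beyond the table */
        if (code == free_ent) {                      /* KwKwK case */
            *--stackp = (uint8_t)finchar;
            code = oldcode;
        }
        /* The loop from the report plus the missing floor check: a prefix
         * chain that cycles (or is longer than the stack) is rejected here
         * instead of writing below the stack. */
        while (code >= 256) {
            if (stackp == stack) return LZW_STACK_UNDERFLOW;
            *--stackp = suffix[code];
            code = prefix[code];
        }
        if (stackp == stack) return LZW_STACK_UNDERFLOW;
        finchar = suffix[code];
        *--stackp = (uint8_t)finchar;
        size_t n = (size_t)((stack + STACK_SIZE) - stackp);
        if (outpos + n > outcap) return LZW_OUT_FULL;
        memcpy(out + outpos, stackp, n);
        outpos += n;
        if (free_ent < MAXCODES) {       /* add entry <oldcode, finchar> */
            prefix[free_ent] = (uint16_t)oldcode;
            suffix[free_ent] = (uint8_t)finchar;
            free_ent++;
        }
        oldcode = incode;
    }
    *outlen = outpos;
    return LZW_OK;
}

/* Constructed input: the report's testcase bytes, truncated to 32 (enough
 * for this 9-bit model: codes run 257,128,64,...,2 and then 257 again). */
int decode_report_testcase(void)
{
    uint8_t in[3 + 32], out[256];
    size_t n = 0;
    in[0] = 0x1f; in[1] = 0x9d; in[2] = 0x90;
    memset(in + 3, 0x01, 32);
    return lzw_decode(in, sizeof in, out, sizeof out, &n);
}

/* Constructed well-formed stream: the codes for "aaaa" (97, 257, 97). */
int decode_aaaa_ok(void)
{
    static const int codes[] = { 97, 257, 97 };
    uint8_t in[8] = { 0x1f, 0x9d, 0x90 }, out[16];
    size_t bit = 0, n = 0;
    for (size_t i = 0; i < 3; i++)
        for (int b = 0; b < 9; b++, bit++)
            in[3 + (bit >> 3)] |= ((codes[i] >> b) & 1) << (bit & 7);
    if (lzw_decode(in, 3 + (bit + 7) / 8, out, sizeof out, &n) != LZW_OK) return 0;
    return n == 4 && memcmp(out, "aaaa", 4) == 0;
}

int main(void)
{
    printf("crafted stream: status %d (%d = stack underflow caught)\n",
           decode_report_testcase(), LZW_STACK_UNDERFLOW);
    printf("\"aaaa\" stream decodes correctly: %s\n", decode_aaaa_ok() ? "yes" : "no");
    return 0;
}
```

Without the `stackp == stack` check the second code 257 walks `prefix[257] == 257` forever, decrementing `stackp` below the array on every iteration; in the real layout that walk runs down through htab and codetab into whatever .bss precedes them, which is the .got/.dtors overwrite the report describes. The floor check turns that into an error return, and the `code > free_ent` rejection closes the companion hole of reading table entries that were never written.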
fixed in ncompress-4.2.4-45
References: https://bugs.gentoo.org/show_bug.cgi?id=141728 http://ncompress.git.sourceforge.net/git/gitweb.cgi?p=ncompress/ncompress;a=commitdiff;h=e21aad4a5a3ba0b6c2279b28a80f85b0b226a175
This was fixed in ncompress versions shipped in Red Hat Enterprise Linux: https://www.redhat.com/security/data/cve/CVE-2006-1168.html and Fedora. The fix has not been applied to busybox yet, which includes a copy of the ncompress code.
(In reply to comment #3) > The fix has not been applied to busybox yet, which includes a copy of the > ncompress code. Fixed now via: http://git.busybox.net/busybox/commit/archival/libarchive/decompress_uncompress.c?id=251fc70e9722f931eec23a34030d05ba5f747b0e
Acknowledgements: Red Hat would like to thank Tavis Ormandy of the Google Security Team for reporting this issue.
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2012:0308 https://rhn.redhat.com/errata/RHSA-2012-0308.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2012:0810 https://rhn.redhat.com/errata/RHSA-2012-0810.html