ncompress Buffer Overflow in decompress() Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1016836
SecurityTracker URL: http://securitytracker.com/id?1016836
CVE Reference: CVE-2006-1168
Date: Sep 13 2006
Impact: Execution of arbitrary code via network, User access via network
Version(s): 4.2.4
Description: A vulnerability was reported in ncompress. A remote user can cause arbitrary code to be executed on the target user's system.
A user can create specially crafted data that, when processed using ncompress, will trigger a buffer overflow and execute arbitrary code on the target system.
The decompress() function in 'compress42.c' is affected.
Tavis Ormandy, Google Security Team, discovered this vulnerability.
Impact: A remote user can create data that, when processed by the target application, will execute arbitrary code on the target system.
Solution: No upstream solution was available at the time of this entry.
Cause: Boundary error
Underlying OS: Linux (Any), UNIX (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Tue, 12 Sep 2006 20:12:11 -0400
Subject: ncompress vulnerability
CVE-2006-1168
From "Tavis Ormandy, Google Security Team":
> Hi there, an audit of ncompress version 4.2.4 uncovered a serious
> security flaw, this loop in decompress() (~1749, compress42.c)
> performs no bounds checking, allowing a specially crafted datastream
> to underflow a .bss buffer with attacker controlled data. Some
> research reveals that the lzw decompressors from gzip and openbsd
> (both derived from the same public domain implementation) have already
> corrected this flaw, however ncompress shipped by (at least) gentoo,
> debian, fedora and suse seem to still be vulnerable.
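
The kind of bounds checking the report says the loop lacks, as an added example that is not code from ncompress, gzip or OpenBSD. The table layout, `lzw_expand` and the sample table are hypothetical; the checks are one way to keep a downward-growing stack pointer inside its buffer while an LZW code is expanded.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CODES (1u << 16)
/* Hypothetical table, not ncompress's layout: codes 0-255 are literal
 * bytes, codes >= 256 are strings (a prefix code plus one suffix byte). */
struct lzw_tab {
    uint16_t prefix[MAX_CODES];
    uint8_t  suffix[MAX_CODES];
    uint32_t free_ent;           /* next code not yet defined */
};

/* Expand `code` into out[0..cap) by walking its prefix chain backwards
 * through a downward-growing stack pointer. Returns the byte count, or
 * -1 on malformed input. code == free_ent (KwKwK) is the caller's job. */
long lzw_expand(const struct lzw_tab *t, uint32_t code, uint8_t *out, size_t cap)
{
    uint8_t *stackp = out + cap;
    if (code >= t->free_ent || code >= MAX_CODES)
        return -1;               /* code was never defined */
    while (code >= 256) {
        if (stackp == out)
            return -1;           /* next write would land below out[] */
        if (t->prefix[code] >= code)
            return -1;           /* a valid chain strictly descends */
        *--stackp = t->suffix[code];
        code = t->prefix[code];
    }
    if (stackp == out)
        return -1;
    *--stackp = (uint8_t)code;   /* first byte of the string */
    size_t n = (size_t)(out + cap - stackp);
    memmove(out, stackp, n);     /* left-align the result */
    return (long)n;
}

int main(void)
{
    static struct lzw_tab t;     /* constructed sample table */
    uint8_t buf[8];
    t.free_ent = 259;
    t.prefix[256] = 'a'; t.suffix[256] = 'b';   /* 256 = "ab"  */
    t.prefix[257] = 256; t.suffix[257] = 'c';   /* 257 = "abc" */
    t.prefix[258] = 258; t.suffix[258] = 'x';   /* malformed: own prefix */
    printf("%ld %ld %ld\n", lzw_expand(&t, 257, buf, sizeof buf),
           lzw_expand(&t, 258, buf, sizeof buf), lzw_expand(&t, 257, buf, 2));
    return 0;
}
```

Each rejection path returns before the write it guards, so a malformed table or an undersized buffer ends decoding instead of moving `stackp` below `out`.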