ncompress Buffer Overflow in decompress() Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1016836
SecurityTracker URL: http://securitytracker.com/id/1016836
CVE Reference: CVE-2006-1168
Date: Sep 13 2006
Impact:
Execution of arbitrary code via network, User access via network
Version(s): 4.2.4
Description:
A vulnerability was reported in ncompress. A remote user can cause arbitrary code to be executed on the target user's system.
A user can create specially crafted data that, when processed using ncompress, will trigger a buffer overflow and execute arbitrary code on the target system.
The decompress() function in 'compress42.c' is affected.
Tavis Ormandy, Google Security Team, discovered this vulnerability.
Impact:
A remote user can create data that, when processed by the target application, will execute arbitrary code on the target system.
Solution:
No upstream solution was available at the time of this entry.
Cause:
Boundary error
Underlying OS:
Linux (Any), UNIX (Any)
Source Message Contents
Date: Tue, 12 Sep 2006 20:12:11 -0400
Subject: ncompress vulnerability
CVE-2006-1168
From "Tavis Ormandy, Google Security Team":
> Hi there, an audit of ncompress version 4.2.4 uncovered a serious
> security flaw, this loop in decompress() (~1749, compress42.c)
> performs no bounds checking, allowing a specially crafted datastream
> to underflow a .bss buffer with attacker controlled data. Some
> research reveals that the lzw decompressors from gzip and openbsd
> (both derived from the same public domain implementation) have already
> corrected this flaw, however ncompress shipped by (at least) gentoo,
> debian, fedora and suse seem to still be vulnerable.
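
The kind of bounds check the quoted message says is missing, shown as an added example that is not part of the original advisory and is not ncompress's code: a generic LZW string-expansion loop that pushes bytes downward into a scratch buffer and refuses to go below its start. The table layout, the function name `lzw_expand` and the sample codes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FIRST_CODE 256u    /* codes below this are literal bytes */
#define MAX_CODES  65536u  /* 16-bit code space */

/* Hypothetical decoder tables; names are this example's, not ncompress's. */
typedef struct {
    uint16_t prefix[MAX_CODES]; /* code of the string minus its last byte */
    uint8_t  suffix[MAX_CODES]; /* last byte of the string */
} lzw_tables;

/* Expand `code` by walking its prefix chain. Bytes come out last-first, so
 * they are pushed downward from buf + cap. Returns the string length (the
 * string then starts at buf + cap - length), or -1 on a malformed chain. */
long lzw_expand(const lzw_tables *t, uint32_t code, uint32_t free_ent,
                uint8_t *buf, size_t cap)
{
    uint8_t *stackp = buf + cap;

    while (code >= FIRST_CODE) {
        if (code >= free_ent)  /* entry was never defined by the stream */
            return -1;
        if (stackp == buf)     /* the bounds check: no room left below */
            return -1;
        *--stackp = t->suffix[code];
        code = t->prefix[code];
    }
    if (stackp == buf)
        return -1;
    *--stackp = (uint8_t)code; /* chain ends in a literal byte */
    return (long)(buf + cap - stackp);
}

static lzw_tables demo; /* constructed sample data */

int main(void)
{
    uint8_t buf[8];
    demo.prefix[256] = 'a'; demo.suffix[256] = 'b'; /* 256 = "ab"  */
    demo.prefix[257] = 256; demo.suffix[257] = 'c'; /* 257 = "abc" */
    demo.prefix[258] = 258; demo.suffix[258] = 'x'; /* never reaches a literal */
    printf("%ld\n", lzw_expand(&demo, 257, 258, buf, sizeof buf)); /* 3 */
    printf("%ld\n", lzw_expand(&demo, 258, 259, buf, sizeof buf)); /* -1 */
    return 0;
}
```

Without the `stackp == buf` test, the second call would keep writing below `buf` until something else stopped it; with it, malformed input is reported as an error instead.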