ncompress: Buffer Underflow — GLSA 200610-03

A buffer underflow vulnerability has been reported in ncompress allowing for the execution of arbitrary code.

Affected packages

app-arch/ncompress on all architectures
Affected versions < 4.2.4.1
Unaffected versions >= 4.2.4.1

Background

ncompress is a suite of utilities to create and extract Lempel-Ziff-Welch (LZW) compressed archives.

Description

Tavis Ormandy of the Google Security Team discovered a static buffer underflow in ncompress.

Impact

An attacker could create a specially crafted LZW archive, that when decompressed by a user or automated system would result in the execution of arbitrary code with the permissions of the user invoking the utility.

Workaround

There is no known workaround at this time.

Resolution

All ncompress users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-arch/ncompress-4.2.4.1"

References

Release date
October 06, 2006

Latest revision
October 06, 2006: 01

Severity
normal

Exploitable
remote

Bugzilla entries