critical
9.3
CWE
119
Advisory Published
CVE Published
Updated

CVE-2011-2895: Buffer Overflow

First published: Tue Aug 02 2011(Updated: )

BSD compress implemented an LZW compressor and decompressor. This decompressor implementation did not correctly handle compressed streams that contain code words that were not yet added to the decompression table. LZW decompression has a special case (a KwKwK string) when code word may match the first free entry in the decompression table. The implementation used in BSD compress allow code words not only matching, but also exceeding the first free entry. It seems this compress implementation first appeared in BSD around 1985, and was later used in various other code base, such as ncompress and gzip. Other components that contain affected code will be listed below. Following page list the version of the code as was used in 4.3BSD: <a href="http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/usr.bin/compress/compress.c">http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/usr.bin/compress/compress.c</a> Relevant code appears in the decompress() routine: /* * Special case for KwKwK string. */ if ( code &gt;= free_ent ) { *stackp++ = finchar; code = oldcode; } This allows creating a loop in the decompression table, which leads to an "infinite" loop: /* * Generate output characters in reverse order */ #ifdef SIGNED_COMPARE_SLOW while ( ((unsigned long)code) &gt;= ((unsigned long)256) ) { #else while ( code &gt;= 256 ) { #endif *stackp++ = tab_suffixof(code); code = tab_prefixof(code); } where tab_prefixof is: unsigned short codetab [HSIZE]; #define codetabof(i) codetab[i] #define tab_prefixof(i) codetabof(i) This overflows de_stack "buffer" (part of the htab[]): count_int htab [HSIZE]; # define tab_suffixof(i) ((char_type *)(htab))[i] # define de_stack ((char_type *)&amp;tab_suffixof(1&lt;&lt;BITS)) Depending on the relative htab[] and codetab[] positions, de_stack overflow may overwrite codetab[] entries, which may break infinite loop and let program continue its execution with possibly corrupted memory.

Credit: secalert@redhat.com

Affected SoftwareAffected VersionHow to fix
FreeType=2.1.9
X.Org LibXfont<=1.4.3
X.Org LibXfont=1.2.0
X.Org LibXfont=1.2.1
X.Org LibXfont=1.2.2
X.Org LibXfont=1.2.3
X.Org LibXfont=1.2.4
X.Org LibXfont=1.2.5
X.Org LibXfont=1.2.6
X.Org LibXfont=1.2.7
X.Org LibXfont=1.2.8
X.Org LibXfont=1.2.9
X.Org LibXfont=1.3.0
X.Org LibXfont=1.3.1
X.Org LibXfont=1.3.2
X.Org LibXfont=1.3.3
X.Org LibXfont=1.3.4
X.Org LibXfont=1.4.0
X.Org LibXfont=1.4.1
X.Org LibXfont=1.4.2
FreeBSD FreeBSD
NetBSD NetBSD
OpenBSD<=3.7
OpenBSD=2.0
OpenBSD=2.1
OpenBSD=2.2
OpenBSD=2.3
OpenBSD=2.4
OpenBSD=2.5
OpenBSD=2.6
OpenBSD=2.7
OpenBSD=2.8
OpenBSD=2.9
OpenBSD=3.0
OpenBSD=3.1
OpenBSD=3.2
OpenBSD=3.3
OpenBSD=3.4
OpenBSD=3.5
OpenBSD=3.6

Remedy

http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d11ee5886e9d9ec610051a206b135a4cdc1e09a0

Remedy

http://lists.freedesktop.org/archives/xorg-announce/2011-August/001721.html

Remedy

http://lists.freedesktop.org/archives/xorg-announce/2011-August/001722.html

Remedy

https://bugzilla.redhat.com/show_bug.cgi?id=725760

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203