CVE-2011-2895: Buffer Overflow
First published: Tue Aug 02 2011(Updated: )
BSD compress implemented an LZW compressor and decompressor. This decompressor implementation did not correctly handle compressed streams that contain code words that were not yet added to the decompression table. LZW decompression has a special case (a KwKwK string) when code word may match the first free entry in the decompression table. The implementation used in BSD compress allow code words not only matching, but also exceeding the first free entry. It seems this compress implementation first appeared in BSD around 1985, and was later used in various other code base, such as ncompress and gzip. Other components that contain affected code will be listed below. Following page list the version of the code as was used in 4.3BSD: <a href="http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/usr.bin/compress/compress.c">http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/usr.bin/compress/compress.c</a> Relevant code appears in the decompress() routine: /* * Special case for KwKwK string. */ if ( code >= free_ent ) { *stackp++ = finchar; code = oldcode; } This allows creating a loop in the decompression table, which leads to an "infinite" loop: /* * Generate output characters in reverse order */ #ifdef SIGNED_COMPARE_SLOW while ( ((unsigned long)code) >= ((unsigned long)256) ) { #else while ( code >= 256 ) { #endif *stackp++ = tab_suffixof(code); code = tab_prefixof(code); } where tab_prefixof is: unsigned short codetab [HSIZE]; #define codetabof(i) codetab[i] #define tab_prefixof(i) codetabof(i) This overflows de_stack "buffer" (part of the htab[]): count_int htab [HSIZE]; # define tab_suffixof(i) ((char_type *)(htab))[i] # define de_stack ((char_type *)&tab_suffixof(1<<BITS)) Depending on the relative htab[] and codetab[] positions, de_stack overflow may overwrite codetab[] entries, which may break infinite loop and let program continue its execution with possibly corrupted memory.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Openbsd Openbsd | =2.8 | |
| Freetype Freetype | =2.1.9 | |
| NetBSD NetBSD | ||
| X Libxfont | =1.2.1 | |
| X Libxfont | =1.2.7 | |
| X Libxfont | =1.2.6 | |
| Openbsd Openbsd | =3.1 | |
| X Libxfont | =1.3.3 | |
| Openbsd Openbsd | =3.3 | |
| Openbsd Openbsd | =2.9 | |
| X Libxfont | <=1.4.3 | |
| X Libxfont | =1.3.2 | |
| X Libxfont | =1.3.4 | |
| Openbsd Openbsd | =2.1 | |
| X Libxfont | =1.3.1 | |
| FreeBSD FreeBSD | ||
| Openbsd Openbsd | =2.2 | |
| X Libxfont | =1.4.0 | |
| Openbsd Openbsd | =2.0 | |
| Openbsd Openbsd | =2.7 | |
| X Libxfont | =1.2.4 | |
| X Libxfont | =1.2.9 | |
| X Libxfont | =1.4.1 | |
| Openbsd Openbsd | =3.2 | |
| Openbsd Openbsd | =2.4 | |
| X Libxfont | =1.2.0 | |
| Openbsd Openbsd | =3.6 | |
| Openbsd Openbsd | =3.0 | |
| X Libxfont | =1.2.3 | |
| X Libxfont | =1.2.5 | |
| Openbsd Openbsd | =3.5 | |
| X Libxfont | =1.2.8 | |
| Openbsd Openbsd | =2.6 | |
| X Libxfont | =1.3.0 | |
| Openbsd Openbsd | =2.5 | |
| X Libxfont | =1.4.2 | |
| Openbsd Openbsd | =2.3 | |
| Openbsd Openbsd | <=3.7 | |
| X Libxfont | =1.2.2 | |
| Openbsd Openbsd | =3.4 |
Remedy
http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d11ee5886e9d9ec610051a206b135a4cdc1e09a0
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.ubuntu.com/usn/USN-1191-1
- http://lists.freedesktop.org/archives/xorg-announce/2011-August/001721.html
- http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d11ee5886e9d9ec610051a206b135a4cdc1e09a0
- https://bugzilla.redhat.com/show_bug.cgi?id=725760
- http://www.redhat.com/support/errata/RHSA-2011-1155.html
- http://secunia.com/advisories/45568
- http://www.openwall.com/lists/oss-security/2011/08/10/10
- http://securitytracker.com/id?1025920
- http://www.debian.org/security/2011/dsa-2293
- http://secunia.com/advisories/45544
- http://www.redhat.com/support/errata/RHSA-2011-1154.html
- http://www.securityfocus.com/bid/49124
- http://secunia.com/advisories/45599
- https://bugzilla.redhat.com/show_bug.cgi?id=727624
- http://lists.freedesktop.org/archives/xorg-announce/2011-August/001722.html
- http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/compress/zopen.c#rev1.17
- http://www.redhat.com/support/errata/RHSA-2011-1161.html
- http://secunia.com/advisories/45986
- http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00019.html
- http://secunia.com/advisories/46127
- http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-007.txt.asc
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:153
- http://lists.opensuse.org/opensuse-security-announce/2011-12/msg00004.html
- http://www.redhat.com/support/errata/RHSA-2011-1834.html
- http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
- http://support.apple.com/kb/HT5130
- http://support.apple.com/kb/HT5281
- http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
- http://secunia.com/advisories/48951
- https://support.apple.com/HT205635
- http://lists.apple.com/archives/security-announce/2015/Dec/msg00005.html
- https://support.apple.com/HT205637
- http://lists.apple.com/archives/security-announce/2015/Dec/msg00002.html
- http://lists.apple.com/archives/security-announce/2015/Dec/msg00000.html
- https://support.apple.com/HT205641
- http://lists.apple.com/archives/security-announce/2015/Dec/msg00001.html
- https://support.apple.com/HT205640
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69141
- http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/usr.bin/compress/compress.c
- http://ncompress.git.sourceforge.net/git/gitweb.cgi?p=ncompress/ncompress;a=blob;f=compress.c;h=c16e1239#l1167
- http://git.savannah.gnu.org/gitweb/?p=gzip.git;a=blob;f=unlzw.c;h=63f941c6#l297
- http://code.google.com/p/libarchive/source/browse/trunk/libarchive/archive_read_support_filter_compress.c?r=3195#375
- http://git.busybox.net/busybox/tree/archival/libarchive/decompress_uncompress.c?id=833d4e7f#n220
- http://git.savannah.gnu.org/cgit/freetype/freetype2.git/log/src/lzw/zopen.c
- http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/lzw/zopen.c?id=a1c990a6#n251
- http://cgit.freedesktop.org/xorg/lib/libXfont/tree/src/fontfile/decompress.c?id=f29f1d68#n249
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=725760
- http://nail.cvs.sourceforge.net/viewvc/nail/nail/lzw.c?revision=1.4&view=markup#l511
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=516375
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=516375&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=727624#c1
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=727624#c5
- https://access.redhat.com/security/cve/CVE-2006-1168
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=201919
- https://rhn.redhat.com/errata/RHSA-2011-1154.html
- https://rhn.redhat.com/errata/RHSA-2011-1155.html
- https://rhn.redhat.com/errata/RHSA-2011-1161.html
- https://rhn.redhat.com/errata/RHSA-2011-1834.html
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/remedy
- agent/references
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/weakness
- agent/severity
- agent/author
- agent/tags
- agent/softwarecombine
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-2895
- vendor/openbsd
- canonical/openbsd openbsd
- version/openbsd openbsd/2.8
- vendor/freetype
- canonical/freetype freetype
- version/freetype freetype/2.1.9
- vendor/netbsd
- canonical/netbsd netbsd
- vendor/x
- canonical/x libxfont
- version/x libxfont/1.2.1
- version/x libxfont/1.2.7
- version/x libxfont/1.2.6
- version/openbsd openbsd/3.1
- version/x libxfont/1.3.3
- version/openbsd openbsd/3.3
- version/openbsd openbsd/2.9
- version/x libxfont/1.4.3
- version/x libxfont/1.3.2
- version/x libxfont/1.3.4
- version/openbsd openbsd/2.1
- version/x libxfont/1.3.1
- vendor/freebsd
- canonical/freebsd freebsd
- version/openbsd openbsd/2.2
- version/x libxfont/1.4.0
- version/openbsd openbsd/2.0
- version/openbsd openbsd/2.7
- version/x libxfont/1.2.4
- version/x libxfont/1.2.9
- version/x libxfont/1.4.1
- version/openbsd openbsd/3.2
- version/openbsd openbsd/2.4
- version/x libxfont/1.2.0
- version/openbsd openbsd/3.6
- version/openbsd openbsd/3.0
- version/x libxfont/1.2.3
- version/x libxfont/1.2.5
- version/openbsd openbsd/3.5
- version/x libxfont/1.2.8
- version/openbsd openbsd/2.6
- version/x libxfont/1.3.0
- version/openbsd openbsd/2.5
- version/x libxfont/1.4.2
- version/openbsd openbsd/2.3
- version/openbsd openbsd/3.7
- version/x libxfont/1.2.2
- version/openbsd openbsd/3.4