CVE-2011-2895: Buffer Overflow
First published: Tue Aug 02 2011(Updated: )
BSD compress implemented an LZW compressor and decompressor. This decompressor implementation did not correctly handle compressed streams that contain code words that were not yet added to the decompression table. LZW decompression has a special case (a KwKwK string) when code word may match the first free entry in the decompression table. The implementation used in BSD compress allow code words not only matching, but also exceeding the first free entry. It seems this compress implementation first appeared in BSD around 1985, and was later used in various other code base, such as ncompress and gzip. Other components that contain affected code will be listed below. Following page list the version of the code as was used in 4.3BSD: <a href="http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/usr.bin/compress/compress.c">http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/usr.bin/compress/compress.c</a> Relevant code appears in the decompress() routine: /* * Special case for KwKwK string. */ if ( code >= free_ent ) { *stackp++ = finchar; code = oldcode; } This allows creating a loop in the decompression table, which leads to an "infinite" loop: /* * Generate output characters in reverse order */ #ifdef SIGNED_COMPARE_SLOW while ( ((unsigned long)code) >= ((unsigned long)256) ) { #else while ( code >= 256 ) { #endif *stackp++ = tab_suffixof(code); code = tab_prefixof(code); } where tab_prefixof is: unsigned short codetab [HSIZE]; #define codetabof(i) codetab[i] #define tab_prefixof(i) codetabof(i) This overflows de_stack "buffer" (part of the htab[]): count_int htab [HSIZE]; # define tab_suffixof(i) ((char_type *)(htab))[i] # define de_stack ((char_type *)&tab_suffixof(1<<BITS)) Depending on the relative htab[] and codetab[] positions, de_stack overflow may overwrite codetab[] entries, which may break infinite loop and let program continue its execution with possibly corrupted memory.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| FreeType | =2.1.9 | |
| Red Hat Libxfont | <=1.4.3 | |
| Red Hat Libxfont | =1.2.0 | |
| Red Hat Libxfont | =1.2.1 | |
| Red Hat Libxfont | =1.2.2 | |
| Red Hat Libxfont | =1.2.3 | |
| Red Hat Libxfont | =1.2.4 | |
| Red Hat Libxfont | =1.2.5 | |
| Red Hat Libxfont | =1.2.6 | |
| Red Hat Libxfont | =1.2.7 | |
| Red Hat Libxfont | =1.2.8 | |
| Red Hat Libxfont | =1.2.9 | |
| Red Hat Libxfont | =1.3.0 | |
| Red Hat Libxfont | =1.3.1 | |
| Red Hat Libxfont | =1.3.2 | |
| Red Hat Libxfont | =1.3.3 | |
| Red Hat Libxfont | =1.3.4 | |
| Red Hat Libxfont | =1.4.0 | |
| Red Hat Libxfont | =1.4.1 | |
| Red Hat Libxfont | =1.4.2 | |
| FreeBSD Kernel | ||
| NetBSD current | ||
| OpenBSD | <=3.7 | |
| OpenBSD | =2.0 | |
| OpenBSD | =2.1 | |
| OpenBSD | =2.2 | |
| OpenBSD | =2.3 | |
| OpenBSD | =2.4 | |
| OpenBSD | =2.5 | |
| OpenBSD | =2.6 | |
| OpenBSD | =2.7 | |
| OpenBSD | =2.8 | |
| OpenBSD | =2.9 | |
| OpenBSD | =3.0 | |
| OpenBSD | =3.1 | |
| OpenBSD | =3.2 | |
| OpenBSD | =3.3 | |
| OpenBSD | =3.4 | |
| OpenBSD | =3.5 | |
| OpenBSD | =3.6 |
Remedy
http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d11ee5886e9d9ec610051a206b135a4cdc1e09a0
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.ubuntu.com/usn/USN-1191-1
- http://lists.freedesktop.org/archives/xorg-announce/2011-August/001721.html
- http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d11ee5886e9d9ec610051a206b135a4cdc1e09a0
- https://bugzilla.redhat.com/show_bug.cgi?id=725760
- http://www.redhat.com/support/errata/RHSA-2011-1155.html
- http://secunia.com/advisories/45568
- http://www.openwall.com/lists/oss-security/2011/08/10/10
- http://securitytracker.com/id?1025920
- http://www.debian.org/security/2011/dsa-2293
- http://secunia.com/advisories/45544
- http://www.redhat.com/support/errata/RHSA-2011-1154.html
- http://www.securityfocus.com/bid/49124
- http://secunia.com/advisories/45599
- https://bugzilla.redhat.com/show_bug.cgi?id=727624
- http://lists.freedesktop.org/archives/xorg-announce/2011-August/001722.html
- http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/compress/zopen.c#rev1.17
- http://www.redhat.com/support/errata/RHSA-2011-1161.html
- http://secunia.com/advisories/45986
- http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00019.html
- http://secunia.com/advisories/46127
- http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-007.txt.asc
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:153
- http://lists.opensuse.org/opensuse-security-announce/2011-12/msg00004.html
- http://www.redhat.com/support/errata/RHSA-2011-1834.html
- http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
- http://support.apple.com/kb/HT5130
- http://support.apple.com/kb/HT5281
- http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
- http://secunia.com/advisories/48951
- https://support.apple.com/HT205635
- http://lists.apple.com/archives/security-announce/2015/Dec/msg00005.html
- https://support.apple.com/HT205637
- http://lists.apple.com/archives/security-announce/2015/Dec/msg00002.html
- http://lists.apple.com/archives/security-announce/2015/Dec/msg00000.html
- https://support.apple.com/HT205641
- http://lists.apple.com/archives/security-announce/2015/Dec/msg00001.html
- https://support.apple.com/HT205640
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69141
- http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/usr.bin/compress/compress.c
- http://ncompress.git.sourceforge.net/git/gitweb.cgi?p=ncompress/ncompress;a=blob;f=compress.c;h=c16e1239#l1167
- http://git.savannah.gnu.org/gitweb/?p=gzip.git;a=blob;f=unlzw.c;h=63f941c6#l297
- http://code.google.com/p/libarchive/source/browse/trunk/libarchive/archive_read_support_filter_compress.c?r=3195#375
- http://git.busybox.net/busybox/tree/archival/libarchive/decompress_uncompress.c?id=833d4e7f#n220
- http://git.savannah.gnu.org/cgit/freetype/freetype2.git/log/src/lzw/zopen.c
- http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/lzw/zopen.c?id=a1c990a6#n251
- http://cgit.freedesktop.org/xorg/lib/libXfont/tree/src/fontfile/decompress.c?id=f29f1d68#n249
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=725760
- http://nail.cvs.sourceforge.net/viewvc/nail/nail/lzw.c?revision=1.4&view=markup#l511
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=516375
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=516375&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=727624#c1
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=727624#c5
- https://access.redhat.com/security/cve/CVE-2006-1168
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=201919
- https://rhn.redhat.com/errata/RHSA-2011-1154.html
- https://rhn.redhat.com/errata/RHSA-2011-1155.html
- https://rhn.redhat.com/errata/RHSA-2011-1161.html
- https://rhn.redhat.com/errata/RHSA-2011-1834.html
Frequently Asked Questions
What is the severity of CVE-2011-2895?
CVE-2011-2895 is classified as a high severity vulnerability due to its potential impact on security.
How do I fix CVE-2011-2895?
To fix CVE-2011-2895, upgrade the affected software to versions that have addressed the vulnerability.
Which software is affected by CVE-2011-2895?
CVE-2011-2895 affects FreeType 2.1.9 and multiple versions of the X.Org LibXfont library.
What type of vulnerability is CVE-2011-2895?
CVE-2011-2895 is a decompression vulnerability in the LZW compressor and decompressor implementation.
Can CVE-2011-2895 be exploited remotely?
Yes, CVE-2011-2895 can be exploited remotely if an attacker sends specially crafted compressed streams.
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/references
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-2895
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/weakness
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/freetype
- canonical/freetype
- version/freetype/2.1.9
- vendor/x
- canonical/red hat libxfont
- version/red hat libxfont/1.4.3
- version/red hat libxfont/1.2.0
- version/red hat libxfont/1.2.1
- version/red hat libxfont/1.2.2
- version/red hat libxfont/1.2.3
- version/red hat libxfont/1.2.4
- version/red hat libxfont/1.2.5
- version/red hat libxfont/1.2.6
- version/red hat libxfont/1.2.7
- version/red hat libxfont/1.2.8
- version/red hat libxfont/1.2.9
- version/red hat libxfont/1.3.0
- version/red hat libxfont/1.3.1
- version/red hat libxfont/1.3.2
- version/red hat libxfont/1.3.3
- version/red hat libxfont/1.3.4
- version/red hat libxfont/1.4.0
- version/red hat libxfont/1.4.1
- version/red hat libxfont/1.4.2
- vendor/freebsd
- canonical/freebsd kernel
- vendor/netbsd
- canonical/netbsd current
- vendor/openbsd
- canonical/openbsd
- version/openbsd/3.7
- version/openbsd/2.0
- version/openbsd/2.1
- version/openbsd/2.2
- version/openbsd/2.3
- version/openbsd/2.4
- version/openbsd/2.5
- version/openbsd/2.6
- version/openbsd/2.7
- version/openbsd/2.8
- version/openbsd/2.9
- version/openbsd/3.0
- version/openbsd/3.1
- version/openbsd/3.2
- version/openbsd/3.3
- version/openbsd/3.4
- version/openbsd/3.5
- version/openbsd/3.6