high
7
Advisory Published
Updated

REDHAT-BUG-727624

First published: Tue Aug 02 2011(Updated: )

BSD compress implemented an LZW compressor and decompressor. This decompressor implementation did not correctly handle compressed streams that contain code words that were not yet added to the decompression table. LZW decompression has a special case (a KwKwK string) when code word may match the first free entry in the decompression table. The implementation used in BSD compress allow code words not only matching, but also exceeding the first free entry. It seems this compress implementation first appeared in BSD around 1985, and was later used in various other code base, such as ncompress and gzip. Other components that contain affected code will be listed below. Following page list the version of the code as was used in 4.3BSD: <a href="http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/usr.bin/compress/compress.c">http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/usr.bin/compress/compress.c</a> Relevant code appears in the decompress() routine: /* * Special case for KwKwK string. */ if ( code &gt;= free_ent ) { *stackp++ = finchar; code = oldcode; } This allows creating a loop in the decompression table, which leads to an "infinite" loop: /* * Generate output characters in reverse order */ #ifdef SIGNED_COMPARE_SLOW while ( ((unsigned long)code) &gt;= ((unsigned long)256) ) { #else while ( code &gt;= 256 ) { #endif *stackp++ = tab_suffixof(code); code = tab_prefixof(code); } where tab_prefixof is: unsigned short codetab [HSIZE]; #define codetabof(i) codetab[i] #define tab_prefixof(i) codetabof(i) This overflows de_stack "buffer" (part of the htab[]): count_int htab [HSIZE]; # define tab_suffixof(i) ((char_type *)(htab))[i] # define de_stack ((char_type *)&amp;tab_suffixof(1&lt;&lt;BITS)) Depending on the relative htab[] and codetab[] positions, de_stack overflow may overwrite codetab[] entries, which may break infinite loop and let program continue its execution with possibly corrupted memory.

Affected SoftwareAffected VersionHow to fix
BSD compress>=1985
BSD compress
gzip
SUSE Ncompress

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of REDHAT-BUG-727624?

    The severity of REDHAT-BUG-727624 is considered to be critical due to the potential for arbitrary code execution.

  • How do I fix REDHAT-BUG-727624?

    To fix REDHAT-BUG-727624, update to the patched versions of BSD compress, GNU gzip, or any affected software as provided by the vendor.

  • Which software is affected by REDHAT-BUG-727624?

    The software affected by REDHAT-BUG-727624 includes BSD compress, GNU gzip, and ncompress.

  • What type of vulnerability is REDHAT-BUG-727624?

    REDHAT-BUG-727624 is a vulnerability in the LZW decompression implementation that can lead to denial of service or arbitrary code execution.

  • Is REDHAT-BUG-727624 likely to be exploited in the wild?

    Yes, REDHAT-BUG-727624 could be exploited in the wild due to its critical nature and the common usage of the affected software.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203