Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200609-13 ] gzip: Multiple vulnerabilities
Date: Sat, 23 Sep 2006 06:57:24
Message-Id: 200609230838.18020.jaervosz@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200609-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: gzip: Multiple vulnerabilities
      Date: September 23, 2006
      Bugs: #145511
        ID: 200609-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

gzip is affected by multiple vulnerabilities, including buffer
overflows and infinite loops, possibly allowing the execution of
arbitrary code.

Background
==========

gzip, the GNU zip compression utility, is a free and patent
unencumbered replacement for the standard compress utility.

Affected packages
=================

    -------------------------------------------------------------------
     Package        /  Vulnerable  /                        Unaffected
    -------------------------------------------------------------------
  1  app-arch/gzip      < 1.3.5-r9                         >= 1.3.5-r9

Description
===========

Tavis Ormandy of the Google Security Team has reported multiple
vulnerabilities in gzip. A stack buffer modification vulnerability was
discovered in the LZH decompression code, where a pathological data
stream may result in the modification of stack data such as frame
pointer, return address or saved registers. A static buffer underflow
was discovered in the pack decompression support, allowing a specially
crafted pack archive to underflow a .bss buffer. A static buffer
overflow was uncovered in the LZH decompression code, allowing a data
stream consisting of pathological Huffman codes to overflow a .bss
buffer. Multiple infinite loops were also uncovered in the LZH
decompression code.

Impact
======

A remote attacker may create a specially crafted gzip archive, which,
when decompressed by a user or automated system, executes arbitrary code
with the privileges of the user id invoking gzip. The infinite loops
may be abused by an attacker to disrupt any automated systems invoking
gzip to handle data decompression.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All gzip users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-arch/gzip-1.3.5-r9"

References
==========

  [ 1 ] CVE-2006-4334
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334
  [ 2 ] CVE-2006-4335
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335
  [ 3 ] CVE-2006-4336
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336
  [ 4 ] CVE-2006-4337
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337
  [ 5 ] CVE-2006-4338
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200609-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
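
A check of installed versions against the "Affected packages" table of this advisory, as an added example that is not part of the original advisory or of Portage's own code. It assumes the installed-package database is at /var/db/pkg and uses a simplified version comparison (numeric components plus an optional -rN revision); the function names are illustrative.

```python
import re
from pathlib import Path

FIXED = "1.3.5-r9"  # first unaffected version in the advisory's table
_VER = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(ver):
    """'1.3.5-r9' -> ((1, 3, 5), 9). Simplified: rejects letter and _suffix forms."""
    m = _VER.match(ver)
    if m is None:
        raise ValueError(f"unsupported version syntax: {ver!r}")
    return tuple(int(n) for n in m.group(1).split(".")), int(m.group(2) or 0)


def is_vulnerable(ver, fixed=FIXED):
    """True when ver sorts below the fixed version (the '<' column of the table)."""
    return parse_version(ver) < parse_version(fixed)


def installed_versions(vdb="/var/db/pkg", category="app-arch", name="gzip"):
    """Versions recorded for category/name in the installed-package database."""
    root = Path(vdb) / category
    if not root.is_dir():
        return []
    prefix = name + "-"
    found = []
    for entry in root.iterdir():
        ver = entry.name[len(prefix):]
        # Require a digit after the prefix so 'gzip-foo-1.0' style names are skipped.
        if entry.is_dir() and entry.name.startswith(prefix) and ver[:1].isdigit():
            found.append(ver)
    return sorted(found)


def audit(vdb="/var/db/pkg"):
    """Map each installed gzip version to True (needs the upgrade) or False."""
    return {ver: is_vulnerable(ver) for ver in installed_versions(vdb)}


if __name__ == "__main__":
    report = audit()
    if not report:
        print("app-arch/gzip not found in /var/db/pkg")
    for ver, vulnerable in report.items():
        status = "VULNERABLE, upgrade" if vulnerable else "not affected"
        print(f"app-arch/gzip-{ver}: {status} (GLSA 200609-13)")
```

The revision is compared as an integer, so 1.3.5-r10 is correctly treated as newer than 1.3.5-r9, which a plain string comparison would get wrong.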