Debian: DSA-2074-1: New ncompress packages fix execution of arbitrary code

    Date21 Jul 2010
    CategoryDebian
    26
    Posted ByLinuxSecurity Advisories
    Aki Helin discovered an integer underflow in ncompress, the original Lempel-Ziv compress/uncompress programs. This could lead to the execution of arbitrary code when trying to decompress a crafted LZW compressed gzip archive.
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-2074-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                        Giuseppe Iuculano
    July 21, 2010                         http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : ncompress
    Vulnerability  : integer underflow
    Problem type   : local
    Debian-specific: no
    CVE Id         : CVE-2010-0001
    
    Aki Helin discovered an integer underflow in ncompress, the original
    Lempel-Ziv compress/uncompress programs.
    This could lead to the execution of arbitrary code when trying to decompress
    a crafted LZW compressed gzip archive.
    
    For the stable distribution (lenny), this problem has been fixed in
    version 4.2.4.2-1+lenny1.
    
    For the testing (squeeze) and unstable (sid) distribution, this
    problem has been fixed in version 4.2.4.3-1.
    
    
    We recommend that you upgrade your ncompress package.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------
    
    Debian (stable)
    - ---------------
    
    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/n/ncompress/ncompress_4.2.4.2-1+lenny1.dsc
        Size/MD5 checksum:     1001 540971822f1077df924611a0795d708c
      http://security.debian.org/pool/updates/main/n/ncompress/ncompress_4.2.4.2-1+lenny1.diff.gz
        Size/MD5 checksum:     7958 9e1082cc4b82240e9cd76b09f93adebb
      http://security.debian.org/pool/updates/main/n/ncompress/ncompress_4.2.4.2.orig.tar.gz
        Size/MD5 checksum:    32978 53421df78cc9ff311ce0392e3a729920
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/n/ncompress/ncompress_4.2.4.2-1+lenny1_alpha.deb
        Size/MD5 checksum:    25032 97104b799ed18dda40a495af691097e7
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/n/ncompress/ncompress_4.2.4.2-1+lenny1_amd64.deb
        Size/MD5 checksum:    24058 ff6531d0a69fd6cffaeb66ef05bc5d53
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/n/ncompress/ncompress_4.2.4.2-1+lenny1_arm.deb
        Size/MD5 checksum:    23852 7157e843f9066f7d20e07a83cba0b2e1
    
    armel architecture (ARM EABI)
    
      http://security.debian.org/pool/updates/main/n/ncompress/ncompress_4.2.4.2-1+lenny1_armel.deb
        Size/MD5 checksum:    23740 d4323cbb9d5938850b71514f1edd5ca0
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/n/ncompress/ncompress_4.2.4.2-1+lenny1_hppa.deb
        Size/MD5 checksum:    25466 b276a1839ad20d5dc675a119c76e66e5
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/n/ncompress/ncompress_4.2.4.2-1+lenny1_i386.deb
        Size/MD5 checksum:    23076 a53008254138090e760ec7a51d551bee
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/n/ncompress/ncompress_4.2.4.2-1+lenny1_ia64.deb
        Size/MD5 checksum:    28200 a2736fb1efd14e676ac6a2cb1ec3da46
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/n/ncompress/ncompress_4.2.4.2-1+lenny1_mips.deb
        Size/MD5 checksum:    24106 0b3cf882744400648ddefa54111ae540
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/n/ncompress/ncompress_4.2.4.2-1+lenny1_mipsel.deb
        Size/MD5 checksum:    24204 8c85696714487268c4bf0adb0a9d31b9
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/n/ncompress/ncompress_4.2.4.2-1+lenny1_powerpc.deb
        Size/MD5 checksum:    24476 98db6645c581ccd5cf35a8ca0ea28966
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/n/ncompress/ncompress_4.2.4.2-1+lenny1_s390.deb
        Size/MD5 checksum:    23944 9e40760b9cfbe73ceb6180da37175892
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/n/ncompress/ncompress_4.2.4.2-1+lenny1_sparc.deb
        Size/MD5 checksum:    23860 a422335c694163587222691d9fa728ac
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and http://packages.debian.org/
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"25","type":"x","order":"1","pct":55.56,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":11.11,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"15","type":"x","order":"3","pct":33.33,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.