NetBSD Security Advisory 2011-007: LZW decoding loop on manipulated compressed files

To: NetBSD current users <current-users%NetBSD.org@localhost>
Subject: NetBSD Security Advisory 2011-007: LZW decoding loop on manipulated compressed files
From: NetBSD Security Officer <security-officer%NetBSD.org@localhost>
Date: Wed, 21 Sep 2011 19:15:22 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2011-007
                 =================================

Topic:          LZW decoding loop on manipulated compressed files


Version:        NetBSD-current:         source prior to Aug 17th, 2011
                NetBSD 5.0.*:           affected
                NetBSD 5.0:             affected
                NetBSD 5.1:             affected
                NetBSD 4.0.*:           affected
                NetBSD 4.0:             affected

Severity:       Denial of Service, possible Information Leak

Fixed:          NetBSD-current:         Aug 16th, 2011
                NetBSD-5-0 branch:      Aug 19th, 2011
                        (5.0.3 will include the fix)
                NetBSD-5-1 branch:      Aug 19th, 2011
                        (5.1.1 will include the fix)
                NetBSD-5 branch:        Aug 19th, 2011
                NetBSD-4-0 branch:      Aug 19th, 2011
                NetBSD-4 branch:        Aug 19th, 2011

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A highly compressable input file could overflow the uncompression stack
in libXfont. Also, specially crafted compressed files could cause gzip(1)
and compress(1) to go into an endless loop or overflow their uncompression
stack.

This vulnerability has been assigned CVE-2011-2895.


Technical Details
=================

There are two different issues termed "lzw uncompress issue".

The first one is libXfont and the corresponding copy in XFree86's server.
It contains a broken size definition of the uncompression stack.
If you create a highly compressable input file (e.g. from /dev/zero)
and pipe it through compress(1), the result can trivially overflow
the decompression stack.

For gzip(1) and compress(1), there was an issue with the input validation.
If the LZW input stream was manipulated to contain code words larger
than the current free entry, the decompressor would access uninitialised
memory. Depending on the content of this region, it is possible that
the output processing would loop or overflow the output stack.

While freetype and freetype2 have the same input validation issue, they
are protected by the use of memset(3) on some internal tables.

Both libarchive and GNU gzip contain the necessary input validation to
avoid the problem.


Solutions and Workarounds
=========================

Via download:
+++++++++++++
Download base.tgz and xbase.tgz from
  http://nyftp.netbsd.org/pub/NetBSD-daily/<version>/<date>/<arch>/binary/sets/
or a mirror, with version being eg netbsd-4, date being a build version,
and arch being the appropriate architecture.

Install the downloaded files via eg
        # cd /
        # tar xzpf /path/to/base.tgz
        # tar xzpf /path/to/xbase.tgz

If you have been running any X11 server or client binaries on your
machine, you will have to restart them now, or to reboot the machine
in order to ensure all bits of vulnerable code have been purged from
memory.

Via building:
+++++++++++++
Patch, recompile, and reinstall the library and binaries.

libXfont:

  Xorg: FILE xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c

  CVS branch    Revision
  ------------- --------------
  HEAD          1.3
  netbsd-5-0    1.1.1.1.4.2
  netbsd-5-1    1.1.1.1.2.1.2.1
  netbsd-5      1.1.1.1.2.2

  XFree86: FILE xsrc/xfree/xc/lib/font/fontfile/decompress.c

  CVS branch    Revision
  ------------- --------------
  HEAD          1.2
  netbsd-5-0    1.1.1.4.24.1
  netbsd-5-1    1.1.1.4.26.1
  netbsd-5      1.1.1.4.22.1
  netbsd-4-0    1.1.1.4.20.1
  netbsd-4      1.1.1.4.18.1

compress:

  CVS branch    file                                    revision
  ------------- ----------------                        --------
  HEAD          src/usr.bin/compress/zopen.c            1.15
  netbsd-5-0    src/usr.bin/compress/zopen.c            1.12.14.1
  netbsd-5-1    src/usr.bin/compress/zopen.c            1.12.18.1
  netbsd-5      src/usr.bin/compress/zopen.c            1.12.10.1
  netbsd-4-0    src/usr.bin/compress/zopen.c            1.8.22.1
  netbsd-4      src/usr.bin/compress/zopen.c            1.8.18.1

gzip:

  CVS branch    file                                    revision
  ------------- ----------------                        --------
  HEAD          src/usr.bin/gzip/zuncompress.c          1.11
  netbsd-5-0    src/usr.bin/gzip/zuncompress.c          1.6.32.1
  netbsd-5-1    src/usr.bin/gzip/zuncompress.c          1.6.36.1
  netbsd-5      src/usr.bin/gzip/zuncompress.c          1.6.28.1
  netbsd-4-0    src/usr.bin/gzip/zuncompress.c          1.6.16.1
  netbsd-4      src/usr.bin/gzip/zuncompress.c          1.6.6.1

The following instructions briefly summarize how to update and
recompile the involved library and binaries. Replace:

  VERSION  with the fixed version from the appropriate CVS branch
           (from the above table)
  FILE     with the name of the file from the above table

For libXfont:
depending on your architecture and release version you will be using
XFree86 or Xorg. NetBSD-4 only has XFree, in later versions check by running
ls -l /usr/X11R?/man/man5/xorg.conf.5; its presence implies Xorg.
        # cd <where your xsrc is>
        # cvs update -r VERSION FILE

For compress and gzip, each:
        # cd <where your src is>
        # cvs update -r VERSION FILE

Then build and install:
        # cd src
        # ./build.sh -x -u <your other options> distribution
        # ./build.sh install=/


Thanks To
=========

Thanks to Joerg Sonnenberger for providing the fixes.


Revision History
================

        2011-09-20      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-007.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-007.txt,v 1.1 2011/09/20 08:14:22 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJOeEzFAAoJEAZJc6xMSnBuMgUQAM4JlhaDl84S9Gi1YB2r3vsF
+jl7bbwmPCRSMUZCxwsjraorSE++KvcNCOe+cYCPt8Jb6cBwJGeILtQsQpqb671e
gJwvUwMIJ5GXrmKzTcFcHW5d6yUJthU6ZvO8ftifobGeAgtS/9tOuaLMpsD9MQhj
EV33plHETDAQg0PZV6biIUiHD00vBJn1VXPFTPhoiq6mObmHy7huQ3X2bw5YZaBJ
f31wJxiUtgmEqK2nTS61ADerzUJTlIwHRCW401UUsSfi3aH7hB67U8aaa6Q1yaOY
RPtL1bm6mK6QxYxgUC7k4MeTAAirct34KIlO8miTCU1uw16sgIeTGL2MFZuccXW3
M7oPoRqPxQpuHhLnHhYz71AvhH1rqXRaGqn+d9cHbNNow1HQqLFUEY5BC1tSd83R
EodStDaZuhmdDT1P1QwczQtcJWGjJk40WS5VfQCwftnxZ5gcqTPKnNXsChOiKKCK
xUlP6azKpFjQ99iEtVFhT8K4b0bX6GOAhz/UZ1Or2quqlgHQAtzvDyKlrhWSsIro
gu8bR58D5bbfxBXNsLEQLGk2DFyjohEJvBOLQEyb0LiFvj7YCAISGdh0RWXn042K
nseijmE/4ZNev+ILX2X4njPXdNvNdttg//7WrDnfM8np7v8BTOogEiq0eILcMkNB
5z3J0XtLbJRNlbErRb/+
=Jzk2
-----END PGP SIGNATURE-----

Prev by Date: Re: Experiments with suspend machdep.sleep_state=3 on thinkpad T500
Next by Date: build break - port amd64 - usr/lib/librumpfs_syspuffs.so
Previous by Thread: daily CVS update output
Next by Thread: build break - port amd64 - usr/lib/librumpfs_syspuffs.so
Indexes:

Home | Main Index | Thread Index | Old Index