Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

NetBSD Security Advisory 2011-007: LZW decoding loop on manipulated compressed files

Hash: SHA1

                 NetBSD Security Advisory 2011-007

Topic:          LZW decoding loop on manipulated compressed files

Version:        NetBSD-current:         source prior to Aug 17th, 2011
                NetBSD 5.0.*:           affected
                NetBSD 5.0:             affected
                NetBSD 5.1:             affected
                NetBSD 4.0.*:           affected
                NetBSD 4.0:             affected

Severity:       Denial of Service, possible Information Leak

Fixed:          NetBSD-current:         Aug 16th, 2011
                NetBSD-5-0 branch:      Aug 19th, 2011
                        (5.0.3 will include the fix)
                NetBSD-5-1 branch:      Aug 19th, 2011
                        (5.1.1 will include the fix)
                NetBSD-5 branch:        Aug 19th, 2011
                NetBSD-4-0 branch:      Aug 19th, 2011
                NetBSD-4 branch:        Aug 19th, 2011

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


A highly compressable input file could overflow the uncompression stack
in libXfont. Also, specially crafted compressed files could cause gzip(1)
and compress(1) to go into an endless loop or overflow their uncompression

This vulnerability has been assigned CVE-2011-2895.

Technical Details

There are two different issues termed "lzw uncompress issue".

The first one is libXfont and the corresponding copy in XFree86's server.
It contains a broken size definition of the uncompression stack.
If you create a highly compressable input file (e.g. from /dev/zero)
and pipe it through compress(1), the result can trivially overflow
the decompression stack.

For gzip(1) and compress(1), there was an issue with the input validation.
If the LZW input stream was manipulated to contain code words larger
than the current free entry, the decompressor would access uninitialised
memory. Depending on the content of this region, it is possible that
the output processing would loop or overflow the output stack.

While freetype and freetype2 have the same input validation issue, they
are protected by the use of memset(3) on some internal tables.

Both libarchive and GNU gzip contain the necessary input validation to
avoid the problem.

Solutions and Workarounds

Via download:
Download base.tgz and xbase.tgz from<version>/<date>/<arch>/binary/sets/
or a mirror, with version being eg netbsd-4, date being a build version,
and arch being the appropriate architecture.

Install the downloaded files via eg
        # cd /
        # tar xzpf /path/to/base.tgz
        # tar xzpf /path/to/xbase.tgz

If you have been running any X11 server or client binaries on your
machine, you will have to restart them now, or to reboot the machine
in order to ensure all bits of vulnerable code have been purged from

Via building:
Patch, recompile, and reinstall the library and binaries.


  Xorg: FILE xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c

  CVS branch    Revision
  ------------- --------------
  HEAD          1.3

  XFree86: FILE xsrc/xfree/xc/lib/font/fontfile/decompress.c

  CVS branch    Revision
  ------------- --------------
  HEAD          1.2


  CVS branch    file                                    revision
  ------------- ----------------                        --------
  HEAD          src/usr.bin/compress/zopen.c            1.15
  netbsd-5-0    src/usr.bin/compress/zopen.c  
  netbsd-5-1    src/usr.bin/compress/zopen.c  
  netbsd-5      src/usr.bin/compress/zopen.c  
  netbsd-4-0    src/usr.bin/compress/zopen.c  
  netbsd-4      src/usr.bin/compress/zopen.c  


  CVS branch    file                                    revision
  ------------- ----------------                        --------
  HEAD          src/usr.bin/gzip/zuncompress.c          1.11
  netbsd-5-0    src/usr.bin/gzip/zuncompress.c
  netbsd-5-1    src/usr.bin/gzip/zuncompress.c
  netbsd-5      src/usr.bin/gzip/zuncompress.c
  netbsd-4-0    src/usr.bin/gzip/zuncompress.c
  netbsd-4      src/usr.bin/gzip/zuncompress.c

The following instructions briefly summarize how to update and
recompile the involved library and binaries. Replace:

  VERSION  with the fixed version from the appropriate CVS branch
           (from the above table)
  FILE     with the name of the file from the above table

For libXfont:
depending on your architecture and release version you will be using
XFree86 or Xorg. NetBSD-4 only has XFree, in later versions check by running
ls -l /usr/X11R?/man/man5/xorg.conf.5; its presence implies Xorg.
        # cd <where your xsrc is>
        # cvs update -r VERSION FILE

For compress and gzip, each:
        # cd <where your src is>
        # cvs update -r VERSION FILE

Then build and install:
        # cd src
        # ./ -x -u <your other options> distribution
        # ./ install=/

Thanks To

Thanks to Joerg Sonnenberger for providing the fixes.

Revision History

        2011-09-20      Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and .

Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-007.txt,v 1.1 2011/09/20 08:14:22 tonnerre Exp $

Version: GnuPG v1.4.11 (GNU/Linux)


Home | Main Index | Thread Index | Old Index