NetBSD Security Advisory 2011-007
=================================

Topic:          LZW decoding loop on manipulated compressed files

Version:        NetBSD-current: source prior to Aug 17th, 2011
                NetBSD 5.0.*:   affected
                NetBSD 5.0:     affected
                NetBSD 5.1:     affected
                NetBSD 4.0.*:   affected
                NetBSD 4.0:     affected

Severity:       Denial of Service, possible Information Leak

Fixed:          NetBSD-current:         Aug 16th, 2011
                NetBSD-5-0 branch:      Aug 19th, 2011
                                        (5.0.3 will include the fix)
                NetBSD-5-1 branch:      Aug 19th, 2011
                                        (5.1.1 will include the fix)
                NetBSD-5 branch:        Aug 19th, 2011
                NetBSD-4-0 branch:      Aug 19th, 2011
                NetBSD-4 branch:        Aug 19th, 2011

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A highly compressible input file could overflow the uncompression stack
in libXfont. Also, specially crafted compressed files could cause
gzip(1) and compress(1) to go into an endless loop or overflow their
uncompression stack.

This vulnerability has been assigned CVE-2011-2895.


Technical Details
=================

There are two different issues termed "lzw uncompress issue".

The first one is libXfont and the corresponding copy in XFree86's
server. It contains a broken size definition of the uncompression
stack. If you create a highly compressible input file (e.g. from
/dev/zero) and pipe it through compress(1), the result can trivially
overflow the decompression stack.

For gzip(1) and compress(1), there was an issue with the input
validation. If the LZW input stream was manipulated to contain code
words larger than the current free entry, the decompressor would access
uninitialised memory. Depending on the content of this region, it is
possible that the output processing would loop or overflow the output
stack.

While freetype and freetype2 have the same input validation issue, they
are protected by the use of memset(3) on some internal tables.
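As an added illustration (not code from the advisory, nor from NetBSD's zopen.c or zuncompress.c), the following compress(1)-style LZW decoder over already-unpacked codes carries the input validation the advisory says gzip(1) and compress(1) lacked: a code above the current free entry is rejected instead of being followed into table entries that were never written. The function name, the 12-bit table size and the sample code sequences are choices made for this example.

```c
#include <stdint.h>
#include <string.h>

#define CLEAR    256          /* compress(1) clear-table code */
#define FIRST    257          /* first table entry allocated after a CLEAR */
#define MAXCODES (1 << 12)    /* table size for this example; compress(1) allows up to 16 bits */
/* Decode compress(1)-style LZW codes, already unpacked from their variable bit
 * width (a simplification of the real decoder), into out.  Returns bytes written,
 * or -1 on invalid input or insufficient output space. */
long lzw_decode(const uint16_t *codes, size_t ncodes, uint8_t *out, size_t outcap)
{
    uint16_t prefix[MAXCODES];  /* prefix[c]: code of string c minus its last byte */
    uint8_t  suffix[MAXCODES];  /* suffix[c]: last byte of string c */
    uint8_t  stack[MAXCODES];   /* strings unwind backwards through here */
    size_t   outlen = 0;
    int      free_ent = FIRST, oldcode = -1;
    uint8_t  finchar = 0;
    for (size_t i = 0; i < ncodes; i++) {
        int code = codes[i], incode, sp = 0;
        if (code == CLEAR) { free_ent = FIRST; oldcode = -1; continue; }
        if (oldcode == -1) {                    /* first code must be a literal */
            if (code > 255 || outlen >= outcap) return -1;
            finchar = (uint8_t)code; oldcode = code; out[outlen++] = finchar;
            continue;
        }
        /* The check the vulnerable decoders lacked: entries at or above free_ent
         * were never written, so walking their prefix chain reads stale memory
         * and may cycle forever or overrun stack[] (CVE-2011-2895). */
        if (code > free_ent || code >= MAXCODES) return -1;
        incode = code;
        if (code == free_ent) {                 /* KwKwK: string not yet in table */
            stack[sp++] = finchar;
            code = oldcode;
        }
        /* Each stored prefix is smaller than its index: the walk strictly descends. */
        while (code > 255) { stack[sp++] = suffix[code]; code = prefix[code]; }
        finchar = (uint8_t)code; stack[sp++] = finchar;
        if (outlen + (size_t)sp > outcap) return -1;
        while (sp > 0) out[outlen++] = stack[--sp];
        if (free_ent < MAXCODES) {              /* new entry: oldcode + finchar */
            prefix[free_ent] = (uint16_t)oldcode;
            suffix[free_ent] = finchar;
            free_ent++;
        }
        oldcode = incode;
    }
    return (long)outlen;
}
```

With the check removed, a stream such as {65, 66, 300} would read prefix[300] before any entry above 258 exists, which is the stale-memory path the advisory describes.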
Both libarchive and GNU gzip contain the necessary input validation to
avoid the problem.


Solutions and Workarounds
=========================

Via download:
+++++++++++++

Download base.tgz and xbase.tgz from

  http://nyftp.netbsd.org/pub/NetBSD-daily////binary/sets/

or a mirror, with version being e.g. netbsd-4, date being a build
version, and arch being the appropriate architecture.

Install the downloaded files via e.g.

  # cd /
  # tar xzpf /path/to/base.tgz
  # tar xzpf /path/to/xbase.tgz

If you have been running any X11 server or client binaries on your
machine, you will have to restart them now, or reboot the machine, in
order to ensure all bits of vulnerable code have been purged from
memory.

Via building:
+++++++++++++

Patch, recompile, and reinstall the library and binaries.

libXfont:

  Xorg:
    FILE xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c

    CVS branch      Revision
    -------------   --------------
    HEAD            1.3
    netbsd-5-0      1.1.1.1.4.2
    netbsd-5-1      1.1.1.1.2.1.2.1
    netbsd-5        1.1.1.1.2.2

  XFree86:
    FILE xsrc/xfree/xc/lib/font/fontfile/decompress.c

    CVS branch      Revision
    -------------   --------------
    HEAD            1.2
    netbsd-5-0      1.1.1.4.24.1
    netbsd-5-1      1.1.1.4.26.1
    netbsd-5        1.1.1.4.22.1
    netbsd-4-0      1.1.1.4.20.1
    netbsd-4        1.1.1.4.18.1

compress:

  CVS branch      file                              revision
  -------------   -------------------------------   --------
  HEAD            src/usr.bin/compress/zopen.c      1.15
  netbsd-5-0      src/usr.bin/compress/zopen.c      1.12.14.1
  netbsd-5-1      src/usr.bin/compress/zopen.c      1.12.18.1
  netbsd-5        src/usr.bin/compress/zopen.c      1.12.10.1
  netbsd-4-0      src/usr.bin/compress/zopen.c      1.8.22.1
  netbsd-4        src/usr.bin/compress/zopen.c      1.8.18.1

gzip:

  CVS branch      file                              revision
  -------------   -------------------------------   --------
  HEAD            src/usr.bin/gzip/zuncompress.c    1.11
  netbsd-5-0      src/usr.bin/gzip/zuncompress.c    1.6.32.1
  netbsd-5-1      src/usr.bin/gzip/zuncompress.c    1.6.36.1
  netbsd-5        src/usr.bin/gzip/zuncompress.c    1.6.28.1
  netbsd-4-0      src/usr.bin/gzip/zuncompress.c    1.6.16.1
  netbsd-4        src/usr.bin/gzip/zuncompress.c    1.6.6.1

The following instructions briefly summarize how to update and
recompile the involved library and binaries. Replace:

  VERSION with the fixed version from the appropriate CVS branch
          (from the above table)
  FILE    with the name of the file from the above table

For libXfont: depending on your architecture and release version you
will be using XFree86 or Xorg. NetBSD-4 only has XFree86; in later
versions check by running

  ls -l /usr/X11R?/man/man5/xorg.conf.5

Its presence implies Xorg.

  # cd
  # cvs update -r VERSION FILE

For compress and gzip, each:

  # cd
  # cvs update -r VERSION FILE

Then build and install:

  # cd src
  # ./build.sh -x -u distribution
  # ./build.sh install=/


Thanks To
=========

Thanks to Joerg Sonnenberger for providing the fixes.


Revision History
================

2011-09-20      Initial release


More Information
================

Advisories may be updated as new information becomes available. The
most recent version of this advisory (PGP signed) can be found at

  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-007.txt.asc

Information about NetBSD and NetBSD security can be found at

  http://www.NetBSD.org/
  http://www.NetBSD.org/Security/


Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2011-007.txt,v 1.1 2011/09/20 08:14:22 tonnerre Exp $