
NetBSD - gzip buffer overrun with long filename

/usr/bin/gzip, a file compression program, does not properly check the length of a supplied filename against the size of the fixed buffer it copies the name into. An overly long filename overruns that buffer, which can lead to execution of arbitrary code with the privileges of the process running gzip.

  • Vendor: NetBSD
  • Vendor ID:
  • Date: March 13, 2002


Some ftp daemons (wu-ftpd, for example) invoke gzip on demand on behalf of
remote clients. If your systems run such a daemon, then depending on its
configuration this could lead to a remote root compromise.


Technical Details
=================

http://www.securityfocus.com/bid/3712
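The advisory does not reproduce the affected gzip code, so the following is an added illustration of the bug class it describes, not gzip's own source: a supplied filename copied into a fixed-size buffer with no length check, beside a checked form that rejects the name instead of overrunning the buffer. MAX_PATH_LEN (1024) is taken from gzip's header as the buffer size; the function names, the ".gz" suffix handling and the helper routines are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* gzip sizes its file-name buffers with MAX_PATH_LEN (1024 in gzip.h); the
 * value is borrowed from the gzip source, the advisory itself does not state it. */
#define MAX_PATH_LEN 1024
#define Z_SUFFIX ".gz"

/*
 * Unchecked pattern (the bug class the advisory describes): the supplied
 * name is copied into a fixed buffer and the suffix appended without any
 * comparison against the buffer size. A name longer than about 1020 bytes
 * writes past the end of `out`; when that buffer lives on the stack, the
 * saved return address is among what gets overwritten. Illustrative only,
 * never call it with an untrusted name.
 */
void ofname_unchecked(char *out, const char *iname)
{
    strcpy(out, iname);
    strcat(out, Z_SUFFIX);
}

/*
 * Checked form: refuse the file unless name + suffix + NUL fit in `out`.
 * Returns 0 on success and -1 if the name was rejected (out is untouched),
 * in the spirit of gzip warning about one file and skipping it rather than
 * aborting the whole run.
 */
int ofname_checked(char *out, size_t outlen, const char *iname)
{
    size_t nlen = strlen(iname);
    size_t slen = strlen(Z_SUFFIX);

    /* nlen >= outlen also keeps outlen - nlen from underflowing below */
    if (outlen == 0 || nlen >= outlen || slen >= outlen - nlen) {
        fprintf(stderr, "gzip: %.32s...: file name too long\n", iname);
        return -1;
    }
    memcpy(out, iname, nlen);
    memcpy(out + nlen, Z_SUFFIX, slen + 1);   /* slen + 1 copies the NUL */
    return 0;
}

/* Test helper: builds a constructed name of `len` 'A' characters and feeds it
 * to ofname_checked with a MAX_PATH_LEN buffer; returns that call's result. */
int try_checked(size_t len)
{
    static char name[8192];
    static char out[MAX_PATH_LEN];

    if (len >= sizeof name)
        return -2;
    memset(name, 'A', len);
    name[len] = '\0';
    return ofname_checked(out, sizeof out, name);
}

/* Test helper: for a name the checked form accepts, both builders must
 * produce the same output; returns 1 if they agree, 0 otherwise. */
int builders_agree(const char *iname)
{
    char a[MAX_PATH_LEN], b[MAX_PATH_LEN];

    if (ofname_checked(b, sizeof b, iname) != 0)
        return 0;                /* only compare names that are safe to pass */
    ofname_unchecked(a, iname);
    return strcmp(a, b) == 0;
}

int main(void)
{
    char out[MAX_PATH_LEN];
    static char longname[2000];   /* constructed 1999-byte name */

    ofname_checked(out, sizeof out, "report.txt");
    printf("short name -> %s\n", out);

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("long name  -> %s\n",
           ofname_checked(out, sizeof out, longname) == 0 ? out : "rejected");
    return 0;
}
```

The boundary is the point to test: with a 1024-byte buffer and a three-byte suffix, a 1020-character name is the longest that still fits with its terminating NUL, and a 1021-character name must be refused. Any name a remote client can supply, such as one an ftp daemon passes to gzip for on-the-fly compression, should be assumed to reach that boundary.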


Solutions and Workarounds
=========================


The following instructions describe how to upgrade your /usr/bin/gzip
binaries by updating your source tree and rebuilding and
installing a new version of /usr/bin/gzip.

* NetBSD-current:

Systems running NetBSD-current dated from before 2002-01-16
should be upgraded to NetBSD-current dated 2002-01-17 or later.

The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
gnu/usr.bin/gzip

To update from CVS, re-build, and re-install gzip:
# cd src
# cvs update -d -P gnu/usr.bin/gzip
# cd gnu/usr.bin/gzip

# make cleandir dependall
# make install


* NetBSD 1.5, 1.5.1, 1.5.2:

Systems running NetBSD 1.5, 1.5.1 or 1.5.2 sources dated from
before 2002-01-16 should be upgraded from NetBSD 1.5.*
sources dated 2002-01-17 or later.

NetBSD 1.5.3 will not be vulnerable.

The following directories need to be updated from the
netbsd-1-5 CVS branch:
gnu/usr.bin/gzip

To update from CVS, re-build, and re-install gzip:

# cd src
# cvs update -d -P gnu/usr.bin/gzip
# cd gnu/usr.bin/gzip

# make cleandir dependall
# make install

Alternatively, apply the following patch (with potential offset
differences):


ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-002-gzip.patch

To patch, re-build and re-install gzip(1):

# cd src/gnu/usr.bin/gzip
# patch
