RHSA-2004:536 - Security Advisory

Topic

An updated ncompress package that fixes a buffer overflow and problem in
the handling of files larger than 2 GB is now available.

Description

The ncompress package contains the compress and uncompress file compression
and decompression utilities, which are compatible with the original UNIX
compress utility (.Z file extensions).

A bug in the way ncompress handles long filenames has been discovered.
ncompress versions 4.2.4 and earlier contain a stack based buffer overflow
when handling very long filenames. It is possible that an attacker could
execute arbitrary code on a victims machine by tricking the user into
decompressing a carefully crafted filename. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2001-1413 to
this issue.

This updated ncompress package also fixes a problem in the handling of
files larger than 2 GB.

All users of ncompress should upgrade to this updated package, which
contains fixes for these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

Affected Products

• Red Hat Enterprise Linux Server 2 ia64
• Red Hat Enterprise Linux Server 2 i386
• Red Hat Enterprise Linux Workstation 2 ia64
• Red Hat Enterprise Linux Workstation 2 i386

Fixes

• BZ - 126776 - [RHEL2.1] compress does not work if the file size is greater than 2GB
• BZ - 136661 - CAN-2001-1413 Stack-based buffer overflow in the comprexx function

CVEs

• CVE-2001-1413

References

(none)