ID CVE-2006-1168
Summary The decompress function in compress42.c in (1) ncompress 4.2.4 and (2) liblzw allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code, via crafted data that leads to a buffer underflow.
References
Vulnerable Configurations
  • cpe:2.3:a:ncompress:ncompress:4.2.4
CVSS
Base: 7.5 (as of 14-08-2006 - 16:29)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-0168.NASL
    description An updated rhev-hypervisor5 package that fixes several security issues and various bugs is now available. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor5 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A heap overflow flaw was found in the way QEMU-KVM emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-0029) A divide-by-zero flaw was found in the Linux kernel's igmp_heard_query() function. An attacker able to send certain IGMP (Internet Group Management Protocol) packets to a target system could use this flaw to cause a denial of service. (CVE-2012-0207) A double free flaw was discovered in the policy checking code in OpenSSL. A remote attacker could use this flaw to crash an application that uses OpenSSL by providing an X.509 certificate that has specially crafted policy extension data. (CVE-2011-4109) An information leak flaw was found in the SSL 3.0 protocol implementation in OpenSSL. 
Incorrect initialization of SSL record padding bytes could cause an SSL client or server to send a limited amount of possibly sensitive data to its SSL peer via the encrypted connection. (CVE-2011-4576) It was discovered that OpenSSL did not limit the number of TLS/SSL handshake restarts required to support Server Gated Cryptography. A remote attacker could use this flaw to make a TLS/SSL server using OpenSSL consume an excessive amount of CPU by continuously restarting the handshake. (CVE-2011-4619) Red Hat would like to thank Nicolae Mogoreanu for reporting CVE-2012-0029, and Simon McVittie for reporting CVE-2012-0207. This updated package provides updated components that include fixes for various security issues. These issues have no security impact on Red Hat Enterprise Virtualization Hypervisor itself, however. The security fixes included in this update address the following CVE numbers : CVE-2006-1168 and CVE-2011-2716 (busybox issues) CVE-2009-5029, CVE-2009-5064, CVE-2010-0830 and CVE-2011-1089 (glibc issues) CVE-2011-1083, CVE-2011-3638, CVE-2011-4086, CVE-2011-4127 and CVE-2012-0028 (kernel issues) CVE-2011-1526 (krb5 issue) CVE-2011-4347 (kvm issue) CVE-2010-4008, CVE-2011-0216, CVE-2011-2834, CVE-2011-3905, CVE-2011-3919 and CVE-2011-1944 (libxml2 issues) CVE-2011-1749 (nfs-utils issue) CVE-2011-4108 (openssl issue) CVE-2011-0010 (sudo issue) CVE-2011-1675 and CVE-2011-1677 (util-linux issues) CVE-2010-0424 (vixie-cron issue) This updated rhev-hypervisor5 package fixes various bugs. Documentation of these changes will be available shortly in the Technical Notes document : https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization_for_Servers/2.2/html/Technical_Notes/index.html Users of Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which fixes these issues.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 79283
    published 2014-11-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79283
    title RHEL 5 : rhev-hypervisor5 (RHSA-2012:0168)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0663.NASL
    description Updated ncompress packages that address a security issue and fix bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The ncompress package contains file compression and decompression utilities, which are compatible with the original UNIX compress utility (.Z file extensions). Tavis Ormandy of the Google Security Team discovered a lack of bounds checking in ncompress. An attacker could create a carefully crafted file that could execute arbitrary code if uncompressed by a victim. (CVE-2006-1168) In addition, two bugs that affected Red Hat Enterprise Linux 4 ncompress packages were fixed : * The display statistics and compression results in verbose mode were not shown when operating on zero length files. * An attempt to compress zero length files resulted in an unexpected return code. Users of ncompress are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 22338
    published 2006-09-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22338
    title CentOS 3 / 4 : ncompress (CESA-2006:0663)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0663.NASL
    description Updated ncompress packages that address a security issue and fix bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The ncompress package contains file compression and decompression utilities, which are compatible with the original UNIX compress utility (.Z file extensions). Tavis Ormandy of the Google Security Team discovered a lack of bounds checking in ncompress. An attacker could create a carefully crafted file that could execute arbitrary code if uncompressed by a victim. (CVE-2006-1168) In addition, two bugs that affected Red Hat Enterprise Linux 4 ncompress packages were fixed : * The display statistics and compression results in verbose mode were not shown when operating on zero length files. * An attempt to compress zero length files resulted in an unexpected return code. Users of ncompress are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 22345
    published 2006-09-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22345
    title RHEL 2.1 / 3 / 4 : ncompress (RHSA-2006:0663)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-0810.NASL
    description Updated busybox packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries. A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168) The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Red Hat Enterprise Linux by default, and no DHCP client script is provided with the busybox packages. (CVE-2011-2716) This update also fixes the following bugs : * Prior to this update, the 'findfs' command did not recognize Btrfs partitions. As a consequence, an error message could occur when dumping a core file. This update adds support for recognizing such partitions so the problem no longer occurs. 
(BZ#751927) * If the 'grep' command was used with the '-F' and '-i' options at the same time, the '-i' option was ignored. As a consequence, the 'grep -iF' command incorrectly performed a case-sensitive search instead of an insensitive search. A patch has been applied to ensure that the combination of the '-F' and '-i' options works as expected. (BZ#752134) * Prior to this update, the msh shell did not support the 'set -o pipefail' command. This update adds support for this command. (BZ#782018) * Previously, the msh shell could terminate unexpectedly with a segmentation fault when attempting to execute an empty command as a result of variable substitution (for example msh -c '$nonexistent_variable'). With this update, msh has been modified to correctly interpret such commands and no longer crashes in this scenario. (BZ#809092) * Previously, the msh shell incorrectly executed empty loops. As a consequence, msh never exited such a loop even if the loop condition was false, which could cause scripts using the loop to become unresponsive. With this update, msh has been modified to execute and exit empty loops correctly, so that hangs no longer occur. (BZ#752132) All users of busybox are advised to upgrade to these updated packages, which contain backported patches to fix these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 59586
    published 2012-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59586
    title RHEL 6 : busybox (RHSA-2012:0810)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-140.NASL
    description Tavis Ormandy, of the Google Security Team, discovered that ncompress, when uncompressing data, performed no bounds checking, which could allow a specially crafted datastream to underflow a .bss buffer with attacker controlled data. Updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 23889
    published 2006-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23889
    title Mandrake Linux Security Advisory : ncompress (MDKSA-2006:140)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2012-103.NASL
    description A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168) The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. (CVE-2011-2716)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 69593
    published 2013-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69593
    title Amazon Linux AMI : busybox (ALAS-2012-103)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-0810.NASL
    description From Red Hat Security Advisory 2012:0810 : Updated busybox packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries. A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168) The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Red Hat Enterprise Linux by default, and no DHCP client script is provided with the busybox packages. (CVE-2011-2716) This update also fixes the following bugs : * Prior to this update, the 'findfs' command did not recognize Btrfs partitions. As a consequence, an error message could occur when dumping a core file. This update adds support for recognizing such partitions so the problem no longer occurs. 
(BZ#751927) * If the 'grep' command was used with the '-F' and '-i' options at the same time, the '-i' option was ignored. As a consequence, the 'grep -iF' command incorrectly performed a case-sensitive search instead of an insensitive search. A patch has been applied to ensure that the combination of the '-F' and '-i' options works as expected. (BZ#752134) * Prior to this update, the msh shell did not support the 'set -o pipefail' command. This update adds support for this command. (BZ#782018) * Previously, the msh shell could terminate unexpectedly with a segmentation fault when attempting to execute an empty command as a result of variable substitution (for example msh -c '$nonexistent_variable'). With this update, msh has been modified to correctly interpret such commands and no longer crashes in this scenario. (BZ#809092) * Previously, the msh shell incorrectly executed empty loops. As a consequence, msh never exited such a loop even if the loop condition was false, which could cause scripts using the loop to become unresponsive. With this update, msh has been modified to execute and exit empty loops correctly, so that hangs no longer occur. (BZ#752132) All users of busybox are advised to upgrade to these updated packages, which contain backported patches to fix these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68550
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68550
    title Oracle Linux 6 : busybox (ELSA-2012-0810)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201312-02.NASL
    description The remote host is affected by the vulnerability described in GLSA-201312-02 (BusyBox: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in BusyBox. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could send a specially crafted DHCP request to possibly execute arbitrary code or cause Denial of Service. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 71168
    published 2013-12-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71168
    title GLSA-201312-02 : BusyBox: Multiple vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2012-129.NASL
    description Multiple vulnerabilities were found and corrected in busybox : The decompress function in ncompress allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code, via crafted data that leads to a buffer underflow (CVE-2006-1168). A missing DHCP option checking / sanitization flaw was reported for multiple DHCP clients. This flaw may allow DHCP server to trick DHCP clients to set e.g. system hostname to a specially crafted value containing shell special characters. Various scripts assume that hostname is trusted, which may lead to code execution when hostname is specially crafted (CVE-2011-2716). Additionally for Mandriva Enterprise Server 5 various problems in the ka-deploy and uClibc packages were discovered and fixed with this advisory. The updated packages have been patched to correct these issues. Update : The wrong set of packages was sent out with the MDVSA-2012:129 advisory that lacked the fix for CVE-2006-1168. This advisory provides the correct packages.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 61978
    published 2012-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61978
    title Mandriva Linux Security Advisory : busybox (MDVSA-2012:129-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200610-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-200610-03 (ncompress: Buffer Underflow) Tavis Ormandy of the Google Security Team discovered a static buffer underflow in ncompress. Impact : An attacker could create a specially crafted LZW archive, that when decompressed by a user or automated system would result in the execution of arbitrary code with the permissions of the user invoking the utility. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 22522
    published 2006-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22522
    title GLSA-200610-03 : ncompress: Buffer Underflow
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1149.NASL
    description Tavis Ormandy from the Google Security Team discovered a missing boundary check in ncompress, the original Lempel-Ziv compress and uncompress programs, which allows a specially crafted datastream to underflow a buffer with attacker controlled data.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22691
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22691
    title Debian DSA-1149-1 : ncompress - buffer underflow
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-0308.NASL
    description From Red Hat Security Advisory 2012:0308 : Updated busybox packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries. A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168) The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Red Hat Enterprise Linux by default, and no DHCP client script is provided with the busybox packages. (CVE-2011-2716) This update also fixes the following bugs : * Prior to this update, the cp command wrongly returned the exit code 0 to indicate success if a device ran out of space while attempting to copy files of more than 4 gigabytes. This update modifies BusyBox, so that in such situations, the exit code 1 is returned. 
Now, the cp command shows correctly whether a process failed. (BZ#689659) * Prior to this update, the findfs command failed to check all existing block devices on a system with thousands of block device nodes in '/dev/'. This update modifies BusyBox so that findfs checks all block devices even in this case. (BZ#756723) All users of busybox are advised to upgrade to these updated packages, which correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68479
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68479
    title Oracle Linux 5 : busybox (ELSA-2012-0308)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2012-0810.NASL
    description Updated busybox packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries. A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168) The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Red Hat Enterprise Linux by default, and no DHCP client script is provided with the busybox packages. (CVE-2011-2716) This update also fixes the following bugs : * Prior to this update, the 'findfs' command did not recognize Btrfs partitions. As a consequence, an error message could occur when dumping a core file. This update adds support for recognizing such partitions so the problem no longer occurs. 
(BZ#751927) * If the 'grep' command was used with the '-F' and '-i' options at the same time, the '-i' option was ignored. As a consequence, the 'grep -iF' command incorrectly performed a case-sensitive search instead of an insensitive search. A patch has been applied to ensure that the combination of the '-F' and '-i' options works as expected. (BZ#752134) * Prior to this update, the msh shell did not support the 'set -o pipefail' command. This update adds support for this command. (BZ#782018) * Previously, the msh shell could terminate unexpectedly with a segmentation fault when attempting to execute an empty command as a result of variable substitution (for example msh -c '$nonexistent_variable'). With this update, msh has been modified to correctly interpret such commands and no longer crashes in this scenario. (BZ#809092) * Previously, the msh shell incorrectly executed empty loops. As a consequence, msh never exited such a loop even if the loop condition was false, which could cause scripts using the loop to become unresponsive. With this update, msh has been modified to execute and exit empty loops correctly, so that hangs no longer occur. (BZ#752132) All users of busybox are advised to upgrade to these updated packages, which contain backported patches to fix these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 59921
    published 2012-07-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59921
    title CentOS 6 : busybox (CESA-2012:0810)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20120221_BUSYBOX_ON_SL5_X.NASL
    description BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries. A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168) The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Scientific Linux by default, and no DHCP client script is provided with the busybox packages. (CVE-2011-2716) This update also fixes the following bugs : - Prior to this update, the cp command wrongly returned the exit code 0 to indicate success if a device ran out of space while attempting to copy files of more than 4 gigabytes. This update modifies BusyBox, so that in such situations, the exit code 1 is returned. Now, the cp command shows correctly whether a process failed. - Prior to this update, the findfs command failed to check all existing block devices on a system with thousands of block device nodes in '/dev/'. This update modifies BusyBox so that findfs checks all block devices even in this case. All users of busybox are advised to upgrade to these updated packages, which correct these issues.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61257
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61257
    title Scientific Linux Security Update : busybox on SL5.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_NCOMPRESS-1911.NASL
    description Lack of bounds checking in the decompression routine could result in a heap buffer underflow. Attackers could potentially exploit this to execute arbitrary code by tricking users into decompressing a specially crafted archive. (CVE-2006-1168)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29527
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29527
    title SuSE 10 Security Update : ncompress (ZYPP Patch Number 1911)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-0308.NASL
    description Updated busybox packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries. A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168) The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Red Hat Enterprise Linux by default, and no DHCP client script is provided with the busybox packages. (CVE-2011-2716) This update also fixes the following bugs : * Prior to this update, the cp command wrongly returned the exit code 0 to indicate success if a device ran out of space while attempting to copy files of more than 4 gigabytes. This update modifies BusyBox, so that in such situations, the exit code 1 is returned. Now, the cp command shows correctly whether a process failed. 
(BZ#689659) * Prior to this update, the findfs command failed to check all existing block devices on a system with thousands of block device nodes in '/dev/'. This update modifies BusyBox so that findfs checks all block devices even in this case. (BZ#756723) All users of busybox are advised to upgrade to these updated packages, which correct these issues.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 58062
    published 2012-02-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58062
    title RHEL 5 : busybox (RHSA-2012:0308)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2006-0663.NASL
    description From Red Hat Security Advisory 2006:0663 : Updated ncompress packages that address a security issue and fix bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The ncompress package contains file compression and decompression utilities, which are compatible with the original UNIX compress utility (.Z file extensions). Tavis Ormandy of the Google Security Team discovered a lack of bounds checking in ncompress. An attacker could create a carefully crafted file that could execute arbitrary code if uncompressed by a victim. (CVE-2006-1168) In addition, two bugs that affected Red Hat Enterprise Linux 4 ncompress packages were fixed : * The display statistics and compression results in verbose mode were not shown when operating on zero length files. * An attempt to compress zero length files resulted in an unexpected return code. Users of ncompress are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67406
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67406
    title Oracle Linux 3 / 4 : ncompress (ELSA-2006-0663)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20120620_BUSYBOX_ON_SL6_X.NASL
    description BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries. A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168) The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Scientific Linux by default, and no DHCP client script is provided with the busybox packages. (CVE-2011-2716) This update also fixes the following bugs : - Prior to this update, the 'findfs' command did not recognize Btrfs partitions. As a consequence, an error message could occur when dumping a core file. This update adds support for recognizing such partitions so the problem no longer occurs. - If the 'grep' command was used with the '-F' and '-i' options at the same time, the '-i' option was ignored. As a consequence, the 'grep -iF' command incorrectly performed a case-sensitive search instead of an insensitive search. A patch has been applied to ensure that the combination of the '-F' and '-i' options works as expected. - Prior to this update, the msh shell did not support the 'set -o pipefail' command. This update adds support for this command. - Previously, the msh shell could terminate unexpectedly with a segmentation fault when attempting to execute an empty command as a result of variable substitution (for example msh -c '$nonexistent_variable'). With this update, msh has been modified to correctly interpret such commands and no longer crashes in this scenario. - Previously, the msh shell incorrectly executed empty loops. As a consequence, msh never exited such a loop even if the loop condition was false, which could cause scripts using the loop to become unresponsive. With this update, msh has been modified to execute and exit empty loops correctly, so that hangs no longer occur. All users of busybox are advised to upgrade to these updated packages, which contain backported patches to fix these issues.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61337
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61337
    title Scientific Linux Security Update : busybox on SL6.x i386/x86_64
oval via4
accepted 2013-04-29T04:19:01.332-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description The decompress function in compress42.c in (1) ncompress 4.2.4 and (2) liblzw allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code, via crafted data that leads to a buffer underflow.
family unix
id oval:org.mitre.oval:def:9373
status accepted
submitted 2010-07-09T03:56:16-04:00
title The decompress function in compress42.c in (1) ncompress 4.2.4 and (2) liblzw allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code, via crafted data that leads to a buffer underflow.
version 22
redhat via4
advisories
  • bugzilla
    id 201335
    title CVE-2006-1168 Possibility to underflow a .bss buffer with attacker controlled data
    oval
    OR
    • AND
      comment Red Hat Enterprise Linux 3 is installed
      oval oval:com.redhat.rhba:tst:20070026001
    • AND
      comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304001
    rhsa
    id RHSA-2006:0663
    released 2006-09-12
    severity Low
    title RHSA-2006:0663: ncompress security update (Low)
  • rhsa
    id RHSA-2012:0810
rpms
  • busybox-1:1.2.0-13.el5
  • busybox-anaconda-1:1.2.0-13.el5
  • busybox-1:1.15.1-15.el6
  • busybox-petitboot-1:1.15.1-15.el6
refmap via4
bid 19455
confirm
debian DSA-1149
gentoo GLSA-200610-03
mandriva
  • MDKSA-2006:140
  • MDVSA-2012:129
misc
sectrack 1016836
secunia
  • 21427
  • 21434
  • 21437
  • 21467
  • 21880
  • 22036
  • 22296
  • 22377
sgi 20060901-01-P
suse SUSE-SR:2006:020
vupen ADV-2006-3234
xf ncompress-decompress-underflow(28315)
statements via4
contributor Mark J Cox
lastmodified 2007-03-14
organization Red Hat
statement Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Last major update 18-04-2013 - 21:52
Published 14-08-2006 - 16:04
Last modified 10-10-2017 - 21:30