ncompress: Buffer Underflow — GLSA 200610-03

A buffer underflow vulnerability has been reported in ncompress allowing for the execution of arbitrary code.

Affected packages

Package 	app-arch/ncompress on all architectures
Affected versions 	< 4.2.4.1
Unaffected versions 	>= 4.2.4.1

Background

ncompress is a suite of utilities to create and extract Lempel-Ziff-Welch (LZW) compressed archives.

Description

Tavis Ormandy of the Google Security Team discovered a static buffer underflow in ncompress.

Impact

An attacker could create a specially crafted LZW archive, that when decompressed by a user or automated system would result in the execution of arbitrary code with the permissions of the user invoking the utility.

Workaround

There is no known workaround at this time.

Resolution

All ncompress users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-arch/ncompress-4.2.4.1"

References

    CVE-2006-1168