From: Jim Meyering Date: Sun, 10 Jan 2010 16:13:01 +0000 (+0100) Subject: gzip -d: do not clobber stack for valid input on x86_64 X-Git-Tag: v1.4~2 X-Git-Url: https://git.gag.com/?a=commitdiff_plain;h=a3db5806d012082b9e25cc36d09f19cd736a468f;p=debian%2Fgzip gzip -d: do not clobber stack for valid input on x86_64 * unlzw.c (unlzw): Avoid integer overflow. Aki Helin reported the segfault along with an input to trigger the bug. * NEWS (Bug fixes): Mention it. --- diff --git a/NEWS b/NEWS index 3e50762..747253f 100644 --- a/NEWS +++ b/NEWS @@ -4,6 +4,11 @@ GNU gzip NEWS -*- outline -*- ** Bug fixes + gzip -d could segfault and/or clobber the stack, possibly leading to + arbitrary code execution. This affects x86_64 but not 32-bit systems. + This fixes CVE-2010-0001. + For more details, see http://bugzilla.redhat.com/554418 + gzip -d would fail with a CRC error for some valid inputs. So far, the only valid input known to exhibit this failure was compressed "from FAT filesystem (MS-DOS, OS/2, NT)". In addition, diff --git a/THANKS b/THANKS index 4725543..183d39c 100644 --- a/THANKS +++ b/THANKS @@ -97,6 +97,7 @@ Harald Hanche-Olsen hanche@ams.sunysb.edu Darrel R. Hankerson hankedr@mail.auburn.edu Mark Hanning-Lee markhl@romeo.caltech.edu Lars Hecking st000002@hrz1.hrz.th-darmstadt.de +Aki Helin aki.helin@iki.fi Ruediger Helsch ruediger@ramz.ing.tu-bs.de Mark C. Henderson mch@sqwest.wimsey.bc.ca Karl Heuer karl@kelp.boston.ma.us diff --git a/unlzw.c b/unlzw.c index fb9ff76..8f8cbee 100644 --- a/unlzw.c +++ b/unlzw.c @@ -240,7 +240,8 @@ int unlzw(in, out) int o; resetbuf: - e = insize-(o = (posbits>>3)); + o = posbits >> 3; + e = o <= insize ? insize - o : 0; for (i = 0 ; i < e ; ++i) { inbuf[i] = inbuf[i+o];
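Review bot: The NEWS entry (hunk in NEWS, lines "+ gzip -d could segfault and/or clobber the stack ...") names the symptom, the platform and CVE-2010-0001 but not the input class that triggers it; since the only code change is in unlzw.c, users reading NEWS cannot tell that only LZW (.Z) decompression is affected. Suggest adding a clause such as "when decompressing LZW-compressed (.Z) input" so administrators can scope the exposure, and keep the bugzilla URL as the pointer for the details that do not belong in NEWS.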
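Review bot: In the unlzw.c hunk, the old line "e = insize-(o = (posbits>>3));" underflows whenever o exceeds insize, and the unchanged loop "for (i = 0 ; i < e ; ++i) { inbuf[i] = inbuf[i+o];" then copies far past inbuf, which is the stack clobber the commit message describes; the new "e = o <= insize ? insize - o : 0;" correctly clamps the length so the loop body never runs in that case. Two follow-ups worth considering: first, o > insize means the bit position has run past the data actually buffered, which is a corrupt-stream condition rather than an empty-tail case, so silently continuing with e = 0 may be better replaced by (or at least documented relative to) the function's existing corrupt-input error path, with a one-line comment stating the invariant o <= insize the code now relies on; second, since o is a signed int and insize is unsigned, the comparison "o <= insize" promotes o to unsigned, so a negative o lands in the safe e = 0 branch, which is fine but deserves a comment so a later reader does not "fix" the type mix. A regression test built from the triggering input mentioned in the commit message would pin the behaviour on x86_64.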