Debian Bug report logs - #507263
gzip: segfaults on deflate of malformed input file

Package: gzip; Maintainer for gzip is Bdale Garbee <bdale@gag.com>; Source for gzip is src:gzip.

Reported by: Thiemo Nagel <thiemo.nagel@ph.tum.de>

Date: Sat, 29 Nov 2008 15:06:01 UTC

Severity: normal

Tags: patch

Found in version gzip/1.3.12-6

Fixed in version gzip/1.3.12-8

Done: Carl Worth <cworth@cworth.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, thiemo.nagel@ph.tum.de, Bdale Garbee <bdale@gag.com>:
Bug#507263; Package gzip. (Sat, 29 Nov 2008 15:06:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thiemo Nagel <thiemo.nagel@ph.tum.de>:
New Bug report received and forwarded. Copy sent to thiemo.nagel@ph.tum.de, Bdale Garbee <bdale@gag.com>. (Sat, 29 Nov 2008 15:06:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Thiemo Nagel <thiemo.nagel@ph.tum.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gzip: segfaults on deflate of malformed input file
Date: Sat, 29 Nov 2008 16:06:59 +0100
[Message part 1 (text/plain, inline)]
Package: gzip
Version: 1.3.12-6
Severity: normal
Tags: patch


A specific malformed input file (cf. attachment) either leads to gzip
crashing with segmentation violation or hanging in an endless loop.

Attached patch fixes the problem.

The issue doesn't look exploitable to me, but I'm not an expert.

Kind regards,

Thiemo Nagel

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.27.4-tn4 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages gzip depends on:
ii  debianutils                   2.30       Miscellaneous utilities specific t
ii  libc6                         2.7-16     GNU C Library: Shared libraries

gzip recommends no packages.

Versions of packages gzip suggests:
ii  less                          418-1      Pager program similar to more

-- no debconf information
[segv.gz (application/x-gzip, attachment)]
[gzip.patch (text/x-c, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#507263; Package gzip. (Sat, 24 Jan 2009 05:21:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Carl Worth <cworth@cworth.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Sat, 24 Jan 2009 05:21:02 GMT) Full text and rfc822 format available.

Message #10 received at 507263@bugs.debian.org (full text, mbox):

From: Carl Worth <cworth@cworth.org>
To: 507263@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Thanks for the patch
Date: Sat, 24 Jan 2009 16:19:05 +1100
[Message part 1 (text/plain, inline)]
tags 507263 + pending
thanks

Thanks for the patch Thiemo. I've verified this and have it in a git
commit ready to push out into a new package release, (assuming Bdale
reviews and approves of course). But we'll wait for lenny to release and
for unstable to unfreeze before we push it.

-Carl

[signature.asc (application/pgp-signature, inline)]

Tags added: pending Request was from Carl Worth <cworth@cworth.org> to control@bugs.debian.org. (Sat, 24 Jan 2009 05:21:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#507263; Package gzip. (Sat, 24 Jan 2009 05:27:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Carl Worth <cworth@cworth.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Sat, 24 Jan 2009 05:27:02 GMT) Full text and rfc822 format available.

Message #17 received at 507263@bugs.debian.org (full text, mbox):

From: Carl Worth <cworth@cworth.org>
To: bug-gzip@gnu.org
Cc: 507263@bugs.debian.org
Subject: Patch to avoid creating undersized hufts table
Date: Sat, 24 Jan 2009 16:23:40 +1100
[Message part 1 (text/plain, inline)]
Thiemo Nagel reported (to the Debian project) that a specially-crafted
file could cause gzip to segfault or hang. The file is attached below.

Also attached is a patch that addresses the problem. With this patch
attached, gzip will simply report a malformed input file and exit as
desired.

-Carl

[segv.gz (application/x-gzip, attachment)]
[0001-Avoid-creating-an-undersized-buffer-for-the-hufts-ta.patch (application/mbox, attachment)]
[signature.asc (application/pgp-signature, inline)]
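
A regression check for the three outcomes this thread describes (segfault, hang, or a clean "malformed input" exit), added here as an example; it is not part of the original messages or of the gzip patch. It assumes GNU coreutils `timeout` is available; the function names and the reproducer path are hypothetical.

```shell
#!/bin/sh
# Added example: classify how a decompressor handles a suspect input.
# classify_run LIMIT_SECONDS CMD [ARGS...]
# Prints one of: accepted, rejected, hang, crash:signal-N, other:N
classify_run() {
    limit=$1
    shift
    rc=0
    # "|| rc=$?" keeps the status even when the caller uses "set -e".
    timeout "$limit" "$@" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)   echo accepted ;;   # input decoded without complaint
        1|2) echo rejected ;;   # gzip exits 1 on error, 2 on warning
        124) echo hang ;;       # timeout(1) gave up: the endless loop case
        *)
            if [ "$rc" -gt 128 ]; then
                # 128+N means death by signal N (139 = SIGSEGV)
                echo "crash:signal-$((rc - 128))"
            else
                echo "other:$rc"
            fi ;;
    esac
}

# check_reproducer FILE
# Succeeds only when gzip rejects FILE cleanly, the behaviour the thread
# describes for the patched build. FILE is whatever path holds the saved
# reproducer (hypothetical; the attachment is not reproduced here).
check_reproducer() {
    result=$(classify_run 10 gzip -t -- "$1")
    echo "gzip -t $1: $result" >&2
    [ "$result" = rejected ]
}
```

Run `check_reproducer` against the saved attachment before and after upgrading; a `hang` or `crash:signal-11` result means the installed build still has the problem.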

Reply sent to Carl Worth <cworth@cworth.org>:
You have taken responsibility. (Fri, 27 Feb 2009 23:06:07 GMT) Full text and rfc822 format available.

Notification sent to Thiemo Nagel <thiemo.nagel@ph.tum.de>:
Bug acknowledged by developer. (Fri, 27 Feb 2009 23:06:07 GMT) Full text and rfc822 format available.

Message #22 received at 507263-close@bugs.debian.org (full text, mbox):

From: Carl Worth <cworth@cworth.org>
To: 507263-close@bugs.debian.org
Subject: Bug#507263: fixed in gzip 1.3.12-8
Date: Fri, 27 Feb 2009 22:47:04 +0000
Source: gzip
Source-Version: 1.3.12-8

We believe that the bug you reported is fixed in the latest version of
gzip, which is due to be installed in the Debian FTP archive:

gzip-win32_1.3.12-8_all.deb
  to pool/main/g/gzip/gzip-win32_1.3.12-8_all.deb
gzip_1.3.12-8.diff.gz
  to pool/main/g/gzip/gzip_1.3.12-8.diff.gz
gzip_1.3.12-8.dsc
  to pool/main/g/gzip/gzip_1.3.12-8.dsc
gzip_1.3.12-8_i386.deb
  to pool/main/g/gzip/gzip_1.3.12-8_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 507263@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Carl Worth <cworth@cworth.org> (supplier of updated gzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 27 Feb 2009 12:54:37 -0800
Source: gzip
Binary: gzip gzip-win32
Architecture: source all i386
Version: 1.3.12-8
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Carl Worth <cworth@cworth.org>
Description: 
 gzip       - GNU compression utilities
 gzip-win32 - The GNU compression utility (win32 build)
Closes: 168606 507263
Changes: 
 gzip (1.3.12-8) unstable; urgency=low
 .
   * Add Carl Worth as an uploader.
   * Fix "-f -" to work with zgrep, closes: #168606
   * Avoid creating undersized hufts table, closes: #507263





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 Apr 2009 07:33:25 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 20:59:04 2014; Machine Name: buxtehude.debian.org