Vulnerability Note VU#176363

ncompress vulnerable to buffer overflow via long filename

Original Release date: 31 Jul 2002 | Last revised: 10 Aug 2002

Overview

Some versions of ncompress contain a buffer-overflow vulnerability.

Description

Versions 4.2.4 and earlier of ncompress do not properly handle filenames longer than 1023 characters.

Impact

By supplying long filenames to ncompress, an attacker may be able to gain local access to the server or force ncompress to execute arbitrary code.

Solution

Obtain a patch from your vendor.

Remove ncompress or remove execute permissions.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
DebianUnknown29 Jan 200231 Jul 2002
Hewlett-Packard CompanyUnknown29 Jan 200231 Jul 2002
IBM-zSeriesUnknown29 Jan 200231 Jul 2002
MandrakeSoftUnknown29 Jan 200231 Jul 2002
SequentUnknown29 Jan 200231 Jul 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Pavel Kankovsky for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

  • CVE IDs: Unknown
  • Date Public: 20 Nov 2001
  • Date First Published: 31 Jul 2002
  • Date Last Updated: 10 Aug 2002
  • Severity Metric: 0.92
  • Document Revision: 10

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.