Vulnerability Note VU#176363
ncompress vulnerable to buffer overflow via long filename
Overview
Some versions of ncompress contain a buffer-overflow vulnerability.
Description
Versions 4.2.4 and earlier of ncompress do not properly handle filenames longer than 1023 characters.
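The following C sketch is an added example, not ncompress source code. It shows the kind of length check the description implies is missing: the full result is sized before anything is written into a fixed filename buffer. The 1024-byte buffer, the `.Z` suffix handling, and the function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF_SIZE 1024          /* assumed: 1023 characters plus the NUL */
static const char SUFFIX[] = ".Z";  /* assumed suffix added to output names */

/* Length of s, scanning at most max bytes (returns max if no NUL is found). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Write src followed by SUFFIX into dst[cap]. The whole result, including
   the NUL, is sized before any byte is written; a name that does not fit is
   refused rather than truncated. Returns the new length, or -1. */
long build_output_name(char *dst, size_t cap, const char *src)
{
    size_t s = sizeof SUFFIX - 1;
    size_t n = bounded_len(src, cap);
    if (n >= cap || s >= cap - n) { /* need n + s + 1 <= cap */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, src, n);
    memcpy(dst + n, SUFFIX, s + 1); /* copies the terminating NUL too */
    return (long)(n + s);
}

/* Constructed input: run a name made of len 'A' characters through a
   NAME_BUF_SIZE buffer and report the result. */
long try_name_of_length(size_t len)
{
    char buf[NAME_BUF_SIZE];
    char *src = malloc(len + 1);
    long out;
    if (src == NULL)
        return -1;
    memset(src, 'A', len);
    src[len] = '\0';
    out = build_output_name(buf, sizeof buf, src);
    if (out >= 0 && strlen(buf) != (size_t)out)
        out = -2;                   /* would indicate a bookkeeping error */
    free(src);
    return out;
}
```

Rejecting an over-long name instead of truncating it keeps the tool from silently operating on a different file than the one named.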
Impact
By supplying long filenames to ncompress, an attacker may be able to gain local access to the server or force ncompress to execute arbitrary code.
Solution
Obtain a patch from your vendor.
Remove ncompress or remove execute permissions.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Debian | Unknown | 29 Jan 2002 | 31 Jul 2002 |
| Hewlett-Packard Company | Unknown | 29 Jan 2002 | 31 Jul 2002 |
| IBM-zSeries | Unknown | 29 Jan 2002 | 31 Jul 2002 |
| MandrakeSoft | Unknown | 29 Jan 2002 | 31 Jul 2002 |
| Sequent | Unknown | 29 Jan 2002 | 31 Jul 2002 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
Credit
Thanks to Pavel Kankovsky for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
Other Information
- CVE IDs: Unknown
- Date Public: 20 Nov 2001
- Date First Published: 31 Jul 2002
- Date Last Updated: 10 Aug 2002
- Severity Metric: 0.92
- Document Revision: 10