Date: Wed, 10 Aug 2011 20:22:20 +0200
From: Tomas Hoger <thoger@...hat.com>
To: OSS Security <oss-security@...ts.openwall.com>
Subject: LZW decompression issues

Hi!

We've recently come across an issue in commonly re-used LZW
decompression implementations - original BSD compress and the GIF reader
written by David Koblas.  Due to insufficient input checking, an invalid
LZW stream can create a loop in the decompression table, leading to a
decompression stack buffer overflow.

The following bugzillas list various code bases that were checked for the
issue and whether they are affected or not:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2895
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2896

Many code bases are unaffected as the problem was fixed in the past,
so this is probably the N-th re-discovery of the issue.  Some previous
fixes were called security (CVE-2006-1168), some were not.  The problem
may not be security relevant, or may not have much security impact, in all
currently affected code bases, though please mail the list if you come
across any other affected code base that is not already mentioned and
that may be worth fixing.

-- 
Tomas Hoger / Red Hat Security Response Team
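
The C program below is an added example, not code from the message above or from any of the implementations it names. It models the Koblas-style decoder loop in simplified form (codes already unpacked from the bit stream, the whole stream decoded in one call; the table layout, field names, error codes and the two constructed code sequences are assumptions made for the example). It shows how two codes that arrive before they are defined can link two table entries into a cycle that the usual self-reference check does not catch, so that walking the prefix chain pushes bytes until the fixed-size stack overflows, and how bounding that walk by the stack capacity turns the overflow into an error.

```c
/* Simplified model of a Koblas-style GIF LZW decoder, written for this example (not the
 * original reader): codes arrive already unpacked from the bit stream, whole-stream decode. */
#include <string.h>

#define MAX_LZW_BITS 12
#define TABLE_SIZE   (1 << MAX_LZW_BITS)
#define STACK_SIZE   (2 * TABLE_SIZE)

enum { LZW_OK = 0, LZW_ERR_BAD_CODE = -1, LZW_ERR_SELF_LOOP = -2, LZW_ERR_CYCLE = -3, LZW_ERR_OUTPUT = -4 };

struct lzw {
    int clear_code, end_code, max_code, firstcode, oldcode;
    int prefix[TABLE_SIZE];                /* prefix[c]: code of c's string minus its last byte */
    unsigned char suffix[TABLE_SIZE];      /* suffix[c]: last byte of c's string */
    unsigned char stack[STACK_SIZE], *sp;  /* one decoded string, built back to front */
};

static void lzw_reset(struct lzw *z, int min_code_size)
{
    z->clear_code = 1 << min_code_size;
    z->end_code = z->clear_code + 1; z->max_code = z->clear_code + 2;
    memset(z->prefix, 0, sizeof z->prefix); memset(z->suffix, 0, sizeof z->suffix);
    for (int i = 0; i < z->clear_code; i++) z->suffix[i] = (unsigned char)i;  /* root codes */
    z->sp = z->stack;
}

/* Push suffix bytes along the prefix chain of `code` until a root code is reached. The
 * original-style check catches only a self-referencing entry; a longer cycle (a -> b -> a)
 * keeps pushing past the end of stack[]. No legitimate chain is longer than the table, so
 * the hardened bound (one slot is left for the caller's final push) ends any cycle. */
static int walk_prefix_chain(struct lzw *z, int code, int hardened)
{
    while (code >= z->clear_code) {
        if (hardened && z->sp >= z->stack + STACK_SIZE - 1) return LZW_ERR_CYCLE;
        *z->sp++ = z->suffix[code];
        if (code == z->prefix[code]) return LZW_ERR_SELF_LOOP;
        code = z->prefix[code];
    }
    return code;
}

/* Decode `codes` into `out`; returns LZW_OK (and sets *outlen) or an LZW_ERR_* value. */
static int lzw_decode(int min_code_size, const int *codes, size_t ncodes,
                      unsigned char *out, size_t outcap, size_t *outlen, int hardened)
{
    static struct lzw z;   /* ~28 KiB, so keep it off the call stack */
    size_t n = 0;
    int fresh = 1;
    lzw_reset(&z, min_code_size);
    for (size_t i = 0; i < ncodes; i++) {
        int code = codes[i], incode = code, root;
        if (code < 0 || code >= TABLE_SIZE) return LZW_ERR_BAD_CODE;
        if (code == z.clear_code) { lzw_reset(&z, min_code_size); fresh = 1; continue; }
        if (code == z.end_code) break;
        if (fresh) {                       /* first code after a clear: emit it directly */
            z.firstcode = z.oldcode = code;
            if (n >= outcap) return LZW_ERR_OUTPUT;
            out[n++] = z.suffix[code];
            fresh = 0;
            continue;
        }
        if (code >= z.max_code) {          /* code not defined yet (KwKwK case) */
            *z.sp++ = (unsigned char)z.firstcode;
            code = z.oldcode;
        }
        if ((root = walk_prefix_chain(&z, code, hardened)) < 0) return root;
        *z.sp++ = (unsigned char)(z.firstcode = z.suffix[root]);
        if (z.max_code < TABLE_SIZE) {     /* new entry: oldcode's string + firstcode */
            z.prefix[z.max_code] = z.oldcode;
            z.suffix[z.max_code++] = (unsigned char)z.firstcode;
        }
        z.oldcode = incode;
        while (z.sp > z.stack) {           /* the stack holds the string back to front */
            if (n >= outcap) return LZW_ERR_OUTPUT;
            out[n++] = *--z.sp;
        }
    }
    *outlen = n;
    return LZW_OK;
}

/* Constructed streams, min code size 3: clear = 8, end = 9, first free entry = 10. */
static const int valid_codes[] = { 8, 1, 2, 10, 12, 9 };  /* LZW encoding of 1 2 1 2 1 2 1 */
/* 12 and 11 are used before they are defined, so entry 11 gets prefix 12 and entry 12
 * gets prefix 11; the last 11 then walks 11 -> 12 -> 11 -> ... until the stack is full. */
static const int crafted_codes[] = { 8, 0, 12, 11, 12, 11 };

static int demo_valid(void)   /* 1 when both walks decode valid_codes to 1 2 1 2 1 2 1 */
{
    static const unsigned char want[] = { 1, 2, 1, 2, 1, 2, 1 };
    unsigned char a[64], b[64]; size_t na = 0, nb = 0;
    return lzw_decode(3, valid_codes, 6, a, sizeof a, &na, 0) == LZW_OK &&
           lzw_decode(3, valid_codes, 6, b, sizeof b, &nb, 1) == LZW_OK &&
           na == sizeof want && nb == sizeof want && !memcmp(a, want, na) && !memcmp(b, want, nb);
}

static int demo_crafted(void) /* the hardened decoder's verdict on crafted_codes */
{
    unsigned char buf[64]; size_t n = 0;
    /* hardened = 0 here would write past stack[] (undefined behaviour), so it is not run */
    return lzw_decode(3, crafted_codes, 6, buf, sizeof buf, &n, 1);
}
```

demo_valid() decodes a well-formed stream with and without the bound and checks that both give the same bytes; demo_crafted() feeds the crafted stream to the bounded decoder, which returns LZW_ERR_CYCLE instead of writing past stack[]. The unbounded walk is deliberately never run on the crafted stream, since that write is the overflow described in the message. Note that the self-reference check alone (code == prefix[code]) is what the crafted stream defeats: the cycle has length two, so neither entry points at itself. A bound on the number of pushes (the stack capacity here, or more tightly the number of table entries currently defined) is what actually closes the hole.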
