CVE-2001-1413

Name: CVE-2001-1413
Description: Stack-based buffer overflow in the comprexx function for ncompress 4.2.4 and earlier, when used in situations that cross security boundaries (such as FTP server), may allow remote attackers to execute arbitrary code via a long filename argument.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

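| Source Package | Release | Version | Status |
|---|---|---|---|
| ncompress (PTS) | jessie | 4.2.4.4-9 | fixed |
| | stretch | 4.2.4.4-16 | fixed |
| | buster | 4.2.4.5-3 | fixed |
| | bullseye | 4.2.4.6-4 | fixed |
| | bookworm | 4.2.4.6-6 | fixed |
| | sid, trixie | 5.0-2 | fixed |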

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ncompress | source | (unstable) | 4.2.4-15 | | | |

Notes

not vulnerable according to http://web.archive.org/web/20070529152436/http://www.debian.org/security/nonvulns-sarge
discussion at: http://archives.neohapsis.com/archives/linux/lsap/2001-q2/0081.html
listed sarge version contains a fix like the patch from Gentoo
