fix bss buffer underflow CVE-2006-1168 (#201919)

ncompress-4.2.4-bssUnderflow.patch

@@ -0,0 +1,13 @@
+--- ncompress-4.2.4/compress42.c.bssUnderflow	2006-08-10 11:40:03.000000000 +0200
++++ ncompress-4.2.4/compress42.c	2006-08-10 11:40:31.000000000 +0200
+@@ -1689,6 +1689,10 @@
+ 
+ 				if (oldcode == -1)
+ 				{
++		                        if (code >= 256) {
++                	                        fprintf(stderr, "uncompress: corrupt input\n");
++                        	                abort_compress();
++                                	}
+ 					outbuf[outpos++] = (char_type)(finchar = (int)(oldcode = code));
+ 					continue;
+ 				}

ncompress.spec

@@ -1,7 +1,7 @@
 Summary: Fast compression and decompression utilities.
 Name: ncompress
 Version: 4.2.4
-Release: 44.1
+Release: 45
 License: distributable
 Group: Applications/File
 Source: ftp://metalab.unc.edu/pub/Linux/utils/compress/ncompress-4.2.4.tar.Z
@@ -10,6 +10,7 @@ Patch1: ncompress-4.2.4-lfs2.patch
 Patch2: ncompress-4.2.4-filenamelen.patch
 Patch3: ncompress-2GB.patch
 Patch4: ncompress-4.2.4-zerobyteforce.patch
+Patch5: ncompress-4.2.4-bssUnderflow.patch
 BuildRequires: gcc glibc-devel fileutils
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 
@@ -24,13 +25,13 @@ Install ncompress if you need compression/decompression utilities
 which are compatible with the original UNIX compress utility.
 
 %prep
-
 %setup -q
 %patch0 -p1
 %patch1 -p1 -b .lfs
 %patch2 -p1 -b .filenamelen
 %patch3 -p1 -b .2GB
 %patch4 -p1 -b .zerobyteforce
+%patch5 -p1 -b .bssUnderflow
 
 %build
 
@@ -69,6 +70,9 @@ rm -rf $RPM_BUILD_ROOT
 %doc LZW.INFO README
 
 %changelog
+* Thu Aug 10 2006 Peter Vrabec <pvrabec@redhat.com> 4.2.4-45
+- fix bss buffer underflow CVE-2006-1168 (#201919)
+
 * Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 4.2.4-44.1
 - rebuild