Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2009-2624 CVE-2010-0001 CVE-2006-4334

Several vulnerabilities have been found in gzip, the GNU compression utilities. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-2624 Thiemo Nagel discovered a missing input sanitation flaw in the way gzip used to decompress data blocks for dynamic Huffman codes, which could lead to the execution of arbitrary code when trying to decompress a crafted archive. This issue is a reappearance of CVE-2006-4334 and only affects the lenny version. CVE-2010-0001 Aki Helin discovered an integer underflow when decompressing files that are compressed using the LZW algorithm. This could lead to the execution of arbitrary code when trying to decompress a crafted LZW compressed gzip archive. For the stable distribution (lenny), these problems have been fixed in version 1.3.12-6+lenny1. For the oldstable distribution (etch), these problems have been fixed in version 1.3.5-15+etch1. For the testing distribution (squeeze) and the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your gzip packages.

Source

Debian Security Advisory

DSA-1974-1 gzip -- several vulnerabilities

Date Reported:

20 Jan 2010

Affected Packages:

gzip

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 507263.
In Mitre's CVE dictionary: CVE-2009-2624, CVE-2010-0001.

More information:

Several vulnerabilities have been found in gzip, the GNU compression utilities. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2009-2624
Thiemo Nagel discovered a missing input sanitation flaw in the way gzip used to decompress data blocks for dynamic Huffman codes, which could lead to the execution of arbitrary code when trying to decompress a crafted archive. This issue is a reappearance of CVE-2006-4334 and only affects the lenny version.
CVE-2010-0001
Aki Helin discovered an integer underflow when decompressing files that are compressed using the LZW algorithm. This could lead to the execution of arbitrary code when trying to decompress a crafted LZW compressed gzip archive.

For the stable distribution (lenny), these problems have been fixed in version 1.3.12-6+lenny1.

For the oldstable distribution (etch), these problems have been fixed in version 1.3.5-15+etch4.

For the testing distribution (squeeze) and the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your gzip packages.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch4.dsc; http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch4.diff.gz; http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5.orig.tar.gz
Alpha:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch4_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch4_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch4_arm.deb
HP Precision:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch4_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch4_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch4_ia64.deb
Little-endian MIPS:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch4_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch4_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch4_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch4_sparc.deb

Debian GNU/Linux 5.0 (lenny)

Source:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1.diff.gz; http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12.orig.tar.gz; http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1.dsc
Architecture-independent component:: http://security.debian.org/pool/updates/main/g/gzip/gzip-win32_1.3.12-6+lenny1_all.deb
Alpha:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_arm.deb
ARM EABI:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_armel.deb
HP Precision:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_ia64.deb
Little-endian MIPS:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

DSA-1974-1 gzip -- several vulnerabilities

Debian Security Advisory

DSA-1974-1 gzip -- several vulnerabilities

Debian GNU/Linux 4.0 (etch)

Debian GNU/Linux 5.0 (lenny)

Vulmon Search

About

Products

Connect