Vulnerability Note VU#381508

gzip contains an array out-of-bounds vulnerability in make_table()

Original Release date: 19 Sep 2006 | Last revised: 22 Jul 2011

Overview

The gzip program contains a stack modification vulnerability that may allow an attacker to execute arbitrary code, or create a denial-of-service condition..

Description

The gzip program is used to compress and decompress archived files.

A stack modification vulnerability exists in gzip. An attacker may be able to exploit this vulnerability by convincing a user to open a specially crafted gzip file.

Note that the attacker could either convince a user to open a malicious gzip file, or save the file in a place where another program would call gzip to decompress the archive.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code, or create a denial-of-service condition..

Solution

Upgrade
This issue has been addressed in gzip 1.3.6. See the systems affected section of this document for information about specific vendors.


Workarounds
Until updates can be applied, the following workarounds may mitigate the impact of this vulnerability:

  • Do not decompress gzip files that are received from unknown sources.
  • Do not execute gzip with system-level privileges.
  • Some automated processes may rely on gzip to complete their tasks. When possible, disable such programs or do not allow them to execute gzip with root privileges.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Apple Computer, Inc.Affected08 Sep 200605 Dec 2006
Debian GNU/LinuxAffected-04 Oct 2006
FreeBSD, Inc.Affected08 Sep 200629 Sep 2006
Openwall GNU/*/LinuxAffected08 Sep 200620 Sep 2006
Red Hat, Inc.Affected08 Sep 200620 Sep 2006
Slackware Linux Inc.Affected08 Sep 200625 Sep 2006
UbuntuAffected08 Sep 200622 Sep 2006
Computer AssociatesNot Affected08 Sep 200627 Jul 2007
Force10 Networks, Inc.Not Affected08 Sep 200622 Jul 2011
Global Technology AssociatesNot Affected08 Sep 200618 Sep 2006
HitachiNot Affected08 Sep 200620 Sep 2006
3com, Inc.Unknown08 Sep 200608 Sep 2006
Aladdin Knowledge SystemsUnknown08 Sep 200608 Sep 2006
AlcatelUnknown08 Sep 200608 Sep 2006
AT&TUnknown08 Sep 200608 Sep 2006
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Tavis Ormandy, Google Security Team for reporting this issue.

This document was written by Ryan Giobbi.

Other Information

  • CVE IDs: CVE-2006-4335
  • Date Public: 19 Jun 2006
  • Date First Published: 19 Sep 2006
  • Date Last Updated: 22 Jul 2011
  • Severity Metric: 1.57
  • Document Revision: 55

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.