Vulnerability Note VU#596848

gzip contains an infinite loop vulnerability in its LZH handling

Original Release date: 19 Sep 2006 | Last revised: 22 Jul 2011

Overview

The gzip program contains an infinite loop vulnerability that may allow an attacker to create a denial-of-service condition.

Description

The gzip program is used to compress and decompress archived files.

An infinite loop vulnerability exists in the way gzip handles certain files. An attacker may be able to exploit this vulnerability by convincing a user to open a specially crafted gzip file.

Note that the attacker could either convince a user to open a malicious gzip file, or save the file in a place where another program would call gzip to decompress the archive.

Impact

A remote, unauthenticated attacker may be able to create a denial-of-service condition.

Solution

Upgrade
This issue has been addressed in gzip 1.3.6. See the systems affected section of this document for information about specific vendors.

Workarounds
Until updates can be applied, the following workarounds may mitigate the impact of this vulnerability:

  • Do not decompress gzip files that are received from unknown sources.
  • Do not execute gzip with system-level privileges.
  • Some automated processes may rely on gzip to complete their tasks. When possible, disable such programs or do not allow them to execute gzip with root privileges.

Systems Affected

Vendor                          Status         Date Notified   Date Updated
Apple Computer, Inc.            Affected       19 Sep 2006     05 Dec 2006
Debian GNU/Linux                Affected       -               04 Oct 2006
FreeBSD, Inc.                   Affected       19 Sep 2006     29 Sep 2006
Openwall GNU/*/Linux            Affected       19 Sep 2006     20 Sep 2006
Red Hat, Inc.                   Affected       19 Sep 2006     20 Sep 2006
Slackware Linux Inc.            Affected       19 Sep 2006     25 Sep 2006
Ubuntu                          Affected       19 Sep 2006     22 Sep 2006
Computer Associates             Not Affected   19 Sep 2006     27 Jul 2007
Force10 Networks, Inc.          Not Affected   19 Sep 2006     22 Jul 2011
Global Technology Associates    Not Affected   19 Sep 2006     20 Sep 2006
Hitachi                         Not Affected   19 Sep 2006     20 Sep 2006
Intoto                          Not Affected   19 Sep 2006     20 Sep 2006
3com, Inc.                      Unknown        19 Sep 2006     19 Sep 2006
Aladdin Knowledge Systems       Unknown        19 Sep 2006     19 Sep 2006
Alcatel                         Unknown        19 Sep 2006     19 Sep 2006

CVSS Metrics

Group           Score   Vector
Base            N/A     N/A
Temporal        N/A     N/A
Environmental   N/A     N/A

Credit

Thanks to Tavis Ormandy, Google Security Team for reporting this issue.

This document was written by Ryan Giobbi.

Other Information

  • CVE IDs: CVE-2006-4338
  • Date Public: 19 Jun 2006
  • Date First Published: 19 Sep 2006
  • Date Last Updated: 22 Jul 2011
  • Severity Metric: 0.31
  • Document Revision: 37
