Vulnerability Note VU#773548

gzip contains a .bss buffer overflow in its LZH handling

Original Release date: 19 Sep 2006 | Last revised: 22 Jul 2011

Overview

The gzip program contains a buffer overflow vulnerability that may allow an attacker to execute arbitrary code or create a denial-of-service condition.

Description

The gzip program is used to compress and decompress archived files. Some implementations of gzip include support for the LZH compression algorithm.

A buffer overflow vulnerability exists in the way gzip handles certain files compressed with the LZH algorithm. An attacker may be able to exploit this vulnerability by convincing a user to open a specially crafted gzip file.

Note that the attacker could either 1) convince a user to open a malicious gzip file, or 2) save the file in a place where another program would call gzip to decompress the archive.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or create a denial-of-service condition.

Solution

Upgrade or apply a patch from the vendor
This issue has been addressed in gzip 1.3.6. See the systems affected section of this document for information about specific vendors.

Workarounds
Until updates can be applied, the following workarounds may mitigate the impact of this vulnerability:

  • Do not decompress gzip files that are received from unknown sources.
  • Do not execute gzip with system-level privileges.
  • Some automated processes may rely on gzip to complete their tasks. When possible, disable such programs or do not allow them to execute gzip with root privileges.
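The fix in gzip 1.3.6 and the workarounds above both reduce to a small policy that an automated pipeline can enforce before it invokes gzip: know which legacy format a file is in, know whether the installed gzip is at or past the fixed version, and never run the decompressor as root. The following is an added example written for this note, not code from CERT or from the gzip project. It assumes the legacy magic numbers that gzip's own header defines (1F 8B gzip, 1F A0 LZH, 1F 9D LZW, 1F 1E pack, 1F 9E old gzip) and that `gzip --version` prints its version number on the first line; the `decompress_allowed` policy and its reason strings are this example's own.

```python
"""Pre-screen input before handing it to gzip (VU#773548 workarounds).

Added example for this vulnerability note; not CERT's or gzip's code.
Assumption: the two-byte magic numbers below are the ones gzip.h defines
for the formats gzip can decompress.
"""
import os
import re
import subprocess

# Assumed from gzip.h: first two bytes identify the legacy container format.
MAGIC = {
    b"\x1f\x8b": "gzip",
    b"\x1f\x9e": "old-gzip",
    b"\x1f\xa0": "lzh",     # SCO LZH compress; the format the overflow lives in
    b"\x1f\x9d": "lzw",
    b"\x1f\x1e": "pack",
}

# First release that contains the fix, per the Solution section.
FIXED_VERSION = (1, 3, 6)


def classify_by_magic(data: bytes) -> str:
    """Return the container format name for the first bytes of a file."""
    return MAGIC.get(bytes(data[:2]), "unknown")


def parse_gzip_version(text: str):
    """Extract a (major, minor, patch) tuple from a `gzip --version` line.

    Accepts both 'gzip 1.3.5' and 'gzip (GNU gzip) 1.10'; a missing patch
    component is treated as 0 so tuples compare cleanly.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def version_is_fixed(text: str) -> bool:
    """True when the parsed version is 1.3.6 or later (upstream fix).

    Distributions backport fixes without bumping the version, so a False
    here means 'verify with the vendor', not 'definitely vulnerable'.
    """
    v = parse_gzip_version(text)
    return v is not None and v >= FIXED_VERSION


def installed_gzip_version_text() -> str:
    """First line of `gzip --version` on this host, or '' if gzip is absent."""
    try:
        out = subprocess.run(["gzip", "--version"], capture_output=True,
                             text=True, check=False)
    except OSError:
        return ""
    return out.stdout.splitlines()[0] if out.stdout else ""


def decompress_allowed(data: bytes, gzip_version_text: str, euid: int):
    """Policy gate combining the note's workarounds. Returns (allowed, reason).

    - never invoke gzip with root privileges;
    - refuse LZH-format input unless gzip is at least 1.3.6;
    - refuse anything gzip would not recognise as one of its formats.
    """
    if euid == 0:
        return False, "refusing to run gzip as root"
    kind = classify_by_magic(data)
    if kind == "lzh" and not version_is_fixed(gzip_version_text):
        return False, "LZH input and gzip older than 1.3.6"
    if kind == "unknown":
        return False, "not a format gzip recognizes"
    return True, f"{kind} input"


def screen_file(path: str):
    """Apply the gate to a real file on this host (constructed helper)."""
    with open(path, "rb") as fh:
        head = fh.read(2)
    return decompress_allowed(head, installed_gzip_version_text(), os.geteuid())


if __name__ == "__main__":
    # Constructed sample inputs: an LZH header and a gzip header.
    for sample in (b"\x1f\xa0\x00\x00", b"\x1f\x8b\x08\x00"):
        print(classify_by_magic(sample),
              decompress_allowed(sample, installed_gzip_version_text(), os.geteuid()))
```

In a real pipeline the gate runs in the unprivileged worker that would otherwise call gzip; the version string is only a hint, since a vendor may have shipped the fix under an older version number, so the definitive check is the vendor status in the Systems Affected table.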

Systems Affected

Vendor                        | Status       | Date Notified | Date Updated
Apple Computer, Inc.          | Affected     | 08 Sep 2006   | 05 Dec 2006
Debian GNU/Linux              | Affected     | -             | 04 Oct 2006
FreeBSD, Inc.                 | Affected     | 08 Sep 2006   | 29 Sep 2006
Openwall GNU/*/Linux          | Affected     | 08 Sep 2006   | 20 Sep 2006
Red Hat, Inc.                 | Affected     | 08 Sep 2006   | 20 Sep 2006
Slackware Linux Inc.          | Affected     | 08 Sep 2006   | 25 Sep 2006
Ubuntu                        | Affected     | 08 Sep 2006   | 22 Sep 2006
Computer Associates           | Not Affected | 08 Sep 2006   | 27 Jul 2007
Force10 Networks, Inc.        | Not Affected | 08 Sep 2006   | 22 Jul 2011
Global Technology Associates  | Not Affected | 08 Sep 2006   | 18 Sep 2006
Hitachi                       | Not Affected | 08 Sep 2006   | 20 Sep 2006
Intoto                        | Not Affected | 08 Sep 2006   | 20 Sep 2006
3com, Inc.                    | Unknown      | 08 Sep 2006   | 08 Sep 2006
Aladdin Knowledge Systems     | Unknown      | 08 Sep 2006   | 08 Sep 2006
Alcatel                       | Unknown      | 08 Sep 2006   | 08 Sep 2006

CVSS Metrics

Group         | Score | Vector
Base          | N/A   | N/A
Temporal      | N/A   | N/A
Environmental | N/A   | N/A

Credit

Thanks to Tavis Ormandy, Google Security Team for reporting this issue.

This document was written by Ryan Giobbi.

Other Information

  • CVE IDs: CVE-2006-4337
  • Date Public: 19 Jun 2006
  • Date First Published: 19 Sep 2006
  • Date Last Updated: 22 Jul 2011
  • Severity Metric: 1.57
  • Document Revision: 43