Vulnerability Note VU#773548
gzip contains a .bss buffer overflow in its LZH handling
The gzip program contains a buffer overflow vulnerability that may allow an attacker to execute arbitrary code or create a denial-of-service condition.
The gzip program is used to compress and decompress archived files. Some implementations of gzip include support for the LZH compression algorithm.
A buffer overflow vulnerability exists in the way gzip handles certain files compressed with the LZH algorithm. An attacker may be able to exploit this vulnerability by convincing a user to open a specially crafted gzip file.
A remote, unauthenticated attacker may be able to execute arbitrary code or create a denial-of-service condition.
Upgrade or apply a patch from the vendor
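Until the patch is installed, files that gzip would hand to its LZH decoder can be found by their leading magic bytes. The following is an added example, not part of the original note or of gzip itself; it assumes the two-byte magic numbers defined in gzip's `gzip.h` (LZH is `1F A0`), and the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# Two-byte magic numbers from gzip's gzip.h; gzip selects its decoder from these.
MAGIC = {
    b"\x1f\x8b": "gzip (deflate)",
    b"\x1f\x9e": "old gzip / freeze",
    b"\x1f\x9d": "compress (LZW)",
    b"\x1f\x1e": "pack",
    b"\x1f\xa0": "LZH",
}

def classify(header: bytes) -> str:
    """Name the decoder gzip would select for data starting with `header`."""
    return MAGIC.get(header[:2], "unknown")

def find_lzh_inputs(root: str) -> list[str]:
    """Return regular files under `root` whose leading magic selects LZH."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue  # skip FIFOs, sockets and dangling symlinks
            try:
                with open(path, "rb") as fh:
                    header = fh.read(2)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if classify(header) == "LZH":
                hits.append(path)
    return sorted(hits)

def demo() -> list[str]:
    """Scan a temporary directory of constructed sample files."""
    samples = {
        "ok.gz": b"\x1f\x8b\x08\x00" + b"\x00" * 8,  # constructed gzip header
        "legacy.z": b"\x1f\xa0" + b"\x00" * 8,       # constructed: LZH magic only
        "short.bin": b"\x1f",                         # constructed: truncated file
        "notes.txt": b"plain text",                   # constructed: not compressed
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [os.path.basename(p) for p in find_lzh_inputs(root)]

if __name__ == "__main__":
    print(demo())
```

The check reads only the first two bytes of each file, so it is a triage aid for locating LZH-format inputs and not a replacement for the vendor fix.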
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apple Computer, Inc. | Affected | 08 Sep 2006 | 05 Dec 2006 |
| Debian GNU/Linux | Affected | - | 04 Oct 2006 |
| FreeBSD, Inc. | Affected | 08 Sep 2006 | 29 Sep 2006 |
| Openwall GNU/*/Linux | Affected | 08 Sep 2006 | 20 Sep 2006 |
| Red Hat, Inc. | Affected | 08 Sep 2006 | 20 Sep 2006 |
| Slackware Linux Inc. | Affected | 08 Sep 2006 | 25 Sep 2006 |
| Ubuntu | Affected | 08 Sep 2006 | 22 Sep 2006 |
| Computer Associates | Not Affected | 08 Sep 2006 | 27 Jul 2007 |
| Force10 Networks, Inc. | Not Affected | 08 Sep 2006 | 22 Jul 2011 |
| Global Technology Associates | Not Affected | 08 Sep 2006 | 18 Sep 2006 |
| Hitachi | Not Affected | 08 Sep 2006 | 20 Sep 2006 |
| Intoto | Not Affected | 08 Sep 2006 | 20 Sep 2006 |
| 3com, Inc. | Unknown | 08 Sep 2006 | 08 Sep 2006 |
| Aladdin Knowledge Systems | Unknown | 08 Sep 2006 | 08 Sep 2006 |
| Alcatel | Unknown | 08 Sep 2006 | 08 Sep 2006 |
Thanks to Tavis Ormandy, Google Security Team for reporting this issue.
This document was written by Ryan Giobbi.
- CVE IDs: CVE-2006-4337
- Date Public: 19 Jun 2006
- Date First Published: 19 Sep 2006
- Date Last Updated: 22 Jul 2011
- Severity Metric: 1.57
- Document Revision: 43