Vulnerability Details : CVE-2009-2624
The huft_build function in inflate.c in gzip before 1.3.13 creates a hufts (aka huffman) table that is too small, which allows remote attackers to cause a denial of service (application crash or infinite loop) or possibly execute arbitrary code via a crafted archive. NOTE: this issue is caused by a CVE-2006-4334 regression.
Vulnerability category: Input validation, Execute code, Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2009-2624
Probability of exploitation activity in the next 30 days: 15.51%
Percentile (the proportion of vulnerabilities scored at or below this value): ~95%
CVSS scores for CVE-2009-2624
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST
CWE ids for CVE-2009-2624
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. (Assigned by: nvd@nist.gov, Primary)
Vendor statements for CVE-2009-2624
- Red Hat (2010-02-02): Not vulnerable. This issue did not affect the versions of gzip as shipped with Red Hat Enterprise Linux 3, 4, or 5.
References for CVE-2009-2624
- http://article.gmane.org/gmane.comp.gnu.gzip.bugs/258
- http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html (Apple - Lists.apple.com)
- http://git.savannah.gnu.org/cgit/gzip.git/commit/?id=39a362ae9d9b007473381dba5032f4dfc1744cf2
- http://www.debian.org/security/2010/dsa-1974 (Debian -- Security Information -- DSA-1974-1 gzip)
- http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html ([security-announce] SUSE Security Announcement: acroread (SUSE-SA:2010:00)
- http://support.apple.com/kb/HT4435
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:020
- http://www.vupen.com/english/advisories/2010/0185
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507263
- http://www.ubuntu.com/usn/USN-889-1 (USN-889-1: gzip vulnerabilities | Ubuntu security notices)
- https://bugzilla.redhat.com/show_bug.cgi?id=514711
Products affected by CVE-2009-2624
- cpe:2.3:a:gnu:gzip:*:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gzip:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gzip:1.2.4a:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gzip:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gzip:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gzip:1.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gzip:1.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gzip:1.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gzip:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gzip:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gzip:1.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gzip:1.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gzip:1.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gzip:1.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gzip:1.3.4:*:*:*:*:*:*:*