CERT-FI Advisory on GNU gzip
| Field | Value |
|---|---|
| Target | servers and server applications; workstations and end user applications; network devices; embedded systems; mobile devices |
| Access Vector | remote |
| Impact | potential code execution; denial of service |
| Remediation | fix provided by vendor |
Details
Two vulnerabilities related to the handling of compressed files were found in gzip. The first vulnerability (CVE-2009-2624) results from missing input sanitization of dynamic Huffman codes, and the second vulnerability (CVE-2010-0001) is an integer underflow in the handling of files compressed with the Lempel–Ziv–Welch (LZW) compression algorithm. The second vulnerability only affects 64-bit systems. A remote attacker could exploit the vulnerabilities with a specially crafted gzip compressed data archive. Opening the archive file could lead to denial of service (gzip crash) or, potentially, to arbitrary code execution with the privileges of the user running gzip.
CERT-FI coordinated the remediation effort of the vulnerabilities.
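The two defect classes named above, a dynamic Huffman code-length table accepted without validation and a length subtraction that can wrap on 64-bit, are both things a decompressor's input checks should rule out before any table is built or any pointer is advanced. The C below is an added illustration written for this page; it is not gzip's source or its patch, and `huffman_lengths_valid`, `consume_requests` and the inputs fed to them are constructed for the example. The Huffman check rejects out-of-range and oversubscribed length tables via the Kraft inequality (it does not reject incomplete codes, which DEFLATE decoders treat separately); the second function shows the check-before-subtract pattern that stops a `size_t` remainder from wrapping into a huge "valid" length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_BITS 15  /* DEFLATE caps Huffman code lengths at 15 bits */

/* Hypothetical sanity check, not gzip's code: reject a dynamic Huffman
 * code-length table that is out of range or oversubscribed before any
 * decoding table is built from it. Returns 1 if acceptable, 0 otherwise. */
int huffman_lengths_valid(const uint8_t *lengths, size_t n)
{
    unsigned count[MAX_BITS + 1] = {0};
    for (size_t i = 0; i < n; i++) {
        if (lengths[i] > MAX_BITS)
            return 0;                 /* length outside the format's limit */
        count[lengths[i]]++;          /* count[0] = symbols not in use */
    }
    /* Kraft inequality: walking the lengths, the unused prefix space must
     * never go negative; if it does, more codes were declared than fit. */
    int left = 1;
    for (unsigned len = 1; len <= MAX_BITS; len++) {
        left = left * 2 - (int)count[len];
        if (left < 0)
            return 0;                 /* oversubscribed code */
    }
    return 1;
}

/* Hypothetical guard for the underflow class: a decoder that tracks the
 * bytes remaining in an input block must compare a request against the
 * remainder before subtracting, because size_t wraps silently and on
 * 64-bit the wrapped value looks like an enormous valid length. Returns
 * how many requests were honoured before one exceeded the remainder. */
size_t consume_requests(size_t remaining, const size_t *need, size_t n)
{
    size_t honoured = 0;
    for (size_t i = 0; i < n; i++) {
        if (need[i] > remaining)
            break;                    /* would underflow: stop, do not wrap */
        remaining -= need[i];
        honoured++;
    }
    return honoured;
}

int main(void)
{
    /* constructed inputs */
    const uint8_t complete[] = {2, 2, 2, 2};   /* exactly fills the 2-bit space */
    const uint8_t oversub[]  = {1, 1, 1};      /* three 1-bit codes cannot exist */
    const size_t needs[]     = {3, 4, 5};      /* 3 + 4 fit in 10, 5 does not */
    printf("complete: %d, oversubscribed: %d\n",
           huffman_lengths_valid(complete, 4), huffman_lengths_valid(oversub, 3));
    printf("requests honoured from 10 bytes: %zu\n", consume_requests(10, needs, 3));
    return 0;
}
```

The same shape applies to any length-prefixed format: validate the declared structure against the format's hard limits first, then check every arithmetic step on untrusted sizes against the bytes actually available.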
Vulnerability Coordination Information and Acknowledgements
CERT-FI has coordinated the release of these vulnerabilities between the vulnerability researcher and the affected vendors. CERT-FI would like to thank the Oulu University Secure Programming Group (OUSPG) for reporting the vulnerabilities to us, and Red Hat and Jim Meyering for co-operation in the remediation efforts.
Vendor Information
- GNU gzip versions from 1.3.3 to 1.3.14 are affected. The latest version 1.4 is not affected.
Remediation
Install either a fixed version of GNU gzip or a fixed version provided by your software distribution.
References
Contact Information
CERT-FI Vulnerability Coordination can be contacted as follows:
Email: vulncoord@ficora.fi
Please quote the advisory reference [FICORA #216853] in the subject line.
Telephone: +358 9 6966 510 (Monday - Friday 08:00 - 16:15, EET: UTC+2)
Fax: +358 9 6966 515
Post:
Vulnerability Coordination
FICORA/CERT-FI
P.O. Box 313
FI-00181 Helsinki
FINLAND
CERT-FI encourages those who wish to communicate via email to make use of our PGP key. The key is available at https://www.cert.fi/en/activities/contact/pgp-keys.html
The CERT-FI vulnerability coordination policy can be viewed at https://www.cert.fi/en/activities/Vulncoord/vulncoord-policy.html.
Revision History
21 Jan 2010, 14:57 UTC: Published
4 Jun 2010, 13:37 UTC: Added JVNDB reference
26 Jul 2010, 10:54 UTC: Added Debian advisory
15 Nov 2010, 8:00 UTC: Added Apple advisory
Page updated 15.11.2010