The gzip program contains a buffer overflow vulnerability that may allow an attacker to execute arbitrary code or create a denial-of-service condition.
The gzip program is used to compress and decompress archived files. Some implementations of gzip include support for the LZH compression algorithm.
A buffer overflow vulnerability exists in the way gzip handles certain files compressed with the LZH algorithm. An attacker may be able to exploit this vulnerability by convincing a user to open a specially crafted gzip file.
Note that the attacker could either 1) convince a user to open a malicious gzip file, or 2) save the file in a place where another program would call gzip to decompress the archive.
A remote, unauthenticated attacker may be able to execute arbitrary code or create a denial-of-service condition.
Upgrade or apply a patch from the vendor
This issue has been addressed in gzip 1.3.6. See the systems affected section of this document for information about specific vendors.
Until updates can be applied, the following workarounds may mitigate the impact of this vulnerability:
* Do not decompress gzip files that are received from unknown sources.
* Do not execute gzip with system-level privileges.
* Some automated processes may rely on gzip to complete their tasks. When possible, disable such programs or do not allow them to execute gzip with root privileges.
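One way to apply these workarounds in an automated job, as an added example (not part of the original advisory or of gzip itself): a shell gate that refuses LZH-format input when the installed gzip is older than 1.3.6. It assumes LZH input is recognised by gzip's `LZH_MAGIC` bytes `1f a0`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the advisory. Function names are hypothetical.
# Assumption: LZH input starts with gzip's LZH_MAGIC bytes 0x1f 0xa0;
# ordinary gzip streams start with 0x1f 0x8b.
FIXED_VERSION="1.3.6"   # first fixed release named in the advisory

# magic_of FILE: print the first two bytes as hex, e.g. "1f8b".
magic_of() {
    od -An -tx1 -N2 < "$1" | tr -d ' \n'
}

# classify FILE: print gzip, lzh or other.
classify() {
    case "$(magic_of "$1")" in
        1f8b) echo gzip ;;
        1fa0) echo lzh ;;
        *)    echo other ;;
    esac
}

# version_lt A B: succeed when dotted version A is lower than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$1" ]
}

# safe_to_decompress FILE GZIP_VERSION: fail for LZH input on a gzip
# older than the fixed release. Vendor packages can carry the fix under
# an older version number, so treat a refusal as "check the vendor
# status", not as proof of exposure.
safe_to_decompress() {
    kind=$(classify "$1")
    if [ "$kind" = "lzh" ] && version_lt "$2" "$FIXED_VERSION"; then
        return 1
    fi
    return 0
}

# Stand-alone use: sh gate.sh FILE
if [ "$#" -ge 1 ]; then
    ver=$(gzip --version 2>&1 | head -n1 | awk '{print $2}')
    if safe_to_decompress "$1" "$ver"; then
        echo "ok: $1 ($(classify "$1")), gzip $ver"
    else
        echo "refused: $1 is LZH and gzip $ver < $FIXED_VERSION" >&2
        exit 1
    fi
fi
```

Run the gate as the unprivileged account that will call gzip, before the file reaches any job that decompresses it.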
Vendor| Status| Date Notified| Date Updated
Apple Computer, Inc.| | 08 Sep 2006| 05 Dec 2006
Debian GNU/Linux| | -| 04 Oct 2006
FreeBSD, Inc.| | 08 Sep 2006| 29 Sep 2006
Openwall GNU/*/Linux| | 08 Sep 2006| 20 Sep 2006
Red Hat, Inc.| | 08 Sep 2006| 20 Sep 2006
Slackware Linux Inc.| | 08 Sep 2006| 25 Sep 2006
Ubuntu| | 08 Sep 2006| 22 Sep 2006
Computer Associates| | 08 Sep 2006| 27 Jul 2007
Force10 Networks, Inc.| | 08 Sep 2006| 22 Jul 2011
Global Technology Associates| | 08 Sep 2006| 18 Sep 2006
Hitachi| | 08 Sep 2006| 20 Sep 2006
Intoto| | 08 Sep 2006| 20 Sep 2006
3com, Inc.| | 08 Sep 2006| 08 Sep 2006
Aladdin Knowledge Systems| | 08 Sep 2006| 08 Sep 2006
Alcatel| | 08 Sep 2006| 08 Sep 2006
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
Thanks to Tavis Ormandy, Google Security Team, for reporting this issue.
This document was written by Ryan Giobbi.