CVE-2009-2624

2010-01-2918:30:00

CWE-20

[email protected]

web.nvd.nist.gov

huft_build

gzip

denial of service

application crash

infinite loop

arbitrary code

crafted archive

cve-2009-2624

9.5 High

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.155 Low

EPSS

Percentile

95.8%

JSON

The huft_build function in inflate.c in gzip before 1.3.13 creates a hufts (aka huffman) table that is too small, which allows remote attackers to cause a denial of service (application crash or infinite loop) or possibly execute arbitrary code via a crafted archive. NOTE: this issue is caused by a CVE-2006-4334 regression.

CPENameOperatorVersion
gnu:gzipgnu gzipeq1.3.1
gnu:gzipgnu gzipeq1.3.8
gnu:gzipgnu gziple1.3.12
gnu:gzipgnu gzipeq1.3
gnu:gzipgnu gzipeq1.3.3
gnu:gzipgnu gzipeq1.3.11
gnu:gzipgnu gzipeq1.3.6
gnu:gzipgnu gzipeq1.3.2
gnu:gzipgnu gzipeq1.2.4
gnu:gzipgnu gzipeq1.3.10

CPE	Name	Operator	Version
gnu:gzip	gnu gzip	eq	1.3.1
gnu:gzip	gnu gzip	eq	1.3.8
gnu:gzip	gnu gzip	le	1.3.12
gnu:gzip	gnu gzip	eq	1.3
gnu:gzip	gnu gzip	eq	1.3.3
gnu:gzip	gnu gzip	eq	1.3.11
gnu:gzip	gnu gzip	eq	1.3.6
gnu:gzip	gnu gzip	eq	1.3.2
gnu:gzip	gnu gzip	eq	1.2.4
gnu:gzip	gnu gzip	eq	1.3.10