CVE-2010-0001

NameCVE-2010-0001
DescriptionInteger underflow in the unlzw function in unlzw.c in gzip before 1.4 on 64-bit platforms, as used in ncompress and probably others, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted archive that uses LZW compression, leading to an array index error.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDSA-1974-1, DSA-2074-1
Debian Bugs566002

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
busybox (PTS)buster1:1.30.1-4fixed
bullseye1:1.30.1-6fixed
bookworm, sid1:1.35.0-4fixed
gzip (PTS)buster, buster (security)1.9-3+deb10u1fixed
bullseye (security), bullseye1.10-4+deb11u1fixed
bookworm, sid1.12-1fixed
klibc (PTS)buster2.0.6-1+deb10u1fixed
bullseye2.0.8-6.1fixed
bookworm, sid2.0.12-1fixed
ncompress (PTS)buster4.2.4.5-3fixed
bullseye4.2.4.6-4fixed
bookworm, sid4.2.4.6-6fixed
pristine-tar (PTS)buster1.46fixed
bullseye1.49fixed
bookworm, sid1.50fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
busyboxsource(unstable)(not affected)
gzipsourceetch1.3.5-15+etch1DSA-1974-1
gzipsourcelenny1.3.12-6+lenny1DSA-1974-1
gzipsource(unstable)1.3.12-9medium566002
klibcsource(unstable)(not affected)
linux-2.6source(unstable)(not affected)
ncompresssourcelenny4.2.4.2-1+lenny1DSA-2074-1
ncompresssource(unstable)4.2.4.3-1
pristine-tarsource(unstable)(not affected)

Notes

- linux-2.6 <not-affected> (does not include unlzw.c in its gzip code copy)
- klibc <not-affected> (does not include unlzw.c in its gzip code copy)
- busybox <not-affected> (does not include unlzw.c in its gzip code copy)
- pristine-tar <not-affected> (does not include unlzw.c in its gzip code copy)
Search for package or bug name: Reporting problems