CVE-2010-0001

NameCVE-2010-0001
DescriptionInteger underflow in the unlzw function in unlzw.c in gzip before 1.4 on 64-bit platforms, as used in ncompress and probably others, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted archive that uses LZW compression, leading to an array index error.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-1974-1, DSA-2074-1
Debian Bugs566002

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
busybox (PTS)bullseye1:1.30.1-6fixed
bookworm1:1.35.0-4fixed
sid, trixie1:1.37.0-4fixed
gzip (PTS)bullseye (security), bullseye1.10-4+deb11u1fixed
bookworm1.12-1fixed
sid, trixie1.12-1.2fixed
klibc (PTS)bullseye2.0.8-6.1fixed
bookworm2.0.12-1fixed
sid, trixie2.0.13-4fixed
ncompress (PTS)bullseye4.2.4.6-4fixed
bookworm4.2.4.6-6fixed
sid, trixie5.0-2fixed
pristine-tar (PTS)bullseye1.49fixed
bookworm1.50fixed
sid, trixie1.50+nmu2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
busyboxsource(unstable)(not affected)
gzipsourceetch1.3.5-15+etch1DSA-1974-1
gzipsourcelenny1.3.12-6+lenny1DSA-1974-1
gzipsource(unstable)1.3.12-9medium566002
klibcsource(unstable)(not affected)
linux-2.6source(unstable)(not affected)
ncompresssourcelenny4.2.4.2-1+lenny1DSA-2074-1
ncompresssource(unstable)4.2.4.3-1
pristine-tarsource(unstable)(not affected)

Notes

- linux-2.6 <not-affected> (does not include unlzw.c in its gzip code copy)
- klibc <not-affected> (does not include unlzw.c in its gzip code copy)
- busybox <not-affected> (does not include unlzw.c in its gzip code copy)
- pristine-tar <not-affected> (does not include unlzw.c in its gzip code copy)

Search for package or bug name: Reporting problems