CVE-2010-0001

NameCVE-2010-0001
DescriptionInteger underflow in the unlzw function in unlzw.c in gzip before 1.4 on 64-bit platforms, as used in ncompress and probably others, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted archive that uses LZW compression, leading to an array index error.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-1974-1, DSA-2074-1
NVD severitymedium (attack range: remote)
Debian Bugs566002

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
busybox (PTS)wheezy1:1.20.0-7fixed
jessie1:1.22.0-9+deb8u1fixed
stretch1:1.22.0-19fixed
buster, sid1:1.27.2-1fixed
gzip (PTS)wheezy1.5-1.1fixed
jessie1.6-4fixed
buster, sid, stretch1.6-5fixed
klibc (PTS)wheezy2.0.1-3.1fixed
jessie2.0.4-2fixed
buster, sid, stretch2.0.4-9fixed
ncompress (PTS)wheezy4.2.4.4-5fixed
jessie4.2.4.4-9fixed
stretch4.2.4.4-16fixed
buster, sid4.2.4.4-18fixed
pristine-tar (PTS)wheezy1.25+deb7u1fixed
jessie1.33fixed
stretch1.38fixed
buster, sid1.42fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
busyboxsource(unstable)(not affected)
gzipsource(unstable)1.3.12-9medium566002
gzipsourceetch1.3.5-15+etch1mediumDSA-1974-1
gzipsourcelenny1.3.12-6+lenny1mediumDSA-1974-1
klibcsource(unstable)(not affected)
linux-2.6source(unstable)(not affected)
ncompresssource(unstable)4.2.4.3-1medium
ncompresssourcelenny4.2.4.2-1+lenny1mediumDSA-2074-1
pristine-tarsource(unstable)(not affected)

Notes

- linux-2.6 <not-affected> (does not include unlzw.c in its gzip code copy)
- klibc <not-affected> (does not include unlzw.c in its gzip code copy)
- busybox <not-affected> (does not include unlzw.c in its gzip code copy)
- pristine-tar <not-affected> (does not include unlzw.c in its gzip code copy)

Search for package or bug name: Reporting problems