ID CVE-2006-4336
Summary Buffer underflow in the build_tree function in unpack.c in gzip 1.3.5 allows context-dependent attackers to execute arbitrary code via a crafted leaf count table that causes a write to a negative index.
References
Vulnerable Configurations
  • cpe:2.3:a:gzip:gzip:1.3.5
CVSS
Base: 7.5 (as of 21-09-2006 - 14:18)
Impact:
Exploitability:
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality PARTIAL
  • Integrity PARTIAL
  • Availability PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_GZIP-2084.NASL
    description This update fixes several security problems that can be exploited to compromise the system in conjunction with other programs while processing malformed archive files. (CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338)
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27261
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27261
    title openSUSE 10 Security Update : gzip (gzip-2084)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-349-1.NASL
    description Tavis Ormandy discovered that gzip did not sufficiently verify the validity of gzip or compress archives while unpacking. By tricking a user or automated system into unpacking a specially crafted compressed file, this could be exploited to execute arbitrary code with the user's privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 27929
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27929
    title Ubuntu 5.04 / 5.10 / 6.06 LTS : gzip vulnerabilities (USN-349-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-167.NASL
    description NULL Dereference (CVE-2006-4334)
    A stack modification vulnerability (where a stack buffer can be modified out of bounds, but not in the traditional stack overrun sense) exists in the LZH decompression support of gzip. (CVE-2006-4335)
    A .bss buffer underflow exists in gzip's pack support, where a loop from build_tree() does not enforce any lower bound while constructing the prefix table. (CVE-2006-4336)
    A .bss buffer overflow vulnerability exists in gzip's LZH support, due to its inability to handle exceptional input in the make_table() function: a pathological decoding table can be constructed in such a way as to generate counts so high that the rapid growth of `nextcode` exceeds the size of the table[] buffer. (CVE-2006-4337)
    A possible infinite loop exists in code from unlzh.c for traversing the branches of a tree structure. This makes it possible to disrupt the operation of automated systems relying on gzip for data decompression, resulting in a minor DoS. (CVE-2006-4338)
    Updated packages have been patched to address these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24553
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24553
    title Mandrake Linux Security Advisory : gzip (MDKSA-2006:167)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200611-24.NASL
    description The remote host is affected by the vulnerability described in GLSA-200611-24 (LHa: Multiple vulnerabilities) Tavis Ormandy of the Google Security Team discovered several vulnerabilities in the LZH decompression component used by LHa. The make_table function of unlzh.c contains an array index error and a buffer overflow vulnerability. The build_tree function of unpack.c contains a buffer underflow vulnerability. Additionally, unlzh.c contains code that could run in an infinite loop. Impact : By enticing a user to uncompress a specially crafted archive, a remote attacker could cause a Denial of Service by CPU consumption or execute arbitrary code with the rights of the user running the application. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 23746
    published 2006-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23746
    title GLSA-200611-24 : LHa: Multiple vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0667.NASL
    description Updated gzip packages that fix several security issues are now available for Red Hat Enterprise Linux. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The gzip package contains the GNU gzip data compression program. Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash. (CVE-2006-4334, CVE-2006-4338) Tavis Ormandy of the Google Security Team discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code. (CVE-2006-4335, CVE-2006-4336, CVE-2006-4337) Users of gzip should upgrade to these updated packages, which contain a backported patch and are not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 22422
    published 2006-09-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22422
    title CentOS 3 / 4 : gzip (CESA-2006:0667)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0667.NASL
    description Updated gzip packages that fix several security issues are now available for Red Hat Enterprise Linux. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The gzip package contains the GNU gzip data compression program. Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash. (CVE-2006-4334, CVE-2006-4338) Tavis Ormandy of the Google Security Team discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code. (CVE-2006-4335, CVE-2006-4336, CVE-2006-4337) Users of gzip should upgrade to these updated packages, which contain a backported patch and are not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 22442
    published 2006-09-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22442
    title RHEL 2.1 / 3 / 4 : gzip (RHSA-2006:0667)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2006-0667.NASL
    description From Red Hat Security Advisory 2006:0667 : Updated gzip packages that fix several security issues are now available for Red Hat Enterprise Linux. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The gzip package contains the GNU gzip data compression program. Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash. (CVE-2006-4334, CVE-2006-4338) Tavis Ormandy of the Google Security Team discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code. (CVE-2006-4335, CVE-2006-4336, CVE-2006-4337) Users of gzip should upgrade to these updated packages, which contain a backported patch and are not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67408
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67408
    title Oracle Linux 3 / 4 : gzip (ELSA-2006-0667)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_11A840928F9F11DBAB33000E0C2E438A.NASL
    description Problem Description Multiple programming errors have been found in gzip which can be triggered when gzip is decompressing files. These errors include insufficient bounds checks in buffer use, a NULL pointer dereference, and a potential infinite loop. Impact The insufficient bounds checks in buffer use can cause gzip to crash, and may permit the execution of arbitrary code. The NULL pointer dereference can cause gzip to crash. The infinite loop can cause a Denial-of-Service situation where gzip uses all available CPU time. Workaround No workaround is available.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25437
    published 2007-06-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25437
    title FreeBSD : gzip -- multiple vulnerabilities (11a84092-8f9f-11db-ab33-000e0c2e438a)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2006-262-01.NASL
    description New gzip packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix possible security issues.
    last seen 2019-02-21
    modified 2018-06-27
    plugin id 22421
    published 2006-09-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22421
    title Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : gzip (SSA:2006-262-01)
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_11220.NASL
    description Several security issues with gzip have been found that can be exploited to compromise the system in conjunction with other programs while processing malformed archive files. The vulnerabilities have been tracked by Mitre CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337 and CVE-2006-4338.
    last seen 2019-02-21
    modified 2012-04-23
    plugin id 41099
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41099
    title SuSE9 Security Update : gzip (YOU Patch Number 11220)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_GZIP-2085.NASL
    description This update fixes several security problems that can be exploited to compromise the system in conjunction with other programs while processing malformated archive files. (CVE-2006-4334 / CVE-2006-4335 / CVE-2006-4336 / CVE-2006-4337 / CVE-2006-4338)
    last seen 2019-02-21
    modified 2012-05-18
    plugin id 29458
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29458
    title SuSE 10 Security Update : gzip (ZYPP Patch Number 2085)
  • NASL family HP-UX Local Security Checks
    NASL id HPUX_PHCO_35587.NASL
    description s700_800 11.11 Software Distributor Cumulative Patch : A potential security vulnerability has been identified with the version of GZIP delivered by HP-UX Software Distributor (SD). The vulnerability could be remotely exploited leading to a Denial of Service (DoS).
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 26120
    published 2007-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26120
    title HP-UX PHCO_35587 : HP-UX Running Software Distributor (SD), Remote Denial of Service (DoS) (HPSBUX02195 SSRT061237 rev.1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1181.NASL
    description Tavis Ormandy from the Google Security Team discovered several vulnerabilities in gzip, the GNU compression utility. The Common Vulnerabilities and Exposures project identifies the following problems:
    - CVE-2006-4334 A NULL pointer dereference may lead to denial of service if gzip is used in an automated manner.
    - CVE-2006-4335 Missing boundary checks may lead to stack modification, allowing execution of arbitrary code.
    - CVE-2006-4336 A buffer underflow in the pack support code may lead to execution of arbitrary code.
    - CVE-2006-4337 A buffer underflow in the LZH support code may lead to execution of arbitrary code.
    - CVE-2006-4338 An infinite loop may lead to denial of service if gzip is used in an automated manner.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 22723
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22723
    title Debian DSA-1181-1 : gzip - several vulnerabilities
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200609-13.NASL
    description The remote host is affected by the vulnerability described in GLSA-200609-13 (gzip: Multiple vulnerabilities) Tavis Ormandy of the Google Security Team has reported multiple vulnerabilities in gzip. A stack buffer modification vulnerability was discovered in the LZH decompression code, where a pathological data stream may result in the modification of stack data such as frame pointer, return address or saved registers. A static buffer underflow was discovered in the pack decompression support, allowing a specially crafted pack archive to underflow a .bss buffer. A static buffer overflow was uncovered in the LZH decompression code, allowing a data stream consisting of pathological Huffman codes to overflow a .bss buffer. Multiple infinite loops were also uncovered in the LZH decompression code. Impact : A remote attacker may create a specially crafted gzip archive, which when decompressed by a user or automated system executes arbitrary code with the privileges of the user id invoking gzip. The infinite loops may be abused by an attacker to disrupt any automated systems invoking gzip to handle data decompression. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 22457
    published 2006-09-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22457
    title GLSA-200609-13 : gzip: Multiple vulnerabilities
oval via4
accepted 2013-04-29T04:02:09.660-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Buffer underflow in the build_tree function in unpack.c in gzip 1.3.5 allows context-dependent attackers to execute arbitrary code via a crafted leaf count table that causes a write to a negative index.
family unix
id oval:org.mitre.oval:def:10140
status accepted
submitted 2010-07-09T03:56:16-04:00
title Buffer underflow in the build_tree function in unpack.c in gzip 1.3.5 allows context-dependent attackers to execute arbitrary code via a crafted leaf count table that causes a write to a negative index.
version 23
redhat via4
advisories
rhsa
id RHSA-2006:0667
refmap via4
apple APPLE-SA-2006-11-28
bid 20101
bugtraq
  • 20060919 rPSA-2006-0170-1 gzip
  • 20070330 VMSA-2007-0002 VMware ESX security updates
cert TA06-333A
cert-vn VU#554780
confirm
debian DSA-1181
fedora FLSA:211760
freebsd FreeBSD-SA-06:21
gentoo
  • GLSA-200609-13
  • GLSA-200611-24
hp
  • HPSBTU02168
  • HPSBUX02195
  • SSRT061237
mandriva MDKSA-2006:167
misc http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204676
openpkg OpenPKG-SA-2006.020
sectrack 1016883
secunia
  • 21996
  • 22002
  • 22009
  • 22012
  • 22017
  • 22027
  • 22033
  • 22034
  • 22043
  • 22085
  • 22101
  • 22435
  • 22487
  • 22661
  • 23153
  • 23155
  • 23156
  • 23679
  • 24435
  • 24636
sgi 20061001-01-P
slackware SSA:2006-262
sunalert 102766
suse SUSE-SA:2006:056
trustix 2006-0052
ubuntu USN-349-1
vupen
  • ADV-2006-3695
  • ADV-2006-4275
  • ADV-2006-4750
  • ADV-2006-4760
  • ADV-2007-0092
  • ADV-2007-0832
  • ADV-2007-1171
xf gzip-unpack-buffer-underflow(29042)
statements via4
contributor Mark J Cox
lastmodified 2007-03-14
organization Red Hat
statement Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Last major update 07-03-2011 - 21:40
Published 19-09-2006 - 17:07
Last modified 17-10-2018 - 17:34