cbcvebase.
CVE-2009-1391
published 2009-06-16

CVE-2009-1391: Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS, SpamAssassin, and possibly other…

PriorityP268medium6.8CVSS 2.0
AVNACMAuNCPIPAP
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
7.08%
93.4th percentile
Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS, SpamAssassin, and possibly other products, allows context-dependent attackers to cause a denial of service (hang or crash) via a crafted zlib compressed stream that triggers a heap-based buffer overflow, as exploited in the wild by Trojan.Downloader-71014 in June 2009.

Affected

36 ranges· showing 25
VendorProductVersion rangeFixed in
bzipcompress-raw-bzip2<= 2.017
bzipcompress-raw-bzip2
bzipcompress-raw-bzip2
bzipcompress-raw-bzip2
bzipcompress-raw-bzip2
bzipcompress-raw-bzip2
bzipcompress-raw-bzip2
bzipcompress-raw-bzip2
bzipcompress-raw-bzip2
bzipcompress-raw-bzip2
bzipcompress-raw-bzip2
bzipcompress-raw-bzip2
bzipcompress-raw-bzip2
bzipcompress-raw-bzip2
bzipcompress-raw-bzip2
bzipcompress-raw-bzip2
debianlibcompress-raw-bzip2-perl< libcompress-raw-bzip2-perl 2.018-1 (bookworm)libcompress-raw-bzip2-perl 2.018-1 (bookworm)
debianlibcompress-raw-zlib-perl< libcompress-raw-zlib-perl 2.015-2 (bookworm)libcompress-raw-zlib-perl 2.015-2 (bookworm)
debianperl< libcompress-raw-zlib-perl 2.015-2 (bookworm)libcompress-raw-zlib-perl 2.015-2 (bookworm)
paul_marquesscompress-raw-zlib_perl_module<= 2.015
paul_marquesscompress-raw-zlib_perl_module
paul_marquesscompress-raw-zlib_perl_module
paul_marquesscompress-raw-zlib_perl_module
paul_marquesscompress-raw-zlib_perl_module
paul_marquesscompress-raw-zlib_perl_module

Detection & IOCsextracted from sources · hover to see the quote

urlhttps://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/33032.tar.gz
pathCompress/Raw/Zlib/Zlib.so
  • The vulnerability is triggered by a crafted zlib compressed stream delivered via email (e.g. inside a ZIP attachment) that causes a heap-based buffer overflow in the inflate() function of Compress::Raw::Zlib before 2.017. Monitor mail-scanning processes (amavisd-new, SpamAssassin) for hangs or crashes when processing ZIP/zlib-compressed attachments.
  • Archive::Zip (used by amavisd-new) uses a default ChunkSize of 32768, making it particularly susceptible; the process hangs when processing the malicious ZIP file.
  • The root cause is that Compress::Raw::Zlib's inflate NUL-terminates the output buffer (*SvEND(output) = '\0') even when there is no space remaining, causing a heap off-by-one. The fix adds '+1' to buffer allocation in Sv_Grow calls.
  • ·Only Compress::Raw::Zlib versions before 2.017 are vulnerable. Upgrading to 2.017 or later (or the patched perl packages) resolves the issue.

CVSS provenance

nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv6.8MEDIUM
vulncheck6.8MEDIUM
vendor_redhat7.5HIGH
vendor_debian6.8MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.