CVE-2009-1391
Published 2009-06-16
CVE-2009-1391: Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS, SpamAssassin, and possibly other…
Priority P2 · 68 · medium · 6.8 · CVSS 2.0
AV:N/AC:M/Au:N/C:P/I:P/A:P
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 7.08% (93.4th percentile)
Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS, SpamAssassin, and possibly other products, allows context-dependent attackers to cause a denial of service (hang or crash) via a crafted zlib compressed stream that triggers a heap-based buffer overflow, as exploited in the wild by Trojan.Downloader-71014 in June 2009.
Affected
36 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bzip | compress-raw-bzip2 | <= 2.017 | — |
| debian | libcompress-raw-bzip2-perl | < libcompress-raw-bzip2-perl 2.018-1 (bookworm) | libcompress-raw-bzip2-perl 2.018-1 (bookworm) |
| debian | libcompress-raw-zlib-perl | < libcompress-raw-zlib-perl 2.015-2 (bookworm) | libcompress-raw-zlib-perl 2.015-2 (bookworm) |
| debian | perl | < libcompress-raw-zlib-perl 2.015-2 (bookworm) | libcompress-raw-zlib-perl 2.015-2 (bookworm) |
| paul_marquess | compress-raw-zlib_perl_module | <= 2.015 | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered by a crafted zlib compressed stream delivered via email (e.g. inside a ZIP attachment) that causes a heap-based buffer overflow in the inflate() function of Compress::Raw::Zlib before 2.017. Monitor mail-scanning processes (amavisd-new, SpamAssassin) for hangs or crashes when processing ZIP/zlib-compressed attachments.
- Archive::Zip (used by amavisd-new) uses a default ChunkSize of 32768, making it particularly susceptible; the process hangs when processing the malicious ZIP file.
- The root cause is that Compress::Raw::Zlib's inflate NUL-terminates the output buffer (*SvEND(output) = '\0') even when there is no space remaining, causing a heap off-by-one. The fix adds '+1' to buffer allocation in Sv_Grow calls.
- Only Compress::Raw::Zlib versions before 2.017 are vulnerable. Upgrading to 2.017 or later (or the patched perl packages) resolves the issue.
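The off-by-one described in the root-cause note above, as a simplified C model. This is an added example, not code from Zlib.xs or from the sources this page quotes: the struct and function names are hypothetical, the input is constructed, and the out-of-bounds terminator store is detected and skipped rather than performed. The chunk size 32768 is the Archive::Zip default quoted above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the output scalar's string buffer. */
struct outbuf {
    char  *p;    /* heap allocation */
    size_t cap;  /* bytes allocated */
    size_t cur;  /* bytes of output stored so far */
};

/* Make room for `extra` more bytes after the current end of data. */
static int grow(struct outbuf *o, size_t extra) {
    char *n = realloc(o->p, o->cur + extra);
    if (n == NULL) return -1;
    o->p = n;
    o->cap = o->cur + extra;
    return 0;
}

/* Append n bytes in chunk-sized steps, then NUL-terminate.
 * reserve_nul == 0: grow by chunk      (pattern before the fix)
 * reserve_nul == 1: grow by chunk + 1  (pattern of the fix)
 * Returns 0 if the terminator fits, 1 if it would land one byte past the
 * allocation (the store is skipped here), -1 on allocation failure. */
static int fill_and_terminate(struct outbuf *o, const char *src, size_t n,
                              size_t chunk, int reserve_nul) {
    size_t done = 0;
    do {
        if (grow(o, chunk + (reserve_nul ? 1 : 0)) != 0) return -1;
        size_t take = (n - done < chunk) ? n - done : chunk;
        memcpy(o->p + o->cur, src + done, take);
        o->cur += take; done += take;
    } while (done < n);
    if (o->cur >= o->cap) return 1;   /* index cur == cap: out of bounds */
    o->p[o->cur] = '\0';
    return 0;
}

/* Run one case on constructed input: n bytes of 'A'. */
int terminator_check(size_t n, size_t chunk, int reserve_nul) {
    struct outbuf o = {NULL, 0, 0};
    char *src = malloc(n ? n : 1);
    if (src == NULL) return -1;
    memset(src, 'A', n);
    int rc = fill_and_terminate(&o, src, n, chunk, reserve_nul);
    free(src); free(o.p);
    return rc;
}

int main(void) {
    printf("%d %d\n", terminator_check(32768, 32768, 0), terminator_check(32768, 32768, 1));
    return 0;
}
```

The terminator only falls outside the allocation when the output fills the last chunk exactly, which is why the failure depends on the stream's contents and the caller's chunk size.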
CVSS provenance
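| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 6.8 | MEDIUM | — |
| vulncheck | — | 6.8 | MEDIUM | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_debian | — | 6.8 | MEDIUM | — |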
GHSA
GHSA-353f-jcfv-fpmh: Off-by-one error in the inflate function in Zlib
ghsa_unreviewed·2022-05-02
CVE-2009-1391 [MEDIUM] GHSA-353f-jcfv-fpmh: Off-by-one error in the inflate function in Zlib
Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS, SpamAssassin, and possibly other products, allows context-dependent attackers to cause a denial of service (hang or crash) via a crafted zlib compressed stream that triggers a heap-based buffer overflow, as exploited in the wild by Trojan.Downloader-71014 in June 2009.
GHSA
GHSA-4x36-p66f-4f99: Off-by-one error in the bzinflate function in Bzip2
ghsa_unreviewed·2022-05-02·CVSS 6.8
CVE-2009-1884 [MEDIUM] GHSA-4x36-p66f-4f99: Off-by-one error in the bzinflate function in Bzip2
Off-by-one error in the bzinflate function in Bzip2.xs in the Compress-Raw-Bzip2 module before 2.018 for Perl allows context-dependent attackers to cause a denial of service (application hang or crash) via a crafted bzip2 compressed stream that triggers a buffer overflow, a related issue to CVE-2009-1391.
OSV
CVE-2009-1884: Off-by-one error in the bzinflate function in Bzip2
osv·2009-08-19·CVSS 6.8
CVE-2009-1884 [MEDIUM] CVE-2009-1884: Off-by-one error in the bzinflate function in Bzip2
Off-by-one error in the bzinflate function in Bzip2.xs in the Compress-Raw-Bzip2 module before 2.018 for Perl allows context-dependent attackers to cause a denial of service (application hang or crash) via a crafted bzip2 compressed stream that triggers a buffer overflow, a related issue to CVE-2009-1391.
OSV
CVE-2009-1391: Off-by-one error in the inflate function in Zlib
osv·2009-06-16·CVSS 6.8
CVE-2009-1391 [MEDIUM] CVE-2009-1391: Off-by-one error in the inflate function in Zlib
Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS, SpamAssassin, and possibly other products, allows context-dependent attackers to cause a denial of service (hang or crash) via a crafted zlib compressed stream that triggers a heap-based buffer overflow, as exploited in the wild by Trojan.Downloader-71014 in June 2009.
VulnCheck
AMaViS, SpamAssassin Compress::Raw::Zlib Perl Module Denial of Service
vulncheck·2009·CVSS 6.8
CVE-2009-1391 [MEDIUM] AMaViS, SpamAssassin Compress::Raw::Zlib Perl Module Denial of Service
Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS, SpamAssassin, and possibly other products, allows context-dependent attackers to cause a denial of service (hang or crash) via a crafted zlib compressed stream that triggers a heap-based buffer overflow, as exploited in the wild by Trojan.Downloader-71014 in June 2009.
Affected: paul_marquess compress-raw-zlib_perl_module
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://nvd.nist.gov/vuln/detail/CVE-2009-1391; https://www.cve.org/CVERecord?id=CVE-2009-1391
Red Hat
(32-bit): Multiple integer overflows in the printf implementation
vendor_redhat·2009-09-03·CVSS 7.5
CVE-2009-4880 [HIGH] CWE-190 (32-bit): Multiple integer overflows in the printf implementation
Multiple integer overflows in the strfmon implementation in the GNU C Library (aka glibc or libc6) 2.10.1 and earlier allow context-dependent attackers to cause a denial of service (memory consumption or application crash) via a crafted format string, as demonstrated by a crafted first argument to the money_format function in PHP, a related issue to CVE-2008-1391.
Statement: Red Hat does not consider this bug to be a security issue. Properly written application should not use arbitrary untrusted data as part of the format string passed to functions as strfmon or printf family functions.
Red Hat
perl-Compress-Raw-Bzip2: Off-by-one error in the bzinflate function - DoS (crash)
vendor_redhat·2009-08-18·CVSS 6.8
CVE-2009-1884 [MEDIUM] CWE-193 perl-Compress-Raw-Bzip2: Off-by-one error in the bzinflate function - DoS (crash)
Off-by-one error in the bzinflate function in Bzip2.xs in the Compress-Raw-Bzip2 module before 2.018 for Perl allows context-dependent attackers to cause a denial of service (application hang or crash) via a crafted bzip2 compressed stream that triggers a buffer overflow, a related issue to CVE-2009-1391.
Ubuntu
Perl vulnerability
vendor_ubuntu·2009-07-02
CVE-2009-1391 Perl vulnerability
Title: Perl vulnerability
Summary: Perl vulnerability
It was discovered that the Compress::Raw::Zlib Perl module incorrectly
handled certain zlib compressed streams. If a user or automated system were
tricked into processing a specially crafted compressed stream or file, a
remote attacker could crash the application, leading to a denial of
service.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Debian
CVE-2009-1391: libcompress-raw-zlib-perl - Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl ...
vendor_debian·2009·CVSS 6.8
CVE-2009-1391 [MEDIUM] CVE-2009-1391: libcompress-raw-zlib-perl - Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl ...
Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS, SpamAssassin, and possibly other products, allows context-dependent attackers to cause a denial of service (hang or crash) via a crafted zlib compressed stream that triggers a heap-based buffer overflow, as exploited in the wild by Trojan.Downloader-71014 in June 2009.
Scope: local
bookworm: resolved (fixed in 2.015-2)
bullseye: resolved (fixed in 2.015-2)
forky: resolved (fixed in 2.015-2)
sid: resolved (fixed in 2.015-2)
trixie: resolved (fixed in 2.015-2)
Debian
CVE-2009-1884: libcompress-raw-bzip2-perl - Off-by-one error in the bzinflate function in Bzip2.xs in the Compress-Raw-Bzip2...
vendor_debian·2009·CVSS 6.8
CVE-2009-1884 [MEDIUM] CVE-2009-1884: libcompress-raw-bzip2-perl - Off-by-one error in the bzinflate function in Bzip2.xs in the Compress-Raw-Bzip2...
Off-by-one error in the bzinflate function in Bzip2.xs in the Compress-Raw-Bzip2 module before 2.018 for Perl allows context-dependent attackers to cause a denial of service (application hang or crash) via a crafted bzip2 compressed stream that triggers a buffer overflow, a related issue to CVE-2009-1391.
Scope: local
bookworm: resolved (fixed in 2.018-1)
bullseye: resolved (fixed in 2.018-1)
forky: resolved (fixed in 2.018-1)
sid: resolved (fixed in 2.018-1)
trixie: resolved (fixed in 2.018-1)
Red Hat
(32-bit): Integer overflow in the __vstrfmon_l function
vendor_redhat·2008-03-25·CVSS 7.5
CVE-2009-4881 [HIGH] CWE-190 (32-bit): Integer overflow in the __vstrfmon_l function
Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in the strfmon implementation in the GNU C Library (aka glibc or libc6) before 2.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted format string, as demonstrated by the %99999999999999999999n string, a related issue to CVE-2008-1391.
Statement: Red Hat does not consider this bug to be a security issue. Properly written application should not use arbitrary untrusted data as part of the format string passed to functions as strfmon or printf family functions.
No detection rules found.
Bugzilla
CVE-2009-4881 glibc (32-bit): Integer overflow in the __vstrfmon_l function
bugzilla·2010-06-02·CVSS 7.5
CVE-2009-4881 [HIGH] CVE-2009-4881 glibc (32-bit): Integer overflow in the __vstrfmon_l function
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4881 to
the following vulnerability:
Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in
the strfmon implementation in the GNU C Library (aka glibc or libc6)
before 2.10.1 allows context-dependent attackers to cause a denial of
service (application crash) via a crafted format string, as
demonstrated by the %99999999999999999999n string, a related issue to
CVE-2008-1391.
References:
[1] http://sources.redhat.com/bugzilla/show_bug.cgi?id=10600
[2] http://sourceware.org/git/?p=glibc.git;a=commit;h=153aa31b93be22e01b236375fb02a9f9b9a0195f
[3] http://sources.redhat.com/bugzilla/show_bug.cgi?id=10600
[4] http://securityreason.com/a
Bugzilla
CVE-2009-4880 glibc (32-bit): Multiple integer overflows in the printf implementation
bugzilla·2010-06-02·CVSS 7.5
CVE-2009-4880 [HIGH] CVE-2009-4880 glibc (32-bit): Multiple integer overflows in the printf implementation
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4880 to
the following vulnerability:
Multiple integer overflows in the strfmon implementation in the GNU C
Library (aka glibc or libc6) 2.10.1 and earlier allow
context-dependent attackers to cause a denial of service (memory
consumption or application crash) via a crafted format string, as
demonstrated by a crafted first argument to the money_format function
in PHP, a related issue to CVE-2008-1391.
References:
[1] http://securityreason.com/achievement_securityalert/67
[2] https://bugzilla.redhat.com/show_bug.cgi?id=524671
[3] http://sources.redhat.com/bugzilla/show_bug.cgi?id=10600
[4] http://sourceware.org/git/?p=glibc.git;a=commit
Bugzilla
CVE-2009-3637 alienarena: Buffer overflow by processing specially-crafted UDP reply from game server (ACE)
bugzilla·2009-10-23·CVSS 10.0
CVE-2009-3637 [CRITICAL] CVE-2009-3637 alienarena: Buffer overflow by processing specially-crafted UDP reply from game server (ACE)
Buffer overflow flaw was found in the way used to validate remote game servers
to be added into the server list. A remote attacker sending a specially-crafted
UDP reply from game server could execute arbitrary code on the side
and with the privileges of alienarena game client.
References:
http://www.ngssoftware.com/brochures/Anonymous.Remote.Arbitrary.Code.Execution.in.Alien.Arena.pdf (More descriptive issue details)
http://icculus.org/alienarena/changelogs/7.31.txt
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552038
Upstream patch:
http://svn.icculus.org/alienarena/trunk/source/client/menu.c?r1=1383&r2=1391
(Merge of both revisions: 1390 and 1391, you might want to have a look
Bugzilla
CVE-2009-1884 perl-Compress-Raw-Bzip2: Off-by-one error in the bzinflate function - DoS (crash)
bugzilla·2009-08-19·CVSS 6.8
CVE-2009-1884 [MEDIUM] CVE-2009-1884 perl-Compress-Raw-Bzip2: Off-by-one error in the bzinflate function - DoS (crash)
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1884 to
the following vulnerability:
Off-by-one error in the bzinflate function in Bzip2.xs in the
Compress-Raw-Bzip2 module before 2.018 for Perl allows
context-dependent attackers to cause a denial of service (application
hang or crash) via a crafted bzip2 compressed stream that triggers a
buffer overflow, a related issue to CVE-2009-1391.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1884
https://bugs.gentoo.org/show_bug.cgi?id=281955
Discussion:
This issue affects the versions of perl-Compress-Raw-Bzip2 package,
as shipped with Fedora releases of 10 an
Bugzilla
CVE-2009-1391 Buffer overflow in Compress::Raw::Zlib
bugzilla·2009-06-05·CVSS 6.8
CVE-2009-1391 [MEDIUM] CVE-2009-1391 Buffer overflow in Compress::Raw::Zlib
Created attachment 346729
Test case that triggers the buffer overflow
Description of problem:
Compress::Raw::Zlib versions before 2.017 contain a buffer overflow in inflate().
A badly formed zlib-stream can trigger this buffer overflow and cause the perl process at least to hang or to crash.
There is an e-mail virus in circulation that contains a zip file that causes such a memory corruption when being uncompressed using perl-applications that depend on Compress::Raw::Zlib. (E.g. spamassassin and amavisd-new.)
(See http://thread.gmane.org/gmane.mail.virus.amavis.user/33635.)
Version-Release number of selected component (if applicable):
perl-5.10.0-68.fc10.i386 for Fedora 10
perl-5.8.8-18.el5_3.1 for RHEL5
How reproducible:
Use th
http://article.gmane.org/gmane.mail.virus.amavis.user/33635
http://article.gmane.org/gmane.mail.virus.amavis.user/33638
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html
http://osvdb.org/55041
http://secunia.com/advisories/35422
http://secunia.com/advisories/35685
http://secunia.com/advisories/35689
http://secunia.com/advisories/35876
http://security.gentoo.org/glsa/glsa-200908-07.xml
http://thread.gmane.org/gmane.mail.virus.amavis.user/33635
http://www.mandriva.com/security/advisories?name=MDVSA-2009:157
http://www.securityfocus.com/bid/35307
http://www.vupen.com/english/advisories/2009/1571
https://bugs.gentoo.org/show_bug.cgi?id=273141
https://bugzilla.redhat.com/show_bug.cgi?id=504386
https://exchange.xforce.ibmcloud.com/vulnerabilities/51062
https://usn.ubuntu.com/794-1/
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00607.html