CVE-2009-2624

CWE-20 — Improper Input Validation8 documents8 sources

Severity

6.8MEDIUM

EPSS

7.3%

top 8.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Gzip

Timeline

PublishedJan 29

Latest updateMay 2

Description

The huft_build function in inflate.c in gzip before 1.3.13 creates a hufts (aka huffman) table that is too small, which allows remote attackers to cause a denial of service (application crash or infinite loop) or possibly execute arbitrary code via a crafted archive. NOTE: this issue is caused by a CVE-2006-4334 regression.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶Debiangzip< 1.3.12-8+3

▶NVDgnu/gzip1.3.12+14

🔴Vulnerability Details

GHSA

GHSA-fx63-8q93-pfr5: The huft_build function in inflate↗2022-05-02

▶

CVEList

CVE-2009-2624: The huft_build function in inflate↗2010-01-29

▶

OSV

CVE-2009-2624: The huft_build function in inflate↗2010-01-29

▶

📋Vendor Advisories

Ubuntu

gzip vulnerabilities↗2010-01-20

▶

Red Hat

gzip: Missing input sanitation by decompressing dynamic Huffman code blocks↗2010-01-20

▶

Debian

CVE-2009-2624: gzip - The huft_build function in inflate.c in gzip before 1.3.13 creates a hufts (aka ...↗2009

▶

💬Community

Bugzilla

CVE-2009-2624 gzip: Missing input sanitation by decompressing dynamic Huffman code blocks↗2009-07-30

▶