CVE-2010-0001

NameCVE-2010-0001
DescriptionInteger underflow in the unlzw function in unlzw.c in gzip before 1.4 on 64-bit platforms, as used in ncompress and probably others, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted archive that uses LZW compression, leading to an array index error.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-1974-1, DSA-2074-1
Debian Bugs566002

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
busybox (PTS)jessie, jessie (lts)1:1.22.0-9+deb8u5fixed
stretch (security), stretch (lts), stretch1:1.22.0-19+deb9u2fixed
buster1:1.30.1-4fixed
bullseye1:1.30.1-6fixed
bookworm1:1.35.0-4fixed
sid, trixie1:1.37.0-4fixed
gzip (PTS)jessie, jessie (lts)1.6-4+deb8u1fixed
stretch (security), stretch (lts), stretch1.6-5+deb9u1fixed
buster (security), buster, buster (lts)1.9-3+deb10u1fixed
bullseye (security), bullseye1.10-4+deb11u1fixed
bookworm1.12-1fixed
sid, trixie1.12-1.2fixed
klibc (PTS)jessie2.0.4-2fixed
stretch (security), stretch (lts), stretch2.0.4-9+deb9u1fixed
buster2.0.6-1+deb10u1fixed
bullseye2.0.8-6.1fixed
bookworm2.0.12-1fixed
sid, trixie2.0.13-4fixed
ncompress (PTS)jessie4.2.4.4-9fixed
stretch4.2.4.4-16fixed
buster4.2.4.5-3fixed
bullseye4.2.4.6-4fixed
bookworm4.2.4.6-6fixed
sid, trixie5.0-2fixed
pristine-tar (PTS)jessie1.33fixed
stretch1.38fixed
buster1.46fixed
bullseye1.49fixed
bookworm1.50fixed
sid, trixie1.50+nmu2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
busyboxsource(unstable)(not affected)
gzipsourceetch1.3.5-15+etch1DSA-1974-1
gzipsourcelenny1.3.12-6+lenny1DSA-1974-1
gzipsource(unstable)1.3.12-9medium566002
klibcsource(unstable)(not affected)
linux-2.6source(unstable)(not affected)
ncompresssourcelenny4.2.4.2-1+lenny1DSA-2074-1
ncompresssource(unstable)4.2.4.3-1
pristine-tarsource(unstable)(not affected)

Notes

- linux-2.6 <not-affected> (does not include unlzw.c in its gzip code copy)
- klibc <not-affected> (does not include unlzw.c in its gzip code copy)
- busybox <not-affected> (does not include unlzw.c in its gzip code copy)
- pristine-tar <not-affected> (does not include unlzw.c in its gzip code copy)

Search for package or bug name: Reporting problems