CVE-2009-2624

Summary

CVE	CVE-2009-2624
State	PUBLISHED
Assigner	certcc
Source Priority	CVE Program / NVD first with legacy fallback
Published	2010-01-29 18:30:00 UTC
Updated	2026-04-29 01:13:23 UTC
Description	The huft_build function in inflate.c in gzip before 1.3.13 creates a hufts (aka huffman) table that is too small, which allows remote attackers to cause a denial of service (application crash or infinite loop) or possibly execute arbitrary code via a crafted archive. NOTE: this issue is caused by a CVE-2006-4334 regression.

Risk And Classification

Primary CVSS: v2.0 6.8 from [email protected]

AV:N/AC:M/Au:N/C:P/I:P/A:P

Problem Types: CWE-20 | n/a

CVSS v2.0 Breakdown

Access Vector

Network

Access Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Gnu	Gzip	1.2.4	All	All	All
Application	Gnu	Gzip	1.2.4a	All	All	All
Application	Gnu	Gzip	1.3	All	All	All
Application	Gnu	Gzip	1.3.1	All	All	All
Application	Gnu	Gzip	1.3.10	All	All	All
Application	Gnu	Gzip	1.3.11	All	All	All
Application	Gnu	Gzip	1.3.2	All	All	All
Application	Gnu	Gzip	1.3.3	All	All	All
Application	Gnu	Gzip	1.3.4	All	All	All
Application	Gnu	Gzip	1.3.5	All	All	All
Application	Gnu	Gzip	1.3.6	All	All	All
Application	Gnu	Gzip	1.3.7	All	All	All
Application	Gnu	Gzip	1.3.8	All	All	All
Application	Gnu	Gzip	1.3.9	All	All	All
Application	Gnu	Gzip	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Na	N/a	affected n/a	Not specified

References

Reference	Source	Link	Tags
Debian update for gzip - Advisories - Community	af854a3a-2127-422b-91ae-364da2661108	secunia.com	Vendor Advisory
Advisories \| Mandriva	af854a3a-2127-422b-91ae-364da2661108	www.mandriva.com
About the security content of Mac OS X v10.6.5 and Security Update 2010-007	af854a3a-2127-422b-91ae-364da2661108	support.apple.com
APPLE-SA-2010-11-10-1 Mac OS X v10.6.5 and Security Update 2010-007	af854a3a-2127-422b-91ae-364da2661108	lists.apple.com
GNU gzip "huft_build()" Input Sanitation Vulnerability - Advisories - Community	af854a3a-2127-422b-91ae-364da2661108	secunia.com	Vendor Advisory
Debian -- Security Information -- DSA-1974-1 gzip	af854a3a-2127-422b-91ae-364da2661108	www.debian.org
Ubuntu update for gzip - Advisories - Community	af854a3a-2127-422b-91ae-364da2661108	secunia.com	Vendor Advisory
Bug 514711 – CVE-2009-2624 gzip: Missing input sanitation by decompressing dynamic Huffman code blocks	af854a3a-2127-422b-91ae-364da2661108	bugzilla.redhat.com
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH	af854a3a-2127-422b-91ae-364da2661108	www.vupen.com
[security-announce] SUSE Security Announcement: acoread (SUSE-SA:2010:00	af854a3a-2127-422b-91ae-364da2661108	lists.opensuse.org
gzip.git - Unnamed repository; edit this file 'description' to name the repository.	af854a3a-2127-422b-91ae-364da2661108	git.savannah.gnu.org
USN-889-1: gzip vulnerabilities \| Ubuntu	af854a3a-2127-422b-91ae-364da2661108	www.ubuntu.com
#507263 - gzip: segfaults on deflate of malformed input file - Debian Bug report logs	af854a3a-2127-422b-91ae-364da2661108	bugs.debian.org
Gmane -- gzip 1.3.13 released major	af854a3a-2127-422b-91ae-364da2661108	article.gmane.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Organization	Published	Contributor	Statement
Red Hat	2010-02-02	Tomas Hoger	Not vulnerable. This issue did not affect the versions of gzip as shipped with Red Hat Enterprise Linux 3, 4, or 5.

There are currently no legacy QID mappings associated with this CVE.