What is the severity of CVE-2009-2624?

CVE-2009-2624 is categorized as a denial of service vulnerability due to a missing input sanitation flaw in gzip.

How do I fix CVE-2009-2624?

To fix CVE-2009-2624, upgrade to the latest version of gzip that addresses the vulnerability.

Which versions of gzip are affected by CVE-2009-2624?

Versions 1.3.1 to 1.3.12 of GNU gzip are affected by CVE-2009-2624.

What are the risks of not addressing CVE-2009-2624?

Not addressing CVE-2009-2624 may leave systems vulnerable to denial of service attacks leading to crashes.

How can I check if my system is vulnerable to CVE-2009-2624?

You can check if your system is vulnerable to CVE-2009-2624 by verifying the version of gzip installed on your system.

Vulnerability/
CVE-2009-2624

medium

6.8

CWE

30/7/2009

29/1/2010

7/8/2024

CVE-2009-2624: Input Validation

First published: Thu Jul 30 2009(Updated: )

A missing input sanitation flaw was found in the way gzip used to decompress data blocks for dynamic Huffman codes. A remote attacker could provide a specially-crafted gzip compressed data archive, which once opened by a local, unsuspecting user would lead to denial of service (gzip crash) or, potentially, to arbitrary code execution with the privileges of the user running gzip. Upstream patch: --------------- <a href="http://git.savannah.gnu.org/cgit/gzip.git/commit/?id=39a362ae9d9b007473381dba5032f4dfc1744cf2">http://git.savannah.gnu.org/cgit/gzip.git/commit/?id=39a362ae9d9b007473381dba5032f4dfc1744cf2</a> CVE Note: --------- This flaw reportedly exists due to re-introduction of <a href="https://access.redhat.com/security/cve/CVE-2006-4334">CVE-2006-4334</a> issue: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334</a> in upstream gzip version (originally fixed in gzip-v1.3.6, reintroduced later in gzip-v1.3.10 and fixed again with above commit -- in gzip-v.1.3.13). Credit: ------- Oulu University Secure Programming Group (OUSPG)

Credit: cret@cert.org

Affected Software	Affected Version	How to fix
gzip	=1.3.1
gzip	=1.3.8
gzip	<=1.3.12
gzip	=1.3
gzip	=1.3.3
gzip	=1.3.11
gzip	=1.3.6
gzip	=1.3.2
gzip	=1.2.4
gzip	=1.3.10
gzip	=1.3.5
gzip	=1.3.7
gzip	=1.2.4a
gzip	=1.3.9
gzip	=1.3.4

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2009-2624?
CVE-2009-2624 is categorized as a denial of service vulnerability due to a missing input sanitation flaw in gzip.
How do I fix CVE-2009-2624?
To fix CVE-2009-2624, upgrade to the latest version of gzip that addresses the vulnerability.
Which versions of gzip are affected by CVE-2009-2624?
Versions 1.3.1 to 1.3.12 of GNU gzip are affected by CVE-2009-2624.
What are the risks of not addressing CVE-2009-2624?
Not addressing CVE-2009-2624 may leave systems vulnerable to denial of service attacks leading to crashes.
How can I check if my system is vulnerable to CVE-2009-2624?
You can check if your system is vulnerable to CVE-2009-2624 by verifying the version of gzip installed on your system.

agent/references
agent/type
agent/first-publish-date
collector/mitre-cve
source/MITRE
agent/author
agent/weakness
agent/last-modified-date
agent/severity
agent/description
agent/event
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2009-2624
agent/trending
agent/source
agent/softwarecombine
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
collector/nvd-historical
vendor/gnu
canonical/gnu gzip
version/gnu gzip/1.3.12
version/gnu gzip/1.2.4
version/gnu gzip/1.2.4a
version/gnu gzip/1.3
version/gnu gzip/1.3.1
version/gnu gzip/1.3.2
version/gnu gzip/1.3.3
version/gnu gzip/1.3.4
version/gnu gzip/1.3.5
version/gnu gzip/1.3.6
version/gnu gzip/1.3.7
version/gnu gzip/1.3.8
version/gnu gzip/1.3.9
version/gnu gzip/1.3.10
version/gnu gzip/1.3.11