{"id": "CVE-2008-1372", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2008-03-18T21:44:00.000", "references": [{"url": "ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-004.txt.asc", "source": "cve@mitre.org"}, {"url": "http://kb.vmware.com/kb/1006982", "source": "cve@mitre.org"}, {"url": "http://kb.vmware.com/kb/1007198", "source": "cve@mitre.org"}, {"url": "http://kb.vmware.com/kb/1007504", "source": "cve@mitre.org"}, {"url": "http://lists.apple.com/archives/security-announce/2009/Aug/msg00001.html", "source": "cve@mitre.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/29410", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/29475", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/29497", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/29506", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/29656", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/29677", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/29698", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/29940", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/31204", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/31869", "source": "cve@mitre.org"}, {"url": 
"http://secunia.com/advisories/31878", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/36096", "source": "cve@mitre.org"}, {"url": "http://security.gentoo.org/glsa/glsa-200903-40.xml", "source": "cve@mitre.org"}, {"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-241786-1", "source": "cve@mitre.org"}, {"url": "http://support.apple.com/kb/HT3757", "source": "cve@mitre.org"}, {"url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0118", "source": "cve@mitre.org"}, {"url": "http://www.bzip.org/CHANGES", "source": "cve@mitre.org"}, {"url": "http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html", "source": "cve@mitre.org"}, {"url": "http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/", "source": "cve@mitre.org"}, {"url": "http://www.gentoo.org/security/en/glsa/glsa-200804-02.xml", "source": "cve@mitre.org"}, {"url": "http://www.ipcop.org/index.php?name=News&file=article&sid=40", "source": "cve@mitre.org"}, {"url": "http://www.kb.cert.org/vuls/id/813451", "tags": ["US Government Resource"], "source": "cve@mitre.org"}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:075", "source": "cve@mitre.org"}, {"url": "http://www.redhat.com/support/errata/RHSA-2008-0893.html", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/489968/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/498863/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/28286", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://www.securitytracker.com/id?1020867", "source": "cve@mitre.org"}, {"url": "http://www.slackware.org/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.473263", "source": "cve@mitre.org"}, {"url": "http://www.us-cert.gov/cas/techalerts/TA09-218A.html", "tags": ["US Government Resource"], "source": "cve@mitre.org"}, {"url": 
"http://www.vupen.com/english/advisories/2008/0915", "source": "cve@mitre.org"}, {"url": "http://www.vupen.com/english/advisories/2008/2557", "source": "cve@mitre.org"}, {"url": "http://www.vupen.com/english/advisories/2009/2172", "source": "cve@mitre.org"}, {"url": "https://bugs.gentoo.org/attachment.cgi?id=146488&action=view", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41249", "source": "cve@mitre.org"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10067", "source": "cve@mitre.org"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6467", "source": "cve@mitre.org"}, {"url": "https://usn.ubuntu.com/590-1/", "source": "cve@mitre.org"}, {"url": "https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00165.html", "source": "cve@mitre.org"}, {"url": "https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00225.html", "source": "cve@mitre.org"}, {"url": "ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-004.txt.asc", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://kb.vmware.com/kb/1006982", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://kb.vmware.com/kb/1007198", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://kb.vmware.com/kb/1007504", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.apple.com/archives/security-announce/2009/Aug/msg00001.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/29410", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/29475", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/29497", "source": 
"af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/29506", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/29656", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/29677", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/29698", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/29940", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/31204", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/31869", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/31878", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/36096", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://security.gentoo.org/glsa/glsa-200903-40.xml", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-241786-1", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://support.apple.com/kb/HT3757", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0118", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.bzip.org/CHANGES", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.gentoo.org/security/en/glsa/glsa-200804-02.xml", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.ipcop.org/index.php?name=News&file=article&sid=40", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": 
"http://www.kb.cert.org/vuls/id/813451", "tags": ["US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:075", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.redhat.com/support/errata/RHSA-2008-0893.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/archive/1/489968/100/0/threaded", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/archive/1/498863/100/0/threaded", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/28286", "tags": ["Exploit"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securitytracker.com/id?1020867", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.slackware.org/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.473263", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.us-cert.gov/cas/techalerts/TA09-218A.html", "tags": ["US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.vupen.com/english/advisories/2008/0915", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.vupen.com/english/advisories/2008/2557", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.vupen.com/english/advisories/2009/2172", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://bugs.gentoo.org/attachment.cgi?id=146488&action=view", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41249", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10067", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6467", 
"source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://usn.ubuntu.com/590-1/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00165.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00225.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-119"}]}], "descriptions": [{"lang": "en", "value": "bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite for Archive Formats."}, {"lang": "es", "value": "El archivo bzlib.c en bzip2 versiones anteriores a 1.0.5, permite a los atacantes remotos asistidos por el usuario causar una denegaci\u00f3n de servicio (bloqueo) por medio de un archivo dise\u00f1ado que activa una lectura excesiva del b\u00fafer, como es demostrado por el conjunto de pruebas PROTOS GENOME para Formatos de Archivo."}], "lastModified": "2025-04-09T00:30:58.490", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bzip:bzip2:0.9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3852E705-516A-4A5E-8095-93DCF8DB15DB"}, {"criteria": "cpe:2.3:a:bzip:bzip2:0.9.5a:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D8AD6CE9-FCE5-4926-A1D1-0706DFE4A6D4"}, {"criteria": "cpe:2.3:a:bzip:bzip2:0.9.5b:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D54DD36D-7A6C-4649-855A-D81F29FFB6C9"}, {"criteria": "cpe:2.3:a:bzip:bzip2:0.9.5c:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0B87D623-6CF8-4BDB-A9FB-CF07589AF1CB"}, {"criteria": "cpe:2.3:a:bzip:bzip2:0.9.5d:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5FE3BFE7-75B6-4284-9EDC-78D452CD9174"}, 
{"criteria": "cpe:2.3:a:bzip:bzip2:0.9_a:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E3992967-645A-45E1-979E-6866B50AA642"}, {"criteria": "cpe:2.3:a:bzip:bzip2:0.9_b:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "980AE5B2-11A7-4672-B221-DF660F20667F"}, {"criteria": "cpe:2.3:a:bzip:bzip2:0.9_c:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1DC33019-390A-428F-B119-139CA5949AE4"}, {"criteria": "cpe:2.3:a:bzip:bzip2:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B10B3BF9-BE42-468D-89E8-8D4A5FEDC734"}, {"criteria": "cpe:2.3:a:bzip:bzip2:1.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E55F00B1-D48B-40A6-872F-959598D7E6E4"}, {"criteria": "cpe:2.3:a:bzip:bzip2:1.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CB5DBC5B-C1C4-487E-B40D-8925FDA13D1E"}, {"criteria": "cpe:2.3:a:bzip:bzip2:1.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C02B0664-E473-4131-8228-96BB5FBC4F7F"}], "operator": "OR"}]}], "vendorComments": [{"comment": "Red Hat has re-evaluated the potential impact of this flaw and has released an update which corrects this behavior:\nhttp://rhn.redhat.com/errata/RHSA-2008-0893.html", "lastModified": "2008-10-17T00:00:00", "organization": "Red Hat"}], "sourceIdentifier": "cve@mitre.org"}