CVE-2009-1391

Publication date 16 June 2009

Last updated 24 July 2024

Ubuntu priority

Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS, SpamAssassin, and possibly other products, allows context-dependent attackers to cause a denial of service (hang or crash) via a crafted zlib compressed stream that triggers a heap-based buffer overflow, as exploited in the wild by Trojan.Downloader-71014 in June 2009.

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
libcompress-raw-zlib-perl	9.04 jaunty	Fixed 2.015-1ubuntu0.1
	8.10 intrepid	Fixed 2.011-2ubuntu0.1
	8.04 LTS hardy	Fixed 2.008-1ubuntu0.1
	6.06 LTS dapper	Not in release
perl	9.04 jaunty	Fixed 5.10.0-19ubuntu1.1
	8.10 intrepid	Fixed 5.10.0-11.1ubuntu2.3
	8.04 LTS hardy	Not affected
	6.06 LTS dapper	Not affected

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
libcompress-raw-zlib-perl	Distro: http://patch-tracking.debian.net/patch/series/view/libcompress-raw-zlib-perl/2.015-2/CVE-2009-1391
perl	Distro: http://patch-tracking.debian.net/patch/misc/view/perl/5.10.0-23/ext/Compress/Raw/Zlib/Zlib.xs

CVE-2009-1391

Status

Patch details

References

Related Ubuntu Security Notices (USN)

Other references