Synopsis :

The remote Debian host is missing a security-related update.

Description :

Tavis Ormandy from the Google Security Team discovered several
vulnerabilities in gzip, the GNU compression utility. The Common
Vulnerabilities and Exposures project identifies the following
problems :

- CVE-2006-4334
A null pointer dereference may lead to denial of service
if gzip is used in an automated manner.

- CVE-2006-4335
Missing boundary checks may lead to stack modification,
allowing execution of arbitrary code.

- CVE-2006-4336
A buffer underflow in the pack support code may lead to
execution of arbitrary code.

- CVE-2006-4337
A buffer underflow in the LZH support code may lead to
execution of arbitrary code.

- CVE-2006-4338
An infinite loop may lead to denial of service if gzip
is used in an automated manner.

See also :

http://security-tracker.debian.org/tracker/CVE-2006-4334
http://security-tracker.debian.org/tracker/CVE-2006-4335
http://security-tracker.debian.org/tracker/CVE-2006-4336
http://security-tracker.debian.org/tracker/CVE-2006-4337
http://security-tracker.debian.org/tracker/CVE-2006-4338
http://www.debian.org/security/2006/dsa-1181

Solution :

Upgrade the gzip package.

For the stable distribution (sarge) these problems have been fixed in
version 1.3.5-10sarge2.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)