CVE-2008-1372


bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite for Archive Formats.

Published: 2008-03-18 Last update: 2026-04-23 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2008-1372 is rated High Exploit Risk (63.1/100): CVSS Medium severity, with high exploitation likelihood (EPSS 7.74%, 92nd percentile). Core evidence: 1 public exploit reference is indexed (Exploit-DB). Mandatory action: public exploits are available; assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2008-1372

EDB-ID | Source | Kind | Published | Link
(not listed) | nvd_ref | exploit_tag | (not listed) | Exploit-DB

Exploit prediction scoring system (EPSS) score for CVE-2008-1372

EPSS summary: the daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (higher percentile = higher relative rank).

# | Date | Old EPSS score | New EPSS score | Delta (New - Old)
1 | 2025-11-17 | 8.87% | 7.74% | -1.13%
2 | 2025-10-07 | 7.48% | 8.87% | +1.39%
3 | 2025-05-07 | (not listed) | 7.48% | (not listed)

Full EPSS history (14 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2008-1372

CVSS metrics for this CVE.

Base score | Version | Severity | Vector | Exploitability | Impact | Score source
4.3 | 2.0 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P | 8.6 | 2.9 | [email protected]

Vector breakdown:
Access vector (AV:N): exploitable remotely over the network.
Access complexity (AC:M): exploitation needs some favorable conditions, but not exceptional ones.
Authentication (Au:N): no authentication is required.
Confidentiality impact (C:N): no confidentiality impact.
Integrity impact (I:N): no integrity impact.
Availability impact (A:P): partial availability impact.

Weakness enumeration for CVE-2008-1372

OS Trackers for CVE-2008-1372

Vendor | Priority | Summary | Link
debian | low | CVE-2008-1372 low priority: Debian, 1 source package (bzip2), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2008-1372
gentoo | normal | CVE-2008-1372: 2 GLSAs (200804-02, 200903-40), 2 atoms (app-admin/analog, app-arch/bzip2); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2008-1372
redhat | medium | (no summary) | https://access.redhat.com/security/cve/CVE-2008-1372
suse | medium | CVE-2008-1372 severity moderate: SUSE, 25 source package names (bzip2-1.0.5-34.246, bzip2-1.0.5-34.253.1, …), 35 product×package rows across 9 product lines (SUSE Linux Enterprise Server 11 SP1, SUSE Linux Enterprise Server 11 SP2, …): Fixed 35. | https://www.suse.com/security/cve/CVE-2008-1372/
ubuntu | medium | CVE-2008-1372 medium priority: Ubuntu, 1 source package (bzip2), 5 status rows across 5 suites (dapper, edgy, feisty, gutsy, upstream): released 5. | https://ubuntu.com/security/CVE-2008-1372

Vendor comments (NVD) for CVE-2008-1372

  • Red Hat (2008-10-17T00:00:00)

    Red Hat has re-evaluated the potential impact of this flaw and has released an update which corrects this behavior: http://rhn.redhat.com/errata/RHSA-2008-0893.html

Affected software / configurations for CVE-2008-1372

Vendor Product Version Raw CPE
bzip bzip2 0.9 cpe:2.3:a:bzip:bzip2:0.9:*:*:*:*:*:*:*
bzip bzip2 0.9.5a cpe:2.3:a:bzip:bzip2:0.9.5a:*:*:*:*:*:*:*
bzip bzip2 0.9.5b cpe:2.3:a:bzip:bzip2:0.9.5b:*:*:*:*:*:*:*
bzip bzip2 0.9.5c cpe:2.3:a:bzip:bzip2:0.9.5c:*:*:*:*:*:*:*
bzip bzip2 0.9.5d cpe:2.3:a:bzip:bzip2:0.9.5d:*:*:*:*:*:*:*
bzip bzip2 0.9_a cpe:2.3:a:bzip:bzip2:0.9_a:*:*:*:*:*:*:*
bzip bzip2 0.9_b cpe:2.3:a:bzip:bzip2:0.9_b:*:*:*:*:*:*:*
bzip bzip2 0.9_c cpe:2.3:a:bzip:bzip2:0.9_c:*:*:*:*:*:*:*
bzip bzip2 1.0 cpe:2.3:a:bzip:bzip2:1.0:*:*:*:*:*:*:*
bzip bzip2 1.0.1 cpe:2.3:a:bzip:bzip2:1.0.1:*:*:*:*:*:*:*
bzip bzip2 1.0.2 cpe:2.3:a:bzip:bzip2:1.0.2:*:*:*:*:*:*:*
bzip bzip2 1.0.3 cpe:2.3:a:bzip:bzip2:1.0.3:*:*:*:*:*:*:*

References for CVE-2008-1372

URL Tags
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-004.txt.asc
http://kb.vmware.com/kb/1006982
http://kb.vmware.com/kb/1007198
http://kb.vmware.com/kb/1007504
http://lists.apple.com/archives/security-announce/2009/Aug/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html
http://secunia.com/advisories/29410
http://secunia.com/advisories/29475
http://secunia.com/advisories/29497
http://secunia.com/advisories/29506
http://secunia.com/advisories/29656
http://secunia.com/advisories/29677
http://secunia.com/advisories/29698
http://secunia.com/advisories/29940
http://secunia.com/advisories/31204
http://secunia.com/advisories/31869
http://secunia.com/advisories/31878
http://secunia.com/advisories/36096
http://security.gentoo.org/glsa/glsa-200903-40.xml
http://sunsolve.sun.com/search/document.do?assetkey=1-26-241786-1
http://support.apple.com/kb/HT3757
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0118
http://www.bzip.org/CHANGES
http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html
http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/
http://www.gentoo.org/security/en/glsa/glsa-200804-02.xml
http://www.ipcop.org/index.php?name=News&file=article&sid=40
http://www.kb.cert.org/vuls/id/813451 US Government Resource
http://www.mandriva.com/security/advisories?name=MDVSA-2008:075
http://www.redhat.com/support/errata/RHSA-2008-0893.html
http://www.securityfocus.com/archive/1/489968/100/0/threaded
http://www.securityfocus.com/archive/1/498863/100/0/threaded
http://www.securityfocus.com/bid/28286 Exploit
http://www.securitytracker.com/id?1020867
http://www.slackware.org/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.473263
http://www.us-cert.gov/cas/techalerts/TA09-218A.html US Government Resource
http://www.vupen.com/english/advisories/2008/0915
http://www.vupen.com/english/advisories/2008/2557
http://www.vupen.com/english/advisories/2009/2172
https://bugs.gentoo.org/attachment.cgi?id=146488&action=view
https://exchange.xforce.ibmcloud.com/vulnerabilities/41249
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10067
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6467
https://usn.ubuntu.com/590-1/
https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00165.html
https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00225.html
cvelogic Threat Intelligence