CVE-2020-25467: 
Linux Debian vulnerability analysis and mitigation

A null pointer dereference vulnerability was discovered in the lzodecompressbuf function within stream.c of Irzip version 0.621. This vulnerability was assigned CVE-2020-25467 and was publicly disclosed on June 10, 2021. The vulnerability affects the lrzip compression utility and its implementations across various Linux distributions (NVD, CVE).

The vulnerability is classified as a NULL Pointer Dereference (CWE-476) with a CVSS v3.1 Base Score of 5.5 (Medium). The attack vector is Local (L), requiring low attack complexity (L) with no privileges required (N), but user interaction is required (R). The scope is unchanged (U), with no impact on confidentiality (N) or integrity (N), but high impact on availability (H). The complete vector string is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability allows an attacker to cause a denial of service (DOS) via a crafted compressed file. The impact primarily affects system availability, as the null pointer dereference can cause the application to crash (Debian LTS).

Multiple Linux distributions have released patches to address this vulnerability. Ubuntu has fixed the issue in versions 0.631+git180528-1+deb10u1build0.20.04.1 for 20.04 LTS and 0.631-1+deb9u3build0.18.04.1 for 18.04 LTS. Debian has addressed the vulnerability in version 0.631-1+deb9u2 for Debian 9 stretch (Ubuntu Security, Debian LTS).