Date: Tue, 20 Jan 2015 18:08:34 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE Request: Info-ZIP unzip 6.0

On Mon, Dec 22, 2014 at 06:14:58PM +0000, mancha wrote:
> Hello.
> 
> OOB access (both read and write) issues exist in test_compr_eb
> (extract.c) that can result in application crash or other unspecified
> impact.
> 
> This vulnerability can be triggered via crafted zip archives with extra
> fields that advertise STORED method compression (i.e. no compression)
> and have uncompressed field sizes smaller than the corresponding
> compressed field sizes.
> 
> This issue is different from CVE-2014-8140 [1].
> 
> Please allocate a CVE identifier for this vulnerability.
> 
> --mancha
> 
> 
> Timeline:
> 
> 2014-10-24: Crasher bundled in afl
> 2014-11-02: Existence of crasher shared on OSS-SEC [2]
> 2014-11-03: Crasher analyzed and fix developed [3]
> 2014-11-03: Maintainer contacted [4]
> 2014-12-22: CVE requested
> 
> ----
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8140
> [2] http://seclists.org/oss-sec/2014/q4/489
> [3] http://seclists.org/oss-sec/2014/q4/507
> [4] http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450


Hello MITRE.

This request seems to have fallen through the cracks. Please advise on
its status.

Many thanks.

--mancha
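The condition described in the quoted request, an extra-field block that advertises STORED (method 0) while its declared uncompressed size disagrees with the compressed payload actually present, is easy to check for before an archive reaches an extractor. The following is an added example, not code from mancha, Info-ZIP, or the unzip source. It assumes a simplified layout for a "compressed" extra-field block (2-byte LE header id, 2-byte LE data length, then a 4-byte LE uncompressed size, a 2-byte LE method, and the payload) and uses 0x0009 as the id of a block that carries such a compression header; the sample bytes are constructed here for the test. It also flags blocks truncated by their own length field, since the same code path is where a consumer would otherwise read past the buffer.

```python
import struct
from typing import Iterator, List, Optional, Set, Tuple

STORED = 0                            # zip method 0: data stored uncompressed
EF_HEADER = struct.Struct("<HH")      # extra-field block header: id, data length
CMPR_HEADER = struct.Struct("<IH")    # assumed layout: uncompressed size, method
COMPRESSED_IDS: Set[int] = {0x0009}   # assumed: ids whose data starts with CMPR_HEADER


def iter_extra_fields(blob: bytes) -> Iterator[Tuple[int, Optional[bytes]]]:
    """Walk the blocks of a zip extra field.

    Yields (header_id, data). If a block's length field runs past the end of
    the extra field, yields (header_id, None) and stops: that is the truncation
    a consumer must not read through.
    """
    pos = 0
    while pos + EF_HEADER.size <= len(blob):
        hid, dlen = EF_HEADER.unpack_from(blob, pos)
        pos += EF_HEADER.size
        if pos + dlen > len(blob):
            yield hid, None
            return
        yield hid, blob[pos:pos + dlen]
        pos += dlen


def check_compressed_extra_fields(blob: bytes,
                                  compressed_ids: Set[int] = COMPRESSED_IDS) -> List[str]:
    """Return one finding per inconsistent block; an empty list means the
    extra field is internally consistent under the assumed layout."""
    findings: List[str] = []
    for hid, data in iter_extra_fields(blob):
        if data is None:
            findings.append(f"0x{hid:04x}: block length exceeds extra field")
            continue
        if hid not in compressed_ids:
            continue                       # no compression header to validate
        if len(data) < CMPR_HEADER.size:
            findings.append(f"0x{hid:04x}: block too short for a compression header")
            continue
        ucsize, method = CMPR_HEADER.unpack_from(data, 0)
        payload = len(data) - CMPR_HEADER.size
        # For STORED the payload is the uncompressed data, so the two sizes
        # must agree. The case in the request is ucsize < payload; a larger
        # ucsize is flagged as well because a consumer sizing its output
        # buffer from ucsize would over-read the payload.
        if method == STORED and ucsize != payload:
            findings.append(f"0x{hid:04x}: STORED block declares uncompressed size "
                            f"{ucsize} but carries {payload} payload bytes")
    return findings


def make_block(hid: int, data: bytes) -> bytes:
    """Build one extra-field block (constructed test data helper)."""
    return EF_HEADER.pack(hid, len(data)) + data


# Constructed samples: a consistent STORED block, and one whose declared
# uncompressed size (2) is smaller than its 6-byte stored payload.
SAMPLE_OK = make_block(0x0009, CMPR_HEADER.pack(4, STORED) + b"abcd")
SAMPLE_BAD = make_block(0x0009, CMPR_HEADER.pack(2, STORED) + b"abcdef")
# An unrelated block (id 0x5455, extended timestamp) placed first, to show
# that blocks without a compression header are skipped rather than misparsed.
SAMPLE_MIXED = make_block(0x5455, b"\x03\x00\x00\x00\x00") + SAMPLE_OK + SAMPLE_BAD

if __name__ == "__main__":
    for name, blob in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD), ("mixed", SAMPLE_MIXED)):
        print(name, check_compressed_extra_fields(blob) or "consistent")
```

Run over the extra field of each local and central header, the check reports the offending header id so the archive can be quarantined or logged before any extractor touches it.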
