Date: Tue, 20 Jan 2015 18:08:34 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE Request: Info-ZIP unzip 6.0

On Mon, Dec 22, 2014 at 06:14:58PM +0000, mancha wrote:
> Hello.
>
> OOB access (both read and write) issues exist in test_compr_eb
> (extract.c) that can result in application crash or other unspecified
> impact.
>
> This vulnerability can be triggered via crafted zip archives with extra
> fields that advertise STORED method compression (i.e. no compression)
> and have uncompressed field sizes smaller than the corresponding
> compressed field sizes.
>
> This issue is different from CVE-2014-8140.
>
> Please allocate a CVE identifier for this vulnerability.
>
> --mancha
>
>
> Timeline:
>
> 2014-10-24: Crasher bundled in afl
> 2014-11-02: Existence of crasher shared on OSS-SEC
> 2014-11-03: Crasher analyzed and fix developed
> 2014-11-03: Maintainer contacted
> 2014-12-22: CVE requested
>
> ----
>  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8140
>  http://seclists.org/oss-sec/2014/q4/489
>  http://seclists.org/oss-sec/2014/q4/507
>  http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450

Hello MITRE.

This request seems to have fallen through the cracks. Please advise on
its status.

Many thanks.

--mancha

Content of type "application/pgp-signature" skipped
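The trigger condition described in the quoted request (an extra-field block that says STORED, i.e. no compression, yet advertises an uncompressed size smaller than the compressed payload that is actually present) is the kind of size inconsistency a parser must reject before it copies anything. The block below is an added example written for this page, not code from Info-ZIP's extract.c or from the poster; the block layout (16-bit ID and length, then a 32-bit uncompressed size and a 16-bit method ahead of the payload), the offset macros, the function names and the sample blocks are all assumptions constructed for illustration. It validates one block with the bounds of the buffer it lives in, refuses a STORED block whose two sizes disagree, and only then allocates the advertised size and copies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed block layout (a model for this example, not Info-ZIP's own
 * structure definitions), all fields little-endian:
 *   offset 0:  u16 header ID
 *   offset 2:  u16 data length (bytes following this 4-byte header)
 *   offset 4:  u32 uncompressed size of the field payload (ucsize)
 *   offset 8:  u16 compression method (0 = STORED)
 *   offset 10: payload (data length - 6 bytes, the "compressed" size)
 */
#define EB_HEADSIZE    4
#define EB_UCSIZE_OFF  4
#define EB_METHOD_OFF  8
#define EB_CMPRHEADLEN 6          /* ucsize + method, counted inside data length */
#define METHOD_STORED  0

enum eb_status { EB_OK = 0, EB_TRUNC = 1, EB_SIZE_MISMATCH = 2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate one block before anything is read past the header or copied.
 * `avail` is the number of bytes really present in memory from `eb`. */
enum eb_status check_compr_eb(const uint8_t *eb, size_t avail)
{
    if (avail < EB_HEADSIZE)
        return EB_TRUNC;
    uint16_t eb_len = rd16(eb + 2);
    if (eb_len < EB_CMPRHEADLEN || (size_t)eb_len + EB_HEADSIZE > avail)
        return EB_TRUNC;                   /* size fields or payload missing */
    uint32_t ucsize = rd32(eb + EB_UCSIZE_OFF);
    uint16_t method = rd16(eb + EB_METHOD_OFF);
    size_t csize = (size_t)eb_len - EB_CMPRHEADLEN;   /* payload bytes present */
    /* STORED means "not compressed", so both sizes must agree. A smaller
     * ucsize with a csize-byte copy is the overrun the request describes. */
    if (method == METHOD_STORED && ucsize != csize)
        return EB_SIZE_MISMATCH;
    return EB_OK;
}

/* Unpack a STORED block into a fresh buffer of ucsize bytes. Returns NULL
 * with *out_len = 0 when validation fails or the block is not STORED. */
uint8_t *unpack_stored_eb(const uint8_t *eb, size_t avail, size_t *out_len)
{
    *out_len = 0;
    if (check_compr_eb(eb, avail) != EB_OK ||
        rd16(eb + EB_METHOD_OFF) != METHOD_STORED)
        return NULL;
    size_t ucsize = rd32(eb + EB_UCSIZE_OFF);      /* equals csize after the check */
    uint8_t *out = malloc(ucsize ? ucsize : 1);
    if (out == NULL)
        return NULL;
    memcpy(out, eb + EB_HEADSIZE + EB_CMPRHEADLEN, ucsize);
    *out_len = ucsize;
    return out;
}

/* Helper for checking results: 1 if the block unpacks to exactly `expect`. */
int unpack_matches(const uint8_t *eb, size_t avail, const char *expect, size_t n)
{
    size_t len = 0;
    uint8_t *p = unpack_stored_eb(eb, avail, &len);
    int ok = (p != NULL) && len == n && memcmp(p, expect, n) == 0;
    free(p);
    return ok;
}

/* Constructed sample blocks (not taken from any real archive). */
/* Consistent block: STORED, ucsize 4, and 4 payload bytes present. */
const uint8_t SAMPLE_GOOD[] = {
    0x09, 0x00, 0x0a, 0x00,        /* header ID, data length = 10 */
    0x04, 0x00, 0x00, 0x00,        /* ucsize = 4 */
    0x00, 0x00,                    /* method = STORED */
    'a', 'b', 'c', 'd' };
/* Inconsistent block of the kind described in the post: STORED, but the
 * advertised ucsize (2) is smaller than the 8 payload bytes present. */
const uint8_t SAMPLE_BAD[] = {
    0x09, 0x00, 0x0e, 0x00,        /* header ID, data length = 14 */
    0x02, 0x00, 0x00, 0x00,        /* ucsize = 2 */
    0x00, 0x00,                    /* method = STORED */
    1, 2, 3, 4, 5, 6, 7, 8 };

int main(void)
{
    printf("good block: status %d\n", check_compr_eb(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("bad block:  status %d\n", check_compr_eb(SAMPLE_BAD, sizeof SAMPLE_BAD));
    printf("good block, only 10 bytes in memory: status %d\n",
           check_compr_eb(SAMPLE_GOOD, 10));
    return 0;
}
```

The important ordering is that `check_compr_eb` runs against the bytes actually in memory (`avail`), not against the block's own length field, and that the STORED size comparison happens before `malloc`/`memcpy`: a copy sized by csize into a buffer sized by ucsize is exactly the write past the end that the request reports, and a block whose declared length exceeds the buffer gives the matching out-of-bounds read.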