Date: Tue, 20 Jan 2015 18:08:34 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE Request: Info-ZIP unzip 6.0

On Mon, Dec 22, 2014 at 06:14:58PM +0000, mancha wrote:
> Hello.
> 
> OOB access (both read and write) issues exist in test_compr_eb
> (extract.c) that can result in application crash or other unspecified
> impact.
> 
> This vulnerability can be triggered via crafted zip archives with extra
> fields that advertise STORED method compression (i.e. no compression)
> and have uncompressed field sizes smaller than the corresponding
> compressed field sizes.
> 
> This issue is different from CVE-2014-8140 [1].
> 
> Please allocate a CVE identifier for this vulnerability.
> 
> --mancha
> 
> 
> Timeline:
> 
> 2014-10-24: Crasher bundled in afl
> 2014-11-02: Existence of crasher shared on OSS-SEC [2]
> 2014-11-03: Crasher analyzed and fix developed [3]
> 2014-11-03: Maintainer contacted [4]
> 2014-12-22: CVE requested
> 
> ----
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8140
> [2] http://seclists.org/oss-sec/2014/q4/489
> [3] http://seclists.org/oss-sec/2014/q4/507
> [4] http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450


Hello MITRE.

This request seems to have fallen through the cracks. Please advise on
its status.

Many thanks.

--mancha
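
As an added illustration, not code from the message above or from Info-ZIP unzip, here is the size-consistency check a parser of "compressed" extra-field records needs for the STORED case the request describes: the advertised uncompressed size must match the actual payload length, otherwise a copy sized from one and bounded by the other reads or writes out of bounds. The record layout, the constants EB_HEADSIZE and EB_CMPRHEADLEN, the status codes and the helper names are all assumptions for this example (method value 0 meaning STORED follows general zip convention, but the structure is not a claim about unzip's own extract.c).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical layout of one "compressed" extra-field record (an assumption
 * for this example, not Info-ZIP's actual structure):
 *   [0..1]  header id, little endian (arbitrary here)
 *   [2..3]  data size, little endian: number of bytes following these four
 *   [4..7]  advertised uncompressed size of the payload
 *   [8..9]  compression method, 0 = STORED (payload is a verbatim copy)
 *   [10..]  payload, (data size - EB_CMPRHEADLEN) bytes
 */
#define EB_HEADSIZE    4
#define EB_CMPRHEADLEN 6
#define METHOD_STORED  0

enum eb_status { EB_OK, EB_TRUNCATED, EB_UNSUPPORTED, EB_SIZE_MISMATCH, EB_NOMEM };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v & 0xffff)); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Decode one STORED record into a freshly allocated buffer of exactly ucsize bytes.
 * eb_total is the number of bytes actually available at eb. */
static enum eb_status decode_stored_eb(const uint8_t *eb, size_t eb_total,
                                       uint8_t **out, uint32_t *out_len)
{
    *out = NULL; *out_len = 0;
    if (eb_total < EB_HEADSIZE + EB_CMPRHEADLEN) return EB_TRUNCATED;
    uint16_t eb_size = rd16(eb + 2);
    if (eb_size < EB_CMPRHEADLEN) return EB_TRUNCATED;
    if ((size_t)eb_size + EB_HEADSIZE > eb_total) return EB_TRUNCATED; /* advertised size exceeds buffer */

    uint32_t ucsize    = rd32(eb + EB_HEADSIZE);
    uint16_t method    = rd16(eb + EB_HEADSIZE + 4);
    uint32_t cmpr_size = (uint32_t)eb_size - EB_CMPRHEADLEN;
    if (method != METHOD_STORED) return EB_UNSUPPORTED;

    /* The check that matters for this bug class. A STORED payload is copied
     * verbatim, so the advertised uncompressed size and the real payload length
     * must agree. A decoder that sizes its destination from ucsize but copies
     * cmpr_size bytes overflows the heap buffer when ucsize < cmpr_size and
     * reads past the record when ucsize > cmpr_size. */
    if (cmpr_size != ucsize) return EB_SIZE_MISMATCH;

    uint8_t *buf = malloc(ucsize ? ucsize : 1);
    if (!buf) return EB_NOMEM;
    memcpy(buf, eb + EB_HEADSIZE + EB_CMPRHEADLEN, ucsize);
    *out = buf; *out_len = ucsize;
    return EB_OK;
}

/* Build a STORED record. advertised_ucsize is written as given, so a caller can
 * construct a malformed record on purpose. Returns bytes written, 0 on failure. */
static size_t build_stored_eb(uint8_t *out, size_t out_cap, uint16_t id,
                              uint32_t advertised_ucsize,
                              const uint8_t *payload, uint16_t payload_len)
{
    if (payload_len > 0xffff - EB_CMPRHEADLEN) return 0;      /* would not fit a 16-bit data size */
    size_t total = EB_HEADSIZE + EB_CMPRHEADLEN + (size_t)payload_len;
    if (total > out_cap) return 0;
    wr16(out, id);
    wr16(out + 2, (uint16_t)(EB_CMPRHEADLEN + payload_len));
    wr32(out + 4, advertised_ucsize);
    wr16(out + 8, METHOD_STORED);
    memcpy(out + EB_HEADSIZE + EB_CMPRHEADLEN, payload, payload_len);
    return total;
}

int main(void)
{
    static const uint8_t payload[] = "crafted-payload";  /* constructed sample data, 15 bytes */
    uint8_t rec[64]; uint8_t *buf; uint32_t len;

    /* Well-formed: ucsize equals the payload length. */
    size_t n = build_stored_eb(rec, sizeof rec, 0x0001, sizeof payload - 1, payload, sizeof payload - 1);
    printf("well-formed record: status %d\n", decode_stored_eb(rec, n, &buf, &len));
    free(buf);

    /* Crafted: ucsize (4) is smaller than the 15-byte STORED payload. */
    n = build_stored_eb(rec, sizeof rec, 0x0001, 4, payload, sizeof payload - 1);
    printf("crafted record:     status %d\n", decode_stored_eb(rec, n, &buf, &len));
    free(buf);  /* NULL on failure, so this is safe */
    return 0;
}
```

The same mismatch check rejects the opposite direction too (ucsize larger than the payload), which is the over-read half of the report; a decoder that only clamps the copy to the smaller of the two values silences the crash but still accepts a record whose header lies about itself.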
