Date: Thu, 22 Jan 2015 09:51:40 -0500 (EST)
From: cve-assign@...re.org
To: mancha <mancha1@...o.com>
cc: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: CVE Request: Info-ZIP unzip 6.0

>> OOB access (both read and write) issues exist in test_compr_eb
>> (extract.c) that can result in application crash or other unspecified
>> impact.
>>
>> This vulnerability can be triggered via crafted zip archives with extra
>> fields that advertise STORED method compression (i.e. no compression)
>> and have uncompressed field sizes smaller than the corresponding
>> compressed field sizes.
>>
>> This issue is different from CVE-2014-8140.
>>
>> Please allocate a CVE identifier for this vulnerability.
>>
>> --mancha
>>
>>
>> Timeline:
>>
>> 2014-10-24: Crasher bundled in afl
>> 2014-11-02: Existence of crasher shared on OSS-SEC
>> 2014-11-03: Crasher analyzed and fix developed
>> 2014-11-03: Maintainer contacted
>> 2014-12-22: CVE requested
>>
>> ----
>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8140
>> http://seclists.org/oss-sec/2014/q4/489
>> http://seclists.org/oss-sec/2014/q4/507
>> http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450

Use CVE-2014-9636.

---
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
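
The size-consistency check implied by the report above, as an added example that is not part of the original message and is not Info-ZIP's code: a validator that rejects an extra-field block advertising STORED data when the advertised uncompressed size differs from the stored length. The block layout, the names (check_eb, EB_*) and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed, simplified block layout (illustrative, not taken from unzip):
 *   0-1 block ID | 2-3 payload length | 4-7 advertised uncompressed size
 *   8-9 compression method (0 = STORED) | 10.. field data
 * All integers are little-endian. */
#define EB_HDR        4u   /* ID + payload length */
#define EB_PREFIX     6u   /* uncompressed size + method */
#define METHOD_STORED 0u

enum eb_status { EB_OK, EB_TRUNCATED, EB_SIZE_MISMATCH };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return (uint32_t)le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Validate one block before any data is copied out of it. */
enum eb_status check_eb(const uint8_t *eb, size_t avail)
{
    if (avail < EB_HDR) return EB_TRUNCATED;
    size_t payload = le16(eb + 2);
    if (payload > avail - EB_HDR || payload < EB_PREFIX) return EB_TRUNCATED;

    uint32_t ucsize = le32(eb + EB_HDR);
    uint16_t method = le16(eb + EB_HDR + 4);
    size_t data_len = payload - EB_PREFIX;

    /* STORED is a byte-for-byte copy, so both sizes must agree. The reported
     * case (advertised size smaller than the stored data) fails this test. */
    if (method == METHOD_STORED && ucsize != data_len) return EB_SIZE_MISMATCH;
    return EB_OK;
}

/* Constructed samples: 4 data bytes, advertised size 4 (consistent) and 2 (not). */
static const uint8_t eb_good[] = {0xFE,0xCA, 0x0A,0x00, 0x04,0,0,0, 0x00,0x00, 'd','a','t','a'};
static const uint8_t eb_bad[]  = {0xFE,0xCA, 0x0A,0x00, 0x02,0,0,0, 0x00,0x00, 'd','a','t','a'};

int main(void)
{
    printf("consistent: %d\n", check_eb(eb_good, sizeof eb_good));
    printf("mismatch:   %d\n", check_eb(eb_bad, sizeof eb_bad));
    printf("truncated:  %d\n", check_eb(eb_good, 10));
    return 0;
}
```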