Date: Tue, 15 Sep 2015 18:03:57 +0200
From: Stefan Cornelius <scorneli@...hat.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Heap overflow and DoS in unzip 6.0

On Mon, 7 Sep 2015 08:57:20 -0300
Gustavo Grieco <gustavo.grieco@...il.com> wrote:

> Hello,
>
> Two issues were found in unzip 6.0:
>
> * A heap overflow triggered by unzipping a file with a password (e.g.
>   unzip -p -P x sigsegv.zip)
> * A denial of service with a file that never finishes unzipping
>   (e.g. unzip sigxcpu.zip).
>
> Upstream is notified. Nevertheless, the test cases as well as the
> valgrind and the address sanitizer reports of the heap overflow case
> are attached (as a single file) in case someone wants to provide some
> feedback. These issues were found with QuickFuzz.
>
> Regards,
> Gustavo.

Can CVEs be assigned?

Thanks in advance,
--
Stefan Cornelius / Red Hat Product Security