Date: Tue, 15 Sep 2015 18:03:57 +0200
From: Stefan Cornelius <scorneli@...hat.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Heap overflow and DoS in unzip 6.0

On Mon, 7 Sep 2015 08:57:20 -0300
Gustavo Grieco <gustavo.grieco@...il.com> wrote:

> Hello,
> 
> Two issues were found in unzip 6.0:
> 
> * A heap overflow triggered by unzipping a file with password (e.g.
> unzip -p -P x sigsegv.zip)
> * A denial of service with a file that never finishes unzipping
> (e.g. unzip sigxcpu.zip).
> 
> Upstream is notified. Nevertheless, the test cases as well as the
> valgrind and the address sanitizer reports of the heap overflow case
> are attached (as a single file) in case someone wants to provide some
> feedback. These issues were found with QuickFuzz.
> 
> Regards,
> Gustavo.

Can CVEs be assigned?

Thanks in advance,
-- 
Stefan Cornelius / Red Hat Product Security
