Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 5 Dec 2016 16:27:38 -0600 (CST)
From: "Steven M. Schweda" <sms@...inode.info>
To: tyhicks@...onical.com, oss-security@...ts.openwall.com
Cc: security@...ntu.com, Info-ZIP-Dev@...tley.com
Subject: Re: CVE Request: Info-Zip zipinfo buffer overflow

From: Tyler Hicks <tyhicks@...onical.com>

> >    Thanks for the (thorough, helpful) report.
> 
> I appreciate it but Alexis deserves most of the credit.

   The item in the next History.610 file should resemble:

 - In ZipInfo ("-Z", /ZIPINFO) short-format ("-s", /SHORT, default)
   reports, an unexpectedly large compression method value (>999) caused
   a (mostly harmless) buffer overflow, and spoiled the report format.
   Now, values less than 1000 are displayed as before, using a
   three-digit decimal format, "uDDD", but larger values are displayed
   using a four-digit (unlabled) hexadecimal format, "XXXX".
   https://launchpad.net/bugs/1643750
   (zipinfo.c) [Alexis Vanden Eijnde, Tyler Hicks, SMS]

(Credit is cheap.)

> Thanks for the quick fix. Is there a public code repository available so
> that we can reference a specific commit that fixes this issue?

   No.  We've been thinking about it, though.

> Nope. As you probably noticed, MITRE just assigned a CVE. It likely
> helped that you confirmed the issue.

   Swell.  (One fewer thing I need to know.)

>  Thanks again!

   Same to you (plural).

------------------------------------------------------------------------

   Steven M. Schweda               sms@...inode-info

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.