Date: Sun, 05 Aug 2018 21:36:09 +0800
From: Ben Hutchings <>
To: oss-security <>
Cc: Antonio Diaz Diaz <>
Subject: Heap-based buffer overflow in zutils zcat

A heap-based buffer overflow (CWE-122) was discovered in the zutils
implementation of zcat.  It is apparently possible only if the -v
option, or one of the other options that implies -v, is used.

This seems to have been first discovered in 2016 as a result of
interaction between initramfs-tools and zutils, but was initially
thought to be a bug in the gzip implementation of zcat:

It was eventually reported to the zutils upstream developer (Antonio
Diaz Diaz, cc'd) in the last few weeks and was fixed in version
1.8-pre2.  This was announced in:

I will request a CVE ID for this.


Ben Hutchings
One of the nice things about standards is that
there are so many of them.
