Date: Sun, 05 Aug 2018 21:36:09 +0800 From: Ben Hutchings <ben@...adent.org.uk> To: oss-security <oss-security@...ts.openwall.com> Cc: Antonio Diaz Diaz <antonio@....org> Subject: Heap-based buffer overflow in zutils zcat A heap-based buffer overflow (CWE-122) was discovered in the zutils implementation of zcat. It is apparently possible only if the -v option, or one of the other options that implies -v, is used. This seems to have been first discovered in 2016 as a result of interaction between initramfs-tools and zutils, but was initially thought to be a bug in the gzip implementation of zcat: https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1507443 https://bugs.debian.org/815915 It was eventually reported to the zutils upstream developer (Antonio Diaz Diaz, cc'd) in the last few weeks and was fixed in version 1.8-pre2. This was announced in: https://lists.nongnu.org/archive/html/zutils-bug/2018-08/msg00000.html I will request a CVE ID for this. Ben. -- Ben Hutchings One of the nice things about standards is that there are so many of them. Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.