Date: Wed, 22 Aug 2018 20:11:00 +0100 From: Ben Hutchings <ben@...adent.org.uk> To: oss-security <oss-security@...ts.openwall.com> Cc: Antonio Diaz Diaz <antonio@....org> Subject: Re: Heap-based buffer overflow in zutils zcat On Sun, 2018-08-05 at 21:36 +0800, Ben Hutchings wrote: > A heap-based buffer overflow (CWE-122) was discovered in the zutils > implementation of zcat. It is apparently possible only if the -v > option, or one of the other options that implies -v, is used. > > This seems to have been first discovered in 2016 as a result of > interaction between initramfs-tools and zutils, but was initially > thought to be a bug in the gzip implementation of zcat: > https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1507443 > https://bugs.debian.org/815915 > > It was eventually reported to the zutils upstream developer (Antonio > Diaz Diaz, cc'd) in the last few weeks and was fixed in version > 1.8-pre2. This was announced in: > https://lists.nongnu.org/archive/html/zutils-bug/2018-08/msg00000.html > > I will request a CVE ID for this. This has been designated as CVE-2018-1000637. Ben. -- Ben Hutchings You can't have everything. Where would you put it? Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.