CERT home
vulnerabilities & fixesevaluations & practicesresearch & analysistraining & education
homesearchFAQsite indexcontact
Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information
 

 View Notes By
Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric

Vulnerability Note VU#383779

ZIP archives containing files with large filenames can cause buffer overflows

Overview

Multiple file decompression utilities contain buffer overflow vulnerabilities for which the impacts vary.

I. Description

Researchers at Rapid7, Inc. have discovered that multiple file decompression utilities are susceptible to buffer overflows as a result of large filenames embedded in crafted ZIP archive files. When affected users attempt to decompress these ZIP files, the buffer overflow may result in execution of arbitrary code.

II. Impact

The impact of this vulnerability may vary depending upon the product and its execution environment. Typically, successful exploitation of a buffer overflow will allow the attacker to execute arbitrary code with the privileges of the user running the application.

III. Solution

Apply a patch

The vendor section of this document lists vendors who have been notified of this issue and their responses.

Systems Affected

VendorStatusDate Updated
3ComUnknown2-Oct-2002
Aladdin Systems Inc.Vulnerable2-Oct-2002
AlcatelUnknown2-Oct-2002
Apple Computer Inc.Vulnerable2-Oct-2002
BSDIUnknown2-Oct-2002
Cisco Systems Inc.Unknown2-Oct-2002
Compaq Computer CorporationUnknown2-Oct-2002
Computer AssociatesUnknown2-Oct-2002
ConectivaUnknown2-Oct-2002
Cray Inc.Not Vulnerable2-Oct-2002
Data GeneralUnknown2-Oct-2002
DebianUnknown2-Oct-2002
F5 NetworksUnknown2-Oct-2002
FreeBSDUnknown2-Oct-2002
FujitsuNot Vulnerable2-Oct-2002
Guardian Digital Inc. Unknown2-Oct-2002
Hewlett-Packard CompanyUnknown2-Oct-2002
IBMNot Vulnerable8-Oct-2002
IntelUnknown2-Oct-2002
Internet Security Systems Inc.Unknown8-Oct-2002
Juniper NetworksNot Vulnerable24-Oct-2002
LachmanUnknown2-Oct-2002
Lotus Development CorporationVulnerable24-Oct-2002
LucentUnknown2-Oct-2002
MandrakeSoftUnknown2-Oct-2002
Microsoft CorporationVulnerable4-Oct-2002
MontaVista Software Unknown2-Oct-2002
MultinetUnknown2-Oct-2002
NEC CorporationNot Vulnerable2-Oct-2002
NetBSDUnknown2-Oct-2002
Network ApplianceNot Vulnerable2-Oct-2002
Nortel NetworksUnknown2-Oct-2002
OpenBSDUnknown2-Oct-2002
Openwall GNU/*/Linux Not Vulnerable4-Oct-2002
OracleUnknown2-Oct-2002
Red Hat Inc.Unknown2-Oct-2002
SequentUnknown2-Oct-2002
SGIUnknown2-Oct-2002
Sony CorporationUnknown2-Oct-2002
Sun Microsystems Inc.Not Vulnerable2-Oct-2002
SuSE Inc.Unknown2-Oct-2002
SymantecUnknown24-Oct-2002
The SCO Group (SCO Linux)Not Vulnerable2-Oct-2002
The SCO Group (SCO UnixWare)Not Vulnerable2-Oct-2002
UnisysUnknown2-Oct-2002
Wind River Systems Inc.Unknown2-Oct-2002
WinZipNot Vulnerable2-Oct-2002
WirexUnknown2-Oct-2002
XeroxNot Vulnerable10-Dec-2002
zlib.orgUnknown2-Oct-2002

References


http://www.rapid7.com/advisories/R7-0004.txt

Credit

This vulnerability was reported to the CERT/CC by Rapid7, Inc.

This document was written by Jeffrey P. Lanza.

Other Information

Date Public10/02/2002
Date First Published10/02/2002 04:06:40 PM
Date Last Updated01/06/2003
CERT Advisory 
CVE NameCAN-2002-0370
Metric20.25
Document Revision22

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Copyright 2002 Carnegie Mellon University