Vulnerability Note VU#383779
ZIP archives containing files with large filenames can cause buffer overflows
Overview
Multiple file decompression utilities contain buffer overflow vulnerabilities for which the impacts vary.
Description
Researchers at Rapid7, Inc. have discovered that multiple file decompression utilities are susceptible to buffer overflows as a result of large filenames embedded in crafted ZIP archive files. When affected users attempt to decompress these ZIP files, the buffer overflow may result in execution of arbitrary code.
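A pre-extraction check for the condition described above, as an added example that is not part of the original note or any vendor's code: it reads the 16-bit filename-length field in each ZIP local and central directory header and reports entries above a limit. The 255-byte limit and the function names are assumptions, and the sample archives are constructed in memory.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # central directory file header signature
MAX_NAME = 255               # assumed policy limit, not taken from the advisory


def oversized_names(data: bytes, limit: int = MAX_NAME):
    """Return (offset, kind, declared_length) for every header whose
    filename-length field exceeds `limit` or points past the end of the data.

    Headers are found by signature scan, so bytes inside compressed data that
    happen to match a signature can produce false positives; treat a hit as a
    reason to quarantine the archive, not as proof of malice.
    """
    findings = []
    # (signature, label, offset of filename-length field, fixed header size)
    layouts = ((LOCAL_SIG, "local", 26, 30), (CENTRAL_SIG, "central", 28, 46))
    for sig, kind, len_off, fixed in layouts:
        pos = data.find(sig)
        while pos != -1:
            if pos + fixed > len(data):
                findings.append((pos, kind, None))  # header itself is truncated
            else:
                (name_len,) = struct.unpack_from("<H", data, pos + len_off)
                if name_len > limit or pos + fixed + name_len > len(data):
                    findings.append((pos, kind, name_len))
            pos = data.find(sig, pos + 4)
    return sorted(findings, key=lambda f: f[0])


def build_sample(name: str) -> bytes:
    """Constructed test archive holding one stored one-byte member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"x")
    return buf.getvalue()


if __name__ == "__main__":
    for label, name in (("normal", "readme.txt"), ("long", "A" * 1000)):
        print(label, oversized_names(build_sample(name)))
```

The check runs on the raw bytes before any decompression library touches the file, so it can sit in a mail gateway or upload handler in front of an unpatched extractor.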
Impact
The impact of this vulnerability may vary depending upon the product and its execution environment. Typically, successful exploitation of a buffer overflow will allow the attacker to execute arbitrary code with the privileges of the user running the application.
Solution
Apply a patch
The vendor section of this document lists vendors who have been notified of this issue and their responses.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Aladdin Systems Inc. | Affected | 30 Sep 2002 | 02 Oct 2002 |
| Apple Computer Inc. | Affected | 16 Jul 2002 | 02 Oct 2002 |
| Lotus Development Corporation | Affected | 16 Jul 2002 | 24 Oct 2002 |
| Microsoft Corporation | Affected | 09 Jul 2002 | 04 Oct 2002 |
| Cray Inc. | Not Affected | 16 Jul 2002 | 02 Oct 2002 |
| Fujitsu | Not Affected | 16 Jul 2002 | 02 Oct 2002 |
| IBM | Not Affected | 16 Jul 2002 | 08 Oct 2002 |
| Juniper Networks | Not Affected | 16 Jul 2002 | 24 Oct 2002 |
| NEC Corporation | Not Affected | 16 Jul 2002 | 02 Oct 2002 |
| Network Appliance | Not Affected | 16 Jul 2002 | 02 Oct 2002 |
| Openwall GNU/*/Linux | Not Affected | 13 Sep 2002 | 04 Oct 2002 |
| Sun Microsystems Inc. | Not Affected | 16 Jul 2002 | 02 Oct 2002 |
| The SCO Group (SCO Linux) | Not Affected | 16 Jul 2002 | 02 Oct 2002 |
| The SCO Group (SCO UnixWare) | Not Affected | 16 Jul 2002 | 02 Oct 2002 |
| WinZip | Not Affected | 26 Sep 2002 | 02 Oct 2002 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
Credit
This vulnerability was reported to the CERT/CC by Rapid7, Inc.
This document was written by Jeffrey P. Lanza.
Other Information
- CVE IDs: CAN-2002-0370
- Date Public: 02 Oct 2002
- Date First Published: 02 Oct 2002
- Date Last Updated: 06 Jan 2003
- Severity Metric: 20.25
- Document Revision: 22