Vulnerability Note VU#383779

ZIP archives containing files with large filenames can cause buffer overflows

Original Release date: 02 Oct 2002 | Last revised: 06 Jan 2003

Overview

Multiple file decompression utilities contain buffer overflow vulnerabilities for which the impacts vary.

Description

Researchers at Rapid7, Inc. have discovered that multiple file decompression utilities are susceptible to buffer overflows as a result of large filenames embedded in crafted ZIP archive files. When affected users attempt to decompress these ZIP files, the buffer overflow may result in execution of arbitrary code.

Impact

The impact of this vulnerability may vary depending upon the product and its execution environment. Typically, successful exploitation of a buffer overflow will allow the attacker to execute arbitrary code with the privileges of the user running the application.

Solution

Apply a patch

The vendor section of this document lists vendors who have been notified of this issue and their responses.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Aladdin Systems Inc.Affected30 Sep 200202 Oct 2002
Apple Computer Inc.Affected16 Jul 200202 Oct 2002
Lotus Development CorporationAffected16 Jul 200224 Oct 2002
Microsoft CorporationAffected09 Jul 200204 Oct 2002
Cray Inc.Not Affected16 Jul 200202 Oct 2002
FujitsuNot Affected16 Jul 200202 Oct 2002
IBMNot Affected16 Jul 200208 Oct 2002
Juniper NetworksNot Affected16 Jul 200224 Oct 2002
NEC CorporationNot Affected16 Jul 200202 Oct 2002
Network ApplianceNot Affected16 Jul 200202 Oct 2002
Openwall GNU/*/Linux Not Affected13 Sep 200204 Oct 2002
Sun Microsystems Inc.Not Affected16 Jul 200202 Oct 2002
The SCO Group (SCO Linux)Not Affected16 Jul 200202 Oct 2002
The SCO Group (SCO UnixWare)Not Affected16 Jul 200202 Oct 2002
WinZipNot Affected26 Sep 200202 Oct 2002
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was reported to the CERT/CC by Rapid7, Inc.

This document was written by Jeffrey P. Lanza.

Other Information

  • CVE IDs: CAN-2002-0370
  • Date Public: 02 Oct 2002
  • Date First Published: 02 Oct 2002
  • Date Last Updated: 06 Jan 2003
  • Severity Metric: 20.25
  • Document Revision: 22

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.