search menu icon-carat-right cmu-wordmark

CERT Coordination Center

ZIP archives containing files with large filenames can cause buffer overflows

Vulnerability Note VU#383779

Original Release Date: 2002-10-02 | Last Revised: 2003-01-06

Overview

Multiple file decompression utilities contain buffer overflow vulnerabilities for which the impacts vary.

Description

Researchers at Rapid7, Inc. have discovered that multiple file decompression utilities are susceptible to buffer overflows as a result of large filenames embedded in crafted ZIP archive files. When affected users attempt to decompress these ZIP files, the buffer overflow may result in execution of arbitrary code.

Impact

The impact of this vulnerability may vary depending upon the product and its execution environment. Typically, successful exploitation of a buffer overflow will allow the attacker to execute arbitrary code with the privileges of the user running the application.

Solution

Apply a patch

The vendor section of this document lists vendors who have been notified of this issue and their responses.

Vendor Information

383779
 
Affected   Unknown   Unaffected

Aladdin Systems Inc.

Notified:  September 30, 2002 Updated:  October 02, 2002

Status

  Vulnerable

Vendor Statement

Aladdin has determined that some versions of StuffIt may be vulnerable to the issue described in this notice.

The result of our findings by platform are:

Macintosh: StuffIt 7.0 including StuffIt Expander, StuffIt Standard Edition, and StuffIt Deluxe are NOT vulnerable. Pre 7.0 versions are potentially vulnerable. We recommend users concerned with earlier versions of StuffIt update to at least version 7.0 of StuffIt Expander which is available as a free component of the StuffIt Standard Edition (trialware) at: http://www.stuffit.com/expander/cert.html.

Windows: StuffIt for Windows 7.5 may be vulnerable when opening an archive to view, but is NOT vulnerable if the archive is expanded via drag & drop or the right-click contextual menu. When available we will make more information and or upgrade links available at: http://www.stuffit.com/expander/cert.html.

Linux/Solaris: StuffIt for Linux and Solaris has been tested and is NOT vulnerable.

Current versions of StuffIt Products are always available at http://www.stuffit.com

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc.

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Vulnerable

Vendor Statement

Apple: Apple has determined that versions 6.5.2 and earlier of the Stuffit Expander utility contain the vulnerability described in this notice. Stuffit Expander is provided by Aladdin Systems and is packaged with Mac OS X.

Version 7.0 of Stuffit Expander does not contain this vulnerability, and is available as a free download from the Aladdin Systems web site at: http://www.stuffit.com/expander/cert.html

Customers should download version 7.0 of Stuffit Expander, and remove any earlier versions of Stuffit Expander from their system.

Apple has verified that other decompression utilities packaged with Mac OS X do not contain the vulnerability described in this notice.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lotus Development Corporation

Notified:  July 16, 2002 Updated:  October 24, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Lotus has published Technote 195495 to address this vulnerability. For more information, please see:

Microsoft Corporation

Notified:  July 09, 2002 Updated:  October 04, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Microsoft has published Security Bulletin MS02-054 to address this vulnerability. For more information, please see

Cray Inc.

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Not Vulnerable

Vendor Statement

Cray, Inc. is not vulnerable as the gzip included in the COS 3.0 package has the mods necessary to address this problem.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Not Vulnerable

Vendor Statement

Regarding VU#383779, Fujitsu's UXP/V o.s. is not affected. UXP/V does not support ZIP archive decompression utilities.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  July 16, 2002 Updated:  October 08, 2002

Status

  Not Vulnerable

Vendor Statement

The AIX operating system is not vulnerable to the ZIP archive exploits mentioned above through the compression/decompression utilities that ship with the base operating system.

As always, it's a good idea to list the contents of any archive file before unpacking and understand what changes may result from that action.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Juniper Networks

Notified:  July 16, 2002 Updated:  October 24, 2002

Status

  Not Vulnerable

Vendor Statement

The Juniper Networks Edge Router Division (formerly Unisphere Networks) provides no embedded or application software to handle ZIP archives.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Not Vulnerable

Vendor Statement

sent on September 24, 2002

[Server Products]

* EWS/UP 48 Series operating system
- is NOT vulnerable, since it does not support ZIP utilities.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Network Appliance

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Not Vulnerable

Vendor Statement

Netapp products are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux

Notified:  September 13, 2002 Updated:  October 04, 2002

Status

  Not Vulnerable

Vendor Statement

Openwall GNU/*/Linux is not vulnerable. We don't include ZIP decompression utilities.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc.

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Not Vulnerable

Vendor Statement

The Solaris unzip utility is not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group (SCO Linux)

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Not Vulnerable

Vendor Statement

Neither SCO Unix products, nor SCO OpenLinux products are vulnerable to this attack.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group (SCO UnixWare)

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Not Vulnerable

Vendor Statement

Neither SCO Unix products, nor SCO OpenLinux products are vulnerable to this attack.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

WinZip

Notified:  September 26, 2002 Updated:  October 02, 2002

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Xerox

Notified:  July 16, 2002 Updated:  December 10, 2002

Status

  Not Vulnerable

Vendor Statement

A response to this advisory is available from our web site: http://www.xerox.com/security.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Xerox response mentioned above can be access directly via the following URL:

3Com

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Alcatel

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BSDI

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems Inc.

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Compaq Computer Corporation

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Computer Associates

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva

Notified:  September 13, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F5 Networks

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Guardian Digital Inc.

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Intel

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Internet Security Systems Inc.

Notified:  October 07, 2002 Updated:  October 08, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lachman

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lucent

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MontaVista Software

Notified:  September 13, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Multinet

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nortel Networks

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Oracle

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc.

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Corporation

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc.

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Symantec

Notified:  October 23, 2002 Updated:  October 24, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wind River Systems Inc.

Notified:  July 17, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wirex

Notified:  October 02, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

zlib.org

Notified:  July 16, 2002 Updated:  October 02, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 50 vendors View less vendors


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

This vulnerability was reported to the CERT/CC by Rapid7, Inc.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: CVE-2002-0370
Severity Metric: 20.25
Date Public: 2002-10-02
Date First Published: 2002-10-02
Date Last Updated: 2003-01-06 21:54 UTC
Document Revision: 22

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.