oss-sec mailing list archives
Re: CVE Request: Info-ZIP unzip 6.0
From: cve-assign () mitre org
Date: Thu, 22 Jan 2015 09:51:40 -0500 (EST)
OOB access (both read and write) issues exist in test_compr_eb (extract.c) that can result in application crash or other unspecified impact. This vulnerability can be triggered via crafted zip archives with extra fields that advertise STORED method compression (i.e. no compression) and have uncompressed field sizes smaller than the corresponding compressed field sizes. This issue is different from CVE-2014-8140 [1]. Please allocate a CVE identifier for this vulnerability. --mancha Timeline: 2014-10-24: Crasher bundled in afl 2014-11-02: Existence of crasher shared on OSS-SEC [2] 2014-11-03: Crasher analyzed and fix developed [3] 2014-11-03: Maintainer contacted [4] 2014-12-22: CVE requested ---- [1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8140 [2] http://seclists.org/oss-sec/2014/q4/489 [3] http://seclists.org/oss-sec/2014/q4/507 [4] http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
Use CVE-2014-9636. --- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Current thread:
- Re: CVE Request: Info-ZIP unzip 6.0 mancha (Jan 20)
- Re: CVE Request: Info-ZIP unzip 6.0 cve-assign (Jan 22)
- <Possible follow-ups>
- Re: CVE Request: Info-ZIP unzip 6.0 Tomas Hoger (Feb 10)
- Re: CVE Request: Info-ZIP unzip 6.0 mancha (Feb 11)
- Re: CVE Request: Info-ZIP unzip 6.0 Steven M. Schweda (Feb 10)
- Re: CVE Request: Info-ZIP unzip 6.0 Steven M. Schweda (Feb 11)