oss-sec mailing list archives
Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary
From: Thomas Klausner <tk () giga or at>
Date: Mon, 23 Mar 2015 22:45:12 +0100
On Thu, Mar 19, 2015 at 08:31:14AM +1300, Emmanuel Law wrote:
Yup we realised that and notified libzip. On 19/03/2015 8:05 am, "Timo Warns" <Timo.Warns () gmail com> wrote:On 2015-03-18, Emmanuel Law wrote:found an integer overflow in PHP. When processing a malform zip file with many entires, it leads to a heap overflow. Affected Version <= PHP 5.6.6 Bug Report: https://bugs.php.net/bug.php?id=69253 Patch:https://github.com/php/php-src/commit/ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 This looks like it may also affect libzip upstream (http://hg.nih.at/libzip/file/fa78ab51417f/lib/zip_dirent.c) Was upstream (in copy) informed about the issue?
We have since fixed this: http://hg.nih.at/libzip/rev/9f11d54f692e Thanks! Thomas
Current thread:
- CVE Request: ZIP Integer Overflow leads to writing past heap boundary Emmanuel Law (Mar 18)
- Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary cve-assign (Mar 18)
- Re: Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary Timo Warns (Mar 18)
- Re: Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary Emmanuel Law (Mar 18)
- Re: Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary Timo Warns (Mar 18)
- Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary Timo Warns (Mar 18)
- Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary Emmanuel Law (Mar 18)
- Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary Thomas Klausner (Mar 23)
- Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary Emmanuel Law (Mar 18)
- Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary cve-assign (Mar 18)