
unzip: long file name buffer overflow

Package(s): unzip
CVE #(s): CVE-2005-4667
Created: February 6, 2006
Updated: May 2, 2007
Description: A buffer overflow in UnZip 5.50 and earlier allows local users to execute arbitrary code via a long filename command line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs.
Alerts:
Red Hat RHSA-2007:0203-02 2007-05-01
Fedora-Legacy FLSA:180159 2006-04-04
Debian DSA-1012-1 2006-03-21
Mandriva MDKSA-2006:050 2006-02-27
Ubuntu USN-248-2 2006-02-15
Ubuntu USN-248-1 2006-02-13
Fedora FEDORA-2006-098 2006-02-06


all versions

Posted Feb 9, 2006 20:39 UTC (Thu) by roelofs (guest, #2599) [Link]

... i.e., 5.52 and earlier, as demonstrated in the full-disclosure thread. Looks like it's actually the error-message buffer (reused sliding-window buffer) that's overflowing, in part because the filename is printed three times in that particular message ("foo", "foo.zip", "foo.ZIP").

Fortunately, tcsh doesn't support words that long. Bash-users are hosed, though. ;-)

Greg
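Added illustration of the failure mode the comment above describes, not UnZip's own code: a fixed-size error buffer receives the file name three times, so the required space grows three bytes per byte of name, and a bounded formatter reports truncation instead of overrunning. The buffer size, message template and function names are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the reused scratch buffer: UnZip's real buffer
 * size and message wording are not taken from the page. */
#define ERRBUF_SIZE 256

/* Constructed template that, like the message discussed above, names the
 * file three times ("foo", "foo.zip", "foo.ZIP"). */
static const char NOTFOUND_FMT[] =
    "cannot find or open %s, %s.zip or %s.ZIP.";

/* Fixed template text: total length minus the three "%s" placeholders. */
#define FMT_FIXED_LEN (sizeof(NOTFOUND_FMT) - 1 - 3 * 2)

/* Bytes the finished message occupies, including the terminating NUL.
 * Each extra byte of the name costs three bytes of buffer. */
size_t notfound_len(const char *name)
{
    return FMT_FIXED_LEN + 3 * strlen(name) + 1;
}

/* Hardened formatter. An unbounded sprintf(buf, NOTFOUND_FMT, name, name,
 * name) writes past 'buf' once notfound_len(name) exceeds 'cap'; snprintf
 * bounds the write. Returns 0 if the whole message fit, -1 if truncated. */
int format_notfound_checked(char *buf, size_t cap, const char *name)
{
    int n = snprintf(buf, cap, NOTFOUND_FMT, name, name, name);
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;
}

/* Longest name whose message still fits in a buffer of 'cap' bytes. */
size_t max_safe_name_len(size_t cap)
{
    return cap > FMT_FIXED_LEN + 1 ? (cap - FMT_FIXED_LEN - 1) / 3 : 0;
}

/* Builds a constructed name of 'name_len' 'A's and reports whether the
 * checked formatter could place its message in an ERRBUF_SIZE buffer.
 * Returns 1 if it fit, 0 if it would have been truncated. */
int fits_in_errbuf(size_t name_len)
{
    char name[1024];
    char errbuf[ERRBUF_SIZE];
    if (name_len >= sizeof name)
        name_len = sizeof name - 1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return format_notfound_checked(errbuf, sizeof errbuf, name) == 0;
}
```

With the constructed 256-byte buffer and template, a name of 73 bytes is the longest that still fits; one byte more would have overrun an unbounded write.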

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds