LWN.net Logo

Advertisement

TrustCommerce

E-Commerce & credit card processing - the Open Source way!

Advertise here

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for August 28, 2008

Fedora, Red Hat, and distributor security

LWN.net Weekly Edition for August 21, 2008

Standards, the kernel, and Postfix

In defense of Ubuntu

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

unzip: long file name buffer overflow

Package(s):unzip CVE #(s):CVE-2005-4667
Created:February 6, 2006 Updated:May 2, 2007
Description: A buffer overflow in UnZip 5.50 and earlier allows local users to execute arbitrary code via a long filename command line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs.
Alerts:
Red Hat RHSA-2007:0203-02 2007-05-01
Fedora-Legacy FLSA:180159 2006-04-04
Debian DSA-1012-1 2006-03-21
Mandriva MDKSA-2006:050 2006-02-27
Ubuntu USN-248-2 2006-02-15
Ubuntu USN-248-1 2006-02-13
Fedora FEDORA-2006-098 2006-02-06
(Log in to post comments)

all versions

Posted Feb 9, 2006 20:39 UTC (Thu) by roelofs (subscriber, #2599) [Link]

... i.e., 5.52 and earlier, as demonstrated in the full-disclosure thread. Looks like it's actually the error-message buffer (reused sliding-window buffer) that's overflowing, in part because the filename is printed three times in that particular message ("foo", "foo.zip", "foo.ZIP").

Fortunately, tcsh doesn't support words that long. Bash-users are hosed, though. ;-)

Greg

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds