Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <30557829.A2gxmV9TRs@neon>
Date: Fri, 19 Aug 2011 13:36:31 +0200
From: Alex Legler <a3li@...too.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: BusyBox unpack_Z_stream() buffer underflow

Hi,

Secunia [1] reported a fix in BusyBox for a flaw similar to CVE-2006-1168:

"The vulnerability is caused due to a boundary error within the 
"unpack_Z_stream()" function (archival/libarchive/decompress_uncompress.c) and 
can be exploited to cause a buffer underflow via a specially crafted 
datastream."

Patch is available at [2], our bug is [3].

Please assign a CVE.

Thanks,
Alex

[1] http://secunia.com/advisories/45702/
[2] 
http://git.busybox.net/busybox/diff/archival/libarchive/decompress_uncompress.c?id=251fc70e9722f931eec23a34030d05ba5f747b0e
[3] https://bugs.gentoo.org/show_bug.cgi?id=379857

-- 
Alex Legler <a3li@...too.org>
Gentoo Security / Ruby
Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.