Re: [HV-LOW] Symantec LiveUpdate issues may cause DoS

[<secure () symantec com>]

Symantec is aware of this posting. Symantec engineers are reviewing the issue.  If it is validated we will respond 
accordingly.  

According to HexView's advisory, Symantec was notified 2004-11-03 and did not respond prior to HexView's posting.  
However, HexView's initial notification to Symantec was received late afternoon on 2004-11-03 and Symantec's initial 
response acknowledgement and offer of coordination in reviewing and reporting if found to be valid went back to HexView 
the following morning, 2004-11-04, well within the 24 hour window that is published in their stated disclosure policy.  
No further communications of any nature have been received from HexView concerning this issue.

Symantec takes the security of our products seriously and is a responsible disclosure organization.  We would like to 
work directly with anyone who believes they have found a security issue in a Symantec product to validate the problem 
and coordinate a response.  

Please contact secure () symantec com concerning security issues with Symantec products.

Symantec Product Security
secure () symantec com
-----------------------------------------

vuln () hexview com 

To
bugtraq () securityfocus com, full-disclosure () lists netsys com
cc

Subject
[HV-LOW] Symantec LiveUpdate issues may cause DoS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Symantec LiveUpdate issues may cause DoS

Classification:
===============
Level: [LOW]-med-high-crit
ID: HEXVIEW*2004*11*04*1
URL: http://www.hexview.com/docs/20041104-1.txt

Overview:
=========
Symantec LiveUpdate is an application designed to provide timely updates for Symantec products. LiveUpdate downloads 
zip-archived packages, decompresses them, verifies signatures, and finally installs the updates. HexView discovered two 
problems
with LiveUpdate: decompression routine does not check for uncompressed file sizes and no validation is performed on 
directory names.

----------------------snip-------------------------------------------
Vendor Status:
==============
Symantec was notified on 2004-11-03. No response received.

About HexView:
==============
HexView contributes to online security-related lists for almost a decade. The scope of our expertize spreads over 
Windows, Linux, Sun, MacOS platforms, network applications, and embedded devices. The chances are you read our 
advisories or disclosures. For more information visit
http://www.hexview.com

----------------------snip-----------------------------
HexView Disclosure Policy:
==========================
HexView notifies vendors that have publicly available contact e-mail 24 hours before disclosing any information to the 
public. If we are unable to find vendor's e-mail address or if no reply is received within 24 hours, HexView will 
publish vulnerability notification including all technical details unless the issue is rated as "critical". If vendor 
does not reply within 72 hours, HexView may disclose all details for
critical vulnerabilities as well.

If vendor replies within the above mentioned time period, HexView will announce the vulnerability, but will not 
disclose the details required to reproduce it. HexView will also specify the date when full disclosure
containing all the details will be published. The time period between announcement and full disclosure is 30 days 
unless there is an agreement with vendor and appropriate justification for extension. If vendor
resolves the issue earlier than 30 days after  announcement, HexView will publish full disclosure as soon as the fix is 
available to the public.