oss-sec mailing list archives
Heap-based buffer overflow in zutils zcat
From: Ben Hutchings <ben () decadent org uk>
Date: Sun, 05 Aug 2018 21:36:09 +0800
A heap-based buffer overflow (CWE-122) was discovered in the zutils implementation of zcat. It is apparently possible only if the -v option, or one of the other options that implies -v, is used. This seems to have been first discovered in 2016 as a result of interaction between initramfs-tools and zutils, but was initially thought to be a bug in the gzip implementation of zcat: https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1507443 https://bugs.debian.org/815915 It was eventually reported to the zutils upstream developer (Antonio Diaz Diaz, cc'd) in the last few weeks and was fixed in version 1.8-pre2. This was announced in: https://lists.nongnu.org/archive/html/zutils-bug/2018-08/msg00000.html I will request a CVE ID for this. Ben. -- Ben Hutchings One of the nice things about standards is that there are so many of them.
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Heap-based buffer overflow in zutils zcat Ben Hutchings (Aug 05)
- Re: Heap-based buffer overflow in zutils zcat Ben Hutchings (Aug 22)
- Re: Heap-based buffer overflow in zutils zcat Antonio Diaz Diaz (Aug 23)
- Re: Heap-based buffer overflow in zutils zcat Ben Hutchings (Aug 22)