DynaZip Buffer Overflow in Processing Long Filenames May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1012297
SecurityTracker URL: http://securitytracker.com/id?1012297
CVE Reference: GENERIC-MAP-NOMATCH
Date: Nov 22 2004
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 5.00.03 and prior versions
Description: A buffer overflow vulnerability was reported in DynaZip. A remote user may be able to execute arbitrary code on the target system.
US-CERT reported that the vulnerability reported by RealNetworks in October 2004 [discovered by eEye Digital Security and documented in our Alert ID 1011944] is due to an underlying flaw in the Inner Media DynaZip library.
A remote user can create a zip file containing specially crafted filenames that, when processed by DynaZip, will trigger the buffer overflow and execute arbitrary code on the target system.
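A pre-screening check for the condition described above, as an added example that is not part of the original advisory or the vendor's code: it reads the raw filename-length fields of a zip archive and flags entries whose names exceed a limit before the file reaches an unpatched library. The 260-byte limit (Windows MAX_PATH) and the function names are assumptions; the advisory does not state the size of the affected buffer.

```python
import io
import struct
import zipfile

MAX_NAME_BYTES = 260  # assumed limit (Windows MAX_PATH); the advisory gives no buffer size
EOCD_SIG, CDH_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"


def long_name_entries(data: bytes, limit: int = MAX_NAME_BYTES):
    """Return [(name_bytes, name_prefix)] for entries whose filename length exceeds limit.

    Reads the raw length fields of the central directory and of each local
    header without extracting anything. Zip64 archives are not handled.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    flagged = []
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG or pos + 46 > len(data):
            raise ValueError("malformed central directory")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        local_len = 0
        if data[local_off:local_off + 4] == LFH_SIG and local_off + 30 <= len(data):
            (local_len,) = struct.unpack_from("<H", data, local_off + 26)
        worst = max(name_len, local_len)  # the two headers may disagree
        if worst > limit:
            name = data[pos + 46:pos + 46 + name_len]
            flagged.append((worst, name[:32].decode("latin-1")))
        pos += 46 + name_len + extra_len + comment_len
    return flagged


def build_sample(long_len: int = 300) -> bytes:
    """Constructed test archive: one ordinary name and one oversized name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"ok")
        zf.writestr("A" * long_len + ".txt", b"ok")
    return buf.getvalue()


if __name__ == "__main__":
    for size, prefix in long_name_entries(build_sample()):
        print(f"reject: filename of {size} bytes (starts {prefix!r})")
```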
Impact: A remote user may be able to execute arbitrary code on the target system. The specific impact depends on the application using the DynaZip library.
Solution: The vendor has released a fixed version (5.00.04).
Vendor URL: www.innermedia.com/dz/index.htm
Cause: Boundary error
Underlying OS: Windows (Any)
Message History:
None.
Source Message Contents
Date: Mon, 22 Nov 2004 17:20:34 -0500
Subject: http://www.kb.cert.org/vuls/id/582498
US-CERT reported that InnerMedia DynaZip is vulnerable to the buffer overflow
vulnerability recently disclosed by RealNetworks and eEye Digital Security.
5.00.03 and prior versions are affected.