Apple Security Advisory APPLE-SA-2002-10-15
StuffIt Expander

StuffIt Expander version 7 is now available via Apple Software Update for systems running Mac OS X 10.2 or later. As a convenience to our customers we are providing an alternative means to obtain the update, as it has been available via the Aladdin web site since the announcement of this vulnerability on October 2.

Description

ZIP archives containing files with large filenames can cause a buffer overflow when expanded. Versions 6.5.2 and earlier of the StuffIt Expander utility contain this vulnerability.

CVE ID: CAN-2002-0370

Affected systems: Systems that contain StuffIt Expander version 6.5.2 or earlier

Recommendation

Install version 7.0 of StuffIt Expander, available from:

* Software Update in System Preferences (for Mac OS X 10.2 or later)
* Aladdin Systems web site (free download): http://www.stuffit.com/expander/cert.html

Customers should download version 7.0 of StuffIt Expander and remove any earlier versions of the StuffIt Expander application from their system.

Details

Researchers at Rapid7, Inc. have discovered that multiple file decompression utilities are susceptible to buffer overflows as a result of large filenames embedded in crafted ZIP archive files. When affected users attempt to decompress these ZIP files, the buffer overflow may result in execution of arbitrary code.

Apple packages a number of expansion utilities in shipping versions of Mac OS X. StuffIt Expander is provided by Aladdin Systems and is packaged with Mac OS X. We have determined that StuffIt Expander versions 6.5.2 and earlier contain this vulnerability. We have not found this vulnerability to be present in any other expansion utilities shipped with Mac OS X.

Version 7.0 of StuffIt Expander does not contain this vulnerability, and is available as a free download from the Aladdin Systems web site at: http://www.stuffit.com/expander/cert.html

Customers should download version 7.0 of StuffIt Expander and remove any earlier versions of the StuffIt Expander application from their system. The Aladdin web site also provides additional information for customers of their other products.

CERT has released vulnerability note VU#383779 with further information: http://www.kb.cert.org/vuls/id/383779

This message is signed with Apple's Product Security PGP key, available at: http://www.apple.com/support/security/security_pgp.html

_______________________________________________
security-announce mailing list | security-announce@lists.apple.com
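The advisory describes decompressors that trust the filename length stored in a ZIP header. The following added example (not Apple's or Aladdin's code) is a pre-extraction check that walks an archive's central directory, compares each entry's stored name length (and the copy in its local file header) against a configurable limit, and reports overlong names without extracting anything; the 255-character limit and the constructed sample archive are assumptions of the example.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CD_SIG = b"PK\x01\x02"     # central directory file header
LOCAL_SIG = b"PK\x03\x04"  # local file header

def overlong_zip_names(data: bytes, max_len: int = 255) -> list[tuple[int, int]]:
    """Return (entry_index, longest_stored_name_length) for every entry whose
    filename exceeds max_len. Reads headers only, so nothing is decompressed.
    Assumes a single-disk archive without ZIP64 records."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    (_sig, _disk, _cd_disk, _n_disk, n_total, _cd_size, cd_offset,
     _comment_len) = struct.unpack_from("<IHHHHIIH", data, eocd)
    hits = []
    pos = cd_offset
    for idx in range(n_total):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError(f"bad central directory entry at offset {pos}")
        fields = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        local_off = fields[16]
        # The local header has its own name-length field at offset 26; a
        # decompressor copying that name into a fixed buffer is the pattern
        # the advisory describes, so check both copies.
        if data[local_off:local_off + 4] == LOCAL_SIG:
            local_name_len = struct.unpack_from("<H", data, local_off + 26)[0]
        else:
            local_name_len = name_len
        worst = max(name_len, local_name_len)
        if worst > max_len:
            hits.append((idx, worst))
        pos += 46 + name_len + extra_len + comment_len
    return hits

def build_sample_archive(name_len: int) -> bytes:
    """Constructed test data: an in-memory ZIP whose second entry has a
    filename of name_len + 4 characters (harmless text content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("A" * name_len + ".txt", "ordinary text content")
    return buf.getvalue()

if __name__ == "__main__":
    print(overlong_zip_names(build_sample_archive(600)))  # -> [(1, 604)]
```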