Security Advisory APPLE-SA-2002-10-02 Stuffit Expander
Apple Security Advisory APPLE-SA-2002-10-02 Stuffit Expander

Description

ZIP archives containing files with large filenames can cause a buffer overflow when expanded. Versions 6.5.2 and earlier of the Stuffit Expander utility contain this vulnerability.

Affected systems: Systems that contain Stuffit Expander version 6.5.2 or earlier

Recommendation

Version 7.0 of Stuffit Expander does not contain this vulnerability, and is available as a free download from the Aladdin Systems web site:

http://www.stuffit.com/expander/cert.html

Customers should download version 7.0 of Stuffit Expander, and remove any earlier versions of the Stuffit Expander application from their system.

Details

Researchers at Rapid7, Inc. have discovered that multiple file decompression utilities are susceptible to buffer overflows as a result of large filenames embedded in crafted ZIP archive files. When affected users attempt to decompress these ZIP files, the buffer overflow may result in execution of arbitrary code.

Apple packages a number of expansion utilities in shipping versions of Mac OS X. Stuffit Expander is provided by Aladdin Systems and is packaged with Mac OS X. We have determined that Stuffit Expander versions 6.5.2 and earlier contain this vulnerability. We have not found this vulnerability to be present in any other expansion utilities shipped with Mac OS X.

Version 7.0 of Stuffit Expander does not contain this vulnerability, and is available as a free download from the Aladdin Systems web site at:

http://www.stuffit.com/expander/cert.html

Customers should download version 7.0 of Stuffit Expander, and remove any earlier versions of the Stuffit Expander application from their system. The Aladdin web site also provides additional information for customers of their other products.

CERT has released vulnerability note VU#383779 with further information:

http://www.kb.cert.org/vuls/id/383779

This message is signed with Apple's Product Security PGP key, available at:

http://www.apple.com/support/security/security_pgp.html

_______________________________________________
security-announce mailing list | security-announce@lists.apple.com
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/security-announce
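As an added example (not part of Apple's advisory or any vendor's code), a pre-expansion check that reads only the ZIP headers and reports entries whose declared filename length is unusually large, the condition the Details section describes. The 255-byte limit and the function names are assumptions chosen for illustration; the sample archive is constructed in memory.

```python
import io
import struct
import zipfile

MAX_NAME = 255  # assumed policy limit; the advisory gives no specific length

def oversized_names(data, limit=MAX_NAME):
    """Return (name_prefix, central_len, local_len) for each entry whose
    declared filename length exceeds `limit`. Reads headers only; nothing is
    expanded. ZIP64 and multi-disk archives are out of scope here."""
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory record
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    fields = struct.unpack_from("<4s4H2LH", data, eocd)
    total, cd_off = fields[4], fields[6]
    findings, pos = [], cd_off
    for _ in range(total):
        if pos + 46 > len(data) or data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory entry")
        f = struct.unpack_from("<4s6H3L5H2L", data, pos)
        nlen, elen, clen, local_off = f[10], f[11], f[12], f[16]
        if (local_off + 30 > len(data)
                or data[local_off:local_off + 4] != b"PK\x03\x04"):
            raise ValueError("bad local file header")
        # The local header carries its own length field; check both copies,
        # since an expander may trust either one.
        local_nlen = struct.unpack_from("<H", data, local_off + 26)[0]
        if max(nlen, local_nlen) > limit:
            prefix = data[pos + 46:pos + 46 + min(nlen, 32)].decode("latin-1")
            findings.append((prefix, nlen, local_nlen))
        pos += 46 + nlen + elen + clen  # advance to the next directory entry
    return findings

def build_sample(name_len):
    """Constructed sample: one ordinary entry plus one with a long name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("readme.txt", b"ok")
        z.writestr("A" * name_len, b"x")
    return buf.getvalue()

if __name__ == "__main__":
    for hit in oversized_names(build_sample(4000)):
        print("hold for review before expansion:", hit)
```

A mail gateway or download handler could run such a check and quarantine flagged archives on hosts that have not yet moved to the fixed expander version.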