Security Advisory APPLE-SA-2002-10-02 Stuffit Expander
- Subject: Security Advisory APPLE-SA-2002-10-02 Stuffit Expander
- From: Product Security <email@hidden>
- Date: Wed, 2 Oct 2002 13:53:34 -0700
Apple Security Advisory APPLE-SA-2002-10-02 Stuffit Expander
Description
ZIP archives containing files with large filenames can cause a
buffer overflow when expanded. Versions 6.5.2 and earlier of the
Stuffit Expander utility contain this vulnerability.
Affected systems: Systems that contain Stuffit Expander version 6.5.2
or earlier
Recommendation
Version 7.0 of Stuffit Expander does not contain this vulnerability,
and is available as a free download from the Aladdin Systems web site:
http://www.stuffit.com/expander/cert.html
Customers should download version 7.0 of Stuffit Expander, and remove
any earlier versions of the Stuffit Expander application from their
system.
Details
Researchers at Rapid7, Inc. have discovered that multiple file
decompression utilities are susceptible to buffer overflows as a result
of large filenames embedded in crafted ZIP archive files. When affected
users attempt to decompress these ZIP files, the buffer overflow may
result in execution of arbitrary code.
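As an added illustration (not part of the advisory), the check below reads the raw ZIP local-file and central-directory headers, the same fields an expander consults before it copies a name into its own buffer, and flags any entry whose filename-length field exceeds a chosen limit. The 255-byte default is an assumed threshold, not a value from the advisory, and the sample archives are constructed in memory with Python's zipfile module.

```python
import io
import struct
import zipfile

# For each ZIP record type that carries a filename: (struct format,
# index of the name-length field, indexes of the other variable-length
# fields that follow the name and must be skipped).
RECORD_TYPES = {
    b"PK\x03\x04": ("<4sHHHHHIIIHH", 9, (10,)),            # local file header
    b"PK\x01\x02": ("<4sHHHHHHIIIHHHHHII", 10, (11, 12)),  # central directory entry
}


def oversized_names(data: bytes, max_name_len: int = 255):
    """Return sorted (record_offset, name_len) pairs for every header whose
    filename-length field exceeds max_name_len (assumed default: 255).
    Fields are decoded with struct rather than via zipfile so the check
    sees exactly the 16-bit length an expander would trust."""
    findings = []
    for sig, (fmt, name_idx, trailing) in RECORD_TYPES.items():
        size = struct.calcsize(fmt)
        pos = data.find(sig)
        while pos >= 0 and pos + size <= len(data):
            fields = struct.unpack_from(fmt, data, pos)
            name_len = fields[name_idx]
            if name_len > max_name_len:
                findings.append((pos, name_len))
            # Skip the fixed header plus name/extra/comment, then search for the
            # next signature rather than trusting the compressed-size field, so
            # entries that use data descriptors (flag bit 3) are still found.
            skip = size + name_len + sum(fields[i] for i in trailing)
            pos = data.find(sig, pos + skip)
    return sorted(findings)


def build_sample(name: str) -> bytes:
    """Constructed test input: an in-memory ZIP holding one entry called name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    print(oversized_names(build_sample("readme.txt")))  # []
    print(oversized_names(build_sample("A" * 1000)))    # local header and central entry flagged
```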
Apple packages a number of expansion utilities in shipping versions of
Mac OS X. Stuffit Expander is provided by Aladdin Systems and is
packaged with Mac OS X. We have determined that Stuffit Expander
versions 6.5.2 and earlier contain this vulnerability. We have not
found this vulnerability to be present in any other expansion utilities
shipped with Mac OS X.
Version 7.0 of Stuffit Expander does not contain this vulnerability, and
is available as a free download from the Aladdin Systems web site at:
http://www.stuffit.com/expander/cert.html
Customers should download version 7.0 of Stuffit Expander, and remove
any earlier versions of the Stuffit Expander application from their
system. The Aladdin web site also provides additional information for
customers of their other products.
CERT has released vulnerability note VU#383779 with further information:
http://www.kb.cert.org/vuls/id/383779
This message is signed with Apple's Product Security PGP key, available
at: http://www.apple.com/support/security/security_pgp.html
security-announce mailing list | email@hidden