StuffIt Expander available via Software Update
- Subject: StuffIt Expander available via Software Update
- From: Product Security <email@hidden>
- Date: Tue, 15 Oct 2002 18:54:40 -0700
-----BEGIN PGP SIGNED MESSAGE-----

Apple Security Advisory APPLE-SA-2002-10-15 StuffIt Expander

StuffIt Expander version 7 is now available via Apple Software Update
for systems running Mac OS X 10.2 or later. As a convenience to our
customers we are providing an alternative means to obtain the update, as
it has been available via the Aladdin web site since the announcement of
this vulnerability on October 2.

Description

ZIP archives containing files with large filenames can cause a buffer
overflow when expanded. Versions 6.5.2 and earlier of the StuffIt
Expander utility contain this vulnerability.

CVE ID: CAN-2002-0370

Affected systems: Systems that contain StuffIt Expander version 6.5.2
or earlier

Recommendation

Install version 7.0 of StuffIt Expander available from:

* Software Update in System Preferences (for Mac OS X 10.2 or later)
* Aladdin Systems web site (free download):
  http://www.stuffit.com/expander/cert.html

Customers should download version 7.0 of StuffIt Expander, and remove
any earlier versions of the StuffIt Expander application from their
system.

Details

Researchers at Rapid7, Inc. have discovered that multiple file
decompression utilities are susceptible to buffer overflows as a result
of large filenames embedded in crafted ZIP archive files. When affected
users attempt to decompress these ZIP files, the buffer overflow may
result in execution of arbitrary code.
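
A defensive pre-screening check for the condition described above, as an added example that is not part of the advisory or of any vendor's code: it walks a ZIP file's local and central directory headers and reports entries whose declared filename length exceeds a limit or runs past the end of the file. The 255-byte limit, the function names and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

MAX_NAME = 255  # assumed policy limit in bytes; the advisory gives no figure

# (signature, kind, offset of 2-byte name-length field, fixed header size)
HEADERS = ((b"PK\x03\x04", "local", 26, 30),
           (b"PK\x01\x02", "central", 28, 46))


def find_long_names(data, limit=MAX_NAME):
    """Return (offset, kind, declared_len, problem) per suspicious header.

    Signatures are found by byte search, so compressed data that happens
    to contain one can produce a false positive worth a manual look.
    """
    findings = []
    for sig, kind, len_off, fixed in HEADERS:
        pos = data.find(sig)
        while pos != -1:
            if pos + fixed > len(data):
                findings.append((pos, kind, None, "truncated header"))
            else:
                (name_len,) = struct.unpack_from("<H", data, pos + len_off)
                if pos + fixed + name_len > len(data):
                    findings.append((pos, kind, name_len, "name past end of file"))
                elif name_len > limit:
                    findings.append((pos, kind, name_len, "name exceeds limit"))
            pos = data.find(sig, pos + 4)
    return findings


def build_sample(name_len):
    """Constructed sample: in-memory ZIP holding one entry with a name_len-byte name."""
    buf = io.BytesIO()
    info = zipfile.ZipInfo("A" * name_len, date_time=(2002, 10, 15, 0, 0, 0))
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(info, b"constructed sample data")
    return buf.getvalue()


if __name__ == "__main__":
    for n in (12, 1024):
        print(n, find_long_names(build_sample(n)))
```

Both header types are checked because an extractor may read the name length from either one, and the two copies are not guaranteed to agree in a malformed archive.
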

Apple packages a number of expansion utilities in shipping versions of
Mac OS X. StuffIt Expander is provided by Aladdin Systems and is
packaged with Mac OS X. We have determined that StuffIt Expander
versions 6.5.2 and earlier contain this vulnerability. We have not
found this vulnerability to be present in any other expansion utilities
shipped with Mac OS X.

Version 7.0 of StuffIt Expander does not contain this vulnerability, and
is available as a free download from the Aladdin Systems web site at:
http://www.stuffit.com/expander/cert.html

Customers should download version 7.0 of StuffIt Expander, and remove
any earlier versions of the StuffIt Expander application from their
system. The Aladdin web site also provides additional information for
customers of their other products.

CERT has released vulnerability note VU#383779 with further information:
http://www.kb.cert.org/vuls/id/383779

This message is signed with Apple's Product Security PGP key, available
at: http://www.apple.com/support/security/security_pgp.html

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3
-----END PGP SIGNATURE-----