zoo misc.c fullpath() buffer overflow

zoo-misc-bo (24904) The risk level is classified as HighHigh Risk

Description:

zoo is vulnerable to a buffer overflow, caused by improper bounds checking by the fullpath() function in misc.c file. By creating a specially-crafted archive containing an overly long filename or pathname, a local attacker could overflow a buffer and execute arbitrary code on the system once the archive is opened by the target victim.

Platforms Affected:

  • Debian, Debian Linux 3.0
  • Debian, Debian Linux 3.1
  • Gentoo, Linux
  • linux.maruhn.com, zoo 2.10 and prior
  • SuSE, SuSE Linux

Remedy:

For Debian GNU/Linux:
Refer to DSA-991-1 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux:
Refer to GLSA 200603-05 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Refer to SUSE Security Summary Report SUSE-SR:2006:005 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for patch or upgrade information.

Consequences:

Gain Access

References:

  • Full-Disclosure Mailing List, Wed Feb 22 2006 - 21:54:58 CST, zoo contains exploitable buffer overflows at http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0567.html.
  • Zoo Web site, Zoo - File archiving utility with compression at http://linux.maruhn.com/sec/zoo.html.
  • BID-16790: Zoo Misc.c Buffer Overflow Vulnerability
  • CVE-2006-0855: Stack-based buffer overflow in the fullpath function in misc.c for zoo 2.10 and earlier, as used in products such as Barracuda Spam Firewall, allows user-assisted attackers to execute arbitrary code via a crafted ZOO file that causes the combine function to return a longer string than expected.
  • DSA-991: zoo -- buffer overflow
  • GLSA-200603-05: zoo: Stack-based buffer overflow
  • SA19002: Zoo "fullpath()" File Name Handling Buffer Overflow
  • SA19514: Barracuda Spam Firewall Archives Buffer Overflow Vulnerabilities
  • SECTRACK ID: 1015668: zoo Buffer Overflow in fullpath() Lets Remote Users Cause Arbitrary Code to Be Executed
  • SECTRACK ID: 1015866: Barracuda Spam Firewall Buffer Overflows in Processing LHA and ZOO Archives Let Remote Users Execute Arbitrary Code
  • SUSE-SR:2006:005: SUSE Security Summary Report
  • SUSE-SR:2006:006: SUSE Security Summary Report
  • VUPEN/ADV-2006-0705: Zoo Filename and Pathname Handling Local Buffer Overflow Vulnerability
  • VUPEN/ADV-2006-1220: Barracuda Spam Firewall Archives Handling Buffer Overflow Vulnerabilities

Reported:

Feb 22, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page