Bug: Compression Plus and Tumblweed EMF Stack Overflow ( Ascii Version )

Search:
WLB2

Compression Plus and Tumblweed EMF Stack Overflow

Published
Credit
Risk
2006.09.08
Michael Hale Ligh (michael ligh mnin org)
Medium
CWE
CVE
Local
Remote
N/A
CVE-2006-4554
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
5.1/10
6.4/10
4.9/10
Exploit range
Attack complexity
Authentication
Remote
High
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

The Compression Plus library is designed to handle de/compression of
popular archiving formats such as ARC, ARK, PAK, ARJ, CAB, GZ, LBR, TAR,
TAZ, TGZ, Z, ZIP, and ZOO. The code fails to properly validate input
while processing specially crafted ZOO files, which results in a
stack-based buffer overflow. Software products that implement the
Compression Plus library are vulnerable to local or remote code
execution, depending on the nature of the calling process.

Details are available from the following URL:

http://www.mnin.org/advisories/2006_cp5_tweed.pdf

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version