Numerous products foul up when processing crafted archives
The Finnish Computer Emergency Response Team (CERT-FI) has released a security advisory on vulnerabilities in various products which misbehave when processing crafted archives. Attackers could exploit these to inject code. CERT-FI discovered the vulnerabilities in conjunction with the University of Oulu using a fuzzing tool. Fuzzing – testing with randomly generated parameter values in the specified file format – generally discovers validation errors in user input processing routines. Vulnerabilities of this kind can frequently be exploited to inject malicious code.
Updates for the discovered vulnerabilities are already available from 7-zip (version 4.5.7), bzip2 (1.0.5), Debian (libarchive), F-Secure, FreeBSD (libarchive), Gentoo (libarchive), RarLab (version 3.71) and SuSE (libarchive).
Products tested and found not vulnerable include those from Aladdin, Apple, Citrix, Gfi, Microsoft, Oracle, S60Zip, Secgo and Symantec. The status of the other vendors listed by CERT-FI is unknown.
Where relevant, users should install the released updates as soon as possible.
See also:
- CERT-FI and CPNI Joint Vulnerability Advisory on Archive Formats, security advisory from CERT-FI
- PROTOS Genome Test Suite c10-archive, fuzzing test provided by the University of Oulu
- Data Salad, heise Security feature on Fuzzing
(mba)