StuffIt 6.5.x and Earlier Allows Buffer Overflow
A user writes in that Aladdin Systems has announced that StuffIt, versions 6.5.x and earlier for Mac OS and Mac OS X, "may contain a flaw that would cause expanding certain maliciously crafted .zip archives to execute unwanted instructions or code." Aladdin notes that no such "trojan horses" have been reported. StuffIt Expander 7.0 is, as with previous versions, free to download and use.
My first experience with StuffIt Expander 7 was a very slow one compared to the previous version (that came with Jagwyre). So I downgraded first chance.
You shouldn't be using zip files on Mac in general unless it is some sort of code or something. Malicious code would require a specific target platform of the Mac to do anything substantial, and being that nobody in their right mind would create zip files for Mac, I don't see much problem.
What we see depends on mainly what we look for. -- John Lubbock Now search for that bug slave!
What tune is it sung to and can I get an mp3 of it? I will enjoy playing it on my Mac. Too bad your windows box will lock up long before it can encode your song. Guess I will never be able to hear it.
Big FOX =^,^= What do you mean it's broken? I fixed it yesterday!
...and I was just recently wondering why I might upgrade, thinking that I would wait until someone sent something that I couldn't open.
There are not many viruses/trojans/attacks for Mac systems. Has the throwing of OS X into the public raised more attacks from the evil computer users?
I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
If you're using MacOS 9 or earlier, the potential for buffer overflows is meaningless. It wouldn't be the first time your system bailed, anyway.
For the OS X user, just adjust your browser to make Info-zip the zip file helper, and surf over to Info-zip's site to download the source or binary.
Luke, help me take this mask off
Or perhaps Aladdin just wants us to upgrade to Stuffit Expander 7, so they made up a security flaw to push their new "sitx" format...
Well, what about those of us who bought StuffIt Deluxe 6.5? What if I bought FIFTY COPIES OF IT (for a lab), and I don't feel like paying for an upgrade to 7.0 yet? Looks like I'm screwed. This is not acceptable behaviour! Even Microsoft doesn't (always) act like this when security holes crop up in the previous version of their product. If Aladdin doesn't offer a patch for 6.5, I will be quite annoyed.
Imagine what would happen if MS stopped fixing security holes in Windows 2000 all of a sudden when Windows XP came out? They would be shot in the street!
Sorry for the sweeping generalization, but this *really* does not please me.
I used to use StuffIt Deluxe a long time ago until it seemed as though each new OS revision (not even version) would break something of the product, warranting a product update. Either the main app or the problematic total finder integration StuffIt/Magic menu would be hosed. So I lost patience and stopped upgrading.
With OS X why bother using StuffIt when you can create a compressed disk image? There's always Expander--which is a very nice, and free, product--when you have to extract SIT files.
Unchecked Buffer in File Decompression Functions Could Lead to Code Execution (Q329048):
Two vulnerabilities exist in the Compressed Folders function:
I've always had sort of a dim view of StuffIt.
On the one hand, Stuffit has a really incredibly amazingly good interface. You can navigate through a Stuffit archive like the Finder -- it's hierarchical, supports file operations, etc. WinZip, on the other hand, has a truly amazingly awful interface. Whoever decided that it would be a really cool idea to represent files in a flat interface and then throw a big fat toolbar in (I *hate* toolbars...awful UI element) above them should be whacked.
Anyway, the down side of StuffIt is that it is THE Mac file compression format. Compact Pro has unfortunately fallen by the wayside, and even that contender was, amazingly enough, proprietary. Why the hell can't anyone slap together tar + gzip + macbinary for the MacOS with a GUI (or something a smidgen more complicated, fair enough), so that Mac users aren't beholden to the whims of a single company? If Aladdin wanted to, they could charge $200 for their product. Not for long, but it's disgusting that they have no competition.
Stuffit's had a long history of being exploitable. Hand it corrupted resources and try to open the file...it crashes. Create an archive containing tens of thousands of locked invisible files at the root of the archive (actually, I think Stuffit clears the lock bit, though invis is still valid), and watch what happens when a poor user drops the archive on Stuffit Expander.
May we never see th
I like it.
I would cut my balls off to prevent that from happening again.
Then I would ship you off to school in Israel because it might put an end to the fighting and get rid of you all at once.
They would unite in your death, then forget about hating each other.
Going through Aladdin's web site requires you to fill out a short (marketing) form before downloading Expander. Fortunately, Aladdin also has anonymous FTP access:
ftp://ftp.aladdinsys.com/
I have Stuffit Deluxe 6.5 and Stuffit Expander, they work fine together. Just set .sit, .zip, .gz, etc to open with Stuffit Expander. It sounds like the problem is just with extracting, not archiving, so you should be ok.
Will you please stop arguing on the side of the PC users? No really, I mean it. Seriously, who would want such a blathering, mindless, crude, rambling, idiotic, unevolved neanderthal on their side? Now shut your cheeks, hold your breath, and put yourself out of our misery.
Can anyone explain this or give a good link? I've read about them from a news point of view, but I'm interested in how a buffer overrun allows someone to execute arbitrary code.
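The bug class behind the advisory, as an added C example that is not part of this thread and not Aladdin's code: a decompressor reads a length field out of the archive and copies that many bytes into a fixed-size buffer without comparing the two. The record layout, `NAME_CAP`, and the function names are constructed for illustration, not the real .zip header format. The unchecked version writes past the buffer when the archive lies about the length, which corrupts whatever sits next to it (on the stack that includes saved return addresses, which is how a memory-safety bug turns into code execution); the checked version bounds the length against both the bytes actually present and the destination size and rejects the record otherwise.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy record layout (an assumption for illustration, not the real
 * .zip local-file-header layout): a 2-byte little-endian name length, then
 * the name bytes. A decompressor that trusts that length is the bug class. */
#define NAME_CAP 32

/* VULNERABLE: the length field comes from the archive and is never compared
 * with the record size or with the destination buffer. A length larger than
 * NAME_CAP makes memcpy write past `out`, clobbering whatever the caller keeps
 * next to it. Kept only for contrast; nothing below calls it. */
int extract_name_unchecked(const uint8_t *rec, size_t rec_len, char out[NAME_CAP]) {
    if (rec_len < 2) return -1;
    size_t n = (size_t)rec[0] | ((size_t)rec[1] << 8);
    memcpy(out, rec + 2, n);          /* n is attacker-controlled, unbounded */
    out[n] = '\0';
    return (int)n;
}

/* HARDENED: the declared length must fit both the bytes actually present in
 * the record and the destination buffer (with room for the terminator). */
int extract_name_checked(const uint8_t *rec, size_t rec_len, char *out, size_t out_cap) {
    if (rec == NULL || out == NULL || rec_len < 2 || out_cap == 0) return -1;
    size_t n = (size_t)rec[0] | ((size_t)rec[1] << 8);
    if (n > rec_len - 2) return -1;   /* header claims more bytes than the record holds */
    if (n >= out_cap) return -1;      /* would not fit in the destination */
    memcpy(out, rec + 2, n);
    out[n] = '\0';
    return (int)n;
}

/* Build a constructed record whose header declares `declared` bytes while the
 * body actually carries `actual` bytes of filler 'A'. Returns the record size. */
static size_t build_record(uint8_t *buf, size_t buf_cap, uint16_t declared, size_t actual) {
    if (buf_cap < 2 + actual) return 0;
    buf[0] = (uint8_t)(declared & 0xFF);
    buf[1] = (uint8_t)(declared >> 8);
    memset(buf + 2, 'A', actual);
    return 2 + actual;
}

/* Well-formed record: declared length matches the body and fits NAME_CAP. */
int demo_well_formed(void) {
    uint8_t rec[64]; char name[NAME_CAP];
    size_t len = build_record(rec, sizeof rec, 5, 5);
    return extract_name_checked(rec, len, name, sizeof name);   /* 5 */
}

/* Truncated record: header claims 0xFFFF bytes but only 4 follow. */
int demo_truncated(void) {
    uint8_t rec[64]; char name[NAME_CAP];
    size_t len = build_record(rec, sizeof rec, 0xFFFF, 4);
    return extract_name_checked(rec, len, name, sizeof name);   /* -1 */
}

/* Oversized record: 40 real bytes, consistent header, but NAME_CAP is 32. */
int demo_oversized(void) {
    uint8_t rec[64]; char name[NAME_CAP];
    size_t len = build_record(rec, sizeof rec, 40, 40);
    return extract_name_checked(rec, len, name, sizeof name);   /* -1 */
}

int main(void) {
    printf("well-formed: %d\n", demo_well_formed());
    printf("truncated:   %d\n", demo_truncated());
    printf("oversized:   %d\n", demo_oversized());
    return 0;
}
```

The two rejected cases are the ones a fuzzer or a hand-corrupted archive produces: a header that overstates what follows, and a header that is internally consistent but larger than the extractor's buffer. Both checks are needed; checking only against the record size still lets the second case through.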
Hmm...looks like I broke your brain. Sorry about that dude.
It's the most common, but it's far from the only format available.
I don't believe them, they just want us to update to 7.0 so they can push us ads about their great piece of shit. OS X makes it so fun to use tar and bzip2!
I feel your pain.
Can't you see that everyone is buying station wagons?
Why bother, when it's already installed as part of Mac OS X? There's no manpage, but the executable is /usr/bin/zip (and /usr/bin/unzip). The 10.2.1 version says:
Moreover, I am of the opinion that the signature must be deleted.
Kind of convenient that they announce a flaw in an old product soon after the release of a chargeable upgrade
Now you've done it. He's going to stalk you all over slashdot like he stalks me.
T Money
World Domination with a plastic spoon since 1984
You don't need to upgrade all 50 of your StuffIt Deluxe apps. Just download the 7.0 Expander, which is FREE, and be sure to use that when decompressing .zip files. You can still use StuffIt Deluxe 6.5's compression to your heart's content, or decompression of .sit files.
Geez
Here is a version of gnutar that handles resource forks.
According to their website, StuffIt 6.5 was first shipped in September 2001. Office 97 was shipped, well, around 1997. Big difference.
Okay, besides the pointlessness of bothering, you can only get Stuffit Expander now as part of Stuffit Standard Edition.
.sit format as gzip compression is actually better anyway.
.sit files.
You can't get Expander as a separate download.
Aladdin is making up the known trojans claim; there aren't any. Besides, anything like that would have to be downloaded first to begin with.
Me? I just use gzip unless someone insists on posting something in
There is also a GuI app called OpenUp that is open source but, can't open