StuffIt 6.5.x and Earlier Allows Buffer Overflow

A user writes in that Aladdin Systems has announced that StuffIt, versions 6.5.x and earlier for Mac OS and Mac OS X, "may contain a flaw that would cause expanding certain maliciously crafted .zip archives to execute unwanted instructions or code." Aladdin notes that no such "trojan horses" have been reported. StuffIt Expander 7.0 is, as with previous versions, free to download and use.

Conspiracy theory

[Swumpy]

Or perhaps Aladdin just wants us to upgrade to Stuffit Expander 7, so they made up a security flaw to push their new "sitx" format...

What about Stuffit Deluxe? I have to upgrade now?

[Benley]

Well, what about those of us who bought Stuffit Deluxe 6.5? What if I bought FIFTY COPIES OF IT (for a lab), and I don't feel like paying for an upgrade to 7.0 yet? Looks like I'm screwed. This is not acceptible behaviour! Even Microsoft doesn't (always) act like this when security holes crop up in the previous version of their product. If Aladdin doesn't offer a patch for 6.5, I will be quite annoyed.

Imagine what would happen if MS stopped fixing security holes in Windows 2000 all of a sudden when Windows XP came out? They would be shot in the street!

Sorry for the sweeping generalization, but this *really* does not please me.

Stuffit Exploits

[0x0d0a]

I've always had sort of a dim view of StuffIt.

On the one hand, Stuffit has a really incredibly amazingly good interface. You can navigate through a Stuffit archive like the Finder -- it's hierarchical, supports file operations, etc. WinZip, on the other hand, has a truly amazingly awful interface. Whoever decided that it would be a really cool idea to represent files in a flat interface and then throw a big fat toolbar in (I *hate* toolbars...awful UI element) above them should be whacked.

Anyway, the down side of Stuffit is that it is THE Mac file compression format. Compact Pro has unfortunately fallen by the wayside, and even that contender was, amazingly enough, propriatary. Why the hell can't anyone slap together tar + gzip + macbinary for the MacOS with a GUI (or something a smidgen more complicated, fair enough), so that Mac users aren't beholden to the whims of a single company? If Aladdin wanted to, they could charge $200 for their product. Not for long, but it's disgusting that they have no competition.

Stuffit's had a long history of being exploitable. Hand it corrupted resources and try to open the file...it crashes. Create an archive containing tens of thousands of locked invisible files at the root of the archive (actually, I think Stuffit clears the lock bit, though invis is still valid), and watch what happens when a poor user drops the archive on Stuffit Expander.

Re:What about Stuffit Deluxe? I have to upgrade no

[tbmaddux]

Imagine what would happen if MS stopped fixing security holes in Windows 2000 all of a sudden when Windows XP came out? They would be shot in the street!

You mean like when they stopped fixing holes in Office 97?

I feel your pain.

Info-zip is already installed

[gidds]

surf over to Info-zip's site to download the source or binary.

Why bother, when it's already installed as part of Mac OS X? There's no manpage, but the executable is /usr/bin/zip (and /usr/bin/unzip). The 10.2.1 version says:

Copyright (C) 1990-1996 Mark Adler, Richard B. Wales, Jean-loup Gailly Onno van der Linden and Kai Uwe Rommel. Type 'zip -L' for the software License.
This is Zip 2.1 (April 27th 1996), by Info-ZIP.
...
Compiled with gcc Apple cpp-precomp 6.14 for Unix (Apple Mac OS X) on 07/14/02.