Slashdot Mirror


StuffIt 6.5.x and Earlier Allows Buffer Overflow

A user writes in that Aladdin Systems has announced that StuffIt, versions 6.5.x and earlier for Mac OS and Mac OS X, "may contain a flaw that would cause expanding certain maliciously crafted .zip archives to execute unwanted instructions or code." Aladdin notes that no such "trojan horses" have been reported. StuffIt Expander 7.0 is, as with previous versions, free to download and use.


  1. Just Use Info-zip For ".zip"s by cmholm · · Score: 5, Informative
    For those who don't want to upgrade to Stuffit Extractor 7.0 for whatever reason:

    If you're using MacOS 9 or earlier, the potential for buffer overflows is meaningless. It wouldn't be the first time your system bailed, anyway.

    For the OS X user, just adjust your browser to make Info-zip the zip file helper, and surf over to Info-zip's site to download the source or binary.

    --
    Luke, help me take this mask off ... Just for once, let me butterfly kiss you with my own eyes.
  2. What about Stuffit Deluxe? I have to upgrade now? by Benley · · Score: 4, Interesting

    Well, what about those of us who bought Stuffit Deluxe 6.5? What if I bought FIFTY COPIES OF IT (for a lab), and I don't feel like paying for an upgrade to 7.0 yet? Looks like I'm screwed. This is not acceptable behaviour! Even Microsoft doesn't (always) act like this when security holes crop up in the previous version of their product. If Aladdin doesn't offer a patch for 6.5, I will be quite annoyed.

    Imagine what would happen if MS stopped fixing security holes in Windows 2000 all of a sudden when Windows XP came out? They would be shot in the street!

    Sorry for the sweeping generalization, but this *really* does not please me.

  3. Heh, buffer overflow in Windows's ZIP handling too by Dahan · · Score: 4, Funny
    Microsoft copying Apple yet again...

    Unchecked Buffer in File Decompression Functions Could Lead to Code Execution (Q329048):

    Two vulnerabilities exist in the Compressed Folders function:

    • An unchecked buffer exists in the programs that handle the decompressing of files from a zipped file. A security vulnerability results because attempts to open a file with a specially malformed filename contained in a zipped file could possibly result in Windows Explorer failing, or in code of the attacker's choice being run.
    • The decompression function could place a file in a directory that was not the same as, or a child of, the target directory specified by the user as where the decompressed zip files should be placed. This could allow an attacker to put a file in a known location on the user's system, such as placing a program in a startup directory.
  4. Stuffit Exploits by 0x0d0a · · Score: 4, Interesting

    I've always had sort of a dim view of StuffIt.

    On the one hand, Stuffit has a really incredibly amazingly good interface. You can navigate through a Stuffit archive like the Finder -- it's hierarchical, supports file operations, etc. WinZip, on the other hand, has a truly amazingly awful interface. Whoever decided that it would be a really cool idea to represent files in a flat interface and then throw a big fat toolbar in (I *hate* toolbars...awful UI element) above them should be whacked.

    Anyway, the down side of Stuffit is that it is THE Mac file compression format. Compact Pro has unfortunately fallen by the wayside, and even that contender was, amazingly enough, proprietary. Why the hell can't anyone slap together tar + gzip + macbinary for the MacOS with a GUI (or something a smidgen more complicated, fair enough), so that Mac users aren't beholden to the whims of a single company? If Aladdin wanted to, they could charge $200 for their product. Not for long, but it's disgusting that they have no competition.

    Stuffit's had a long history of being exploitable. Hand it corrupted resources and try to open the file...it crashes. Create an archive containing tens of thousands of locked invisible files at the root of the archive (actually, I think Stuffit clears the lock bit, though invis is still valid), and watch what happens when a poor user drops the archive on Stuffit Expander.

  5. Non-registration download for Stuffit Expander by foo12 · · Score: 5, Informative

    Going through Aladdin's web site requires you to fill out a short (marketing) form before downloading Expander. Fortunately, Aladdin also has anonymous ftp access:

    ftp://ftp.aladdinsys.com/
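
The two Compressed Folders problems quoted in comment 3 (an unchecked buffer reached through a malformed filename, and files landing outside the chosen directory) are both things an extractor can refuse before it writes anything. The following pre-extraction check is an added example, not code from Aladdin, Microsoft or any commenter; the function names, the 255-byte component limit and the sample archive are assumptions constructed for illustration.

```python
import io
import os
import zipfile

MAX_NAME_BYTES = 255  # assumed per-component limit; adjust to the target filesystem


def audit_zip_entries(zip_bytes, target_dir):
    """Return (safe, rejected): extractable names, and (name, reason) pairs."""
    root = os.path.realpath(target_dir)
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            # Refuse names no fixed-size filename buffer should ever be handed.
            if any(len(p.encode("utf-8")) > MAX_NAME_BYTES for p in parts):
                rejected.append((name, "component too long"))
                continue
            # Absolute paths and drive letters ignore the target directory.
            if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
                rejected.append((name, "absolute path"))
                continue
            # Resolve ".." and compare against the directory the user chose.
            dest = os.path.realpath(os.path.join(root, *parts))
            if os.path.commonpath([root, dest]) != root:
                rejected.append((name, "escapes target directory"))
                continue
            safe.append(name)
    return safe, rejected


def build_sample_archive():
    """Constructed sample: one ordinary entry and three that must be refused."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "ok")
        zf.writestr("../../outside.txt", "x")
        zf.writestr("/etc/evil.txt", "x")
        zf.writestr("A" * 300 + ".txt", "x")
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = audit_zip_entries(build_sample_archive(), "/tmp/extract_here")
    print("safe:", ok)
    for entry, reason in bad:
        print("rejected:", entry[:40], "->", reason)
```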