Bug 138228 - CAN-2004-1010 buffer overflow when creating archive containing very long filenames.
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: zip
Hardware: All
OS: Linux
Priority: medium
Severity: low
Assigned To: Lon Hohberger
Keywords: Security
Duplicates: 138392
Reported: 2004-11-05 16:05 EST by Josh Bressers
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2004-12-16 15:49:33 EST

Attachments
Patch which fixes this issue. (676 bytes, patch)
2004-11-05 16:19 EST, Josh Bressers
New patch to fix the buffer overflow. (968 bytes, patch)
2004-11-06 08:35 EST, Josh Bressers

Description Josh Bressers 2004-11-05 16:05:08 EST
A buffer overflow has been found in zip which will lead to a buffer
overflow when a user tries to create a zip archive which contains very
long filenames.


This issue is going to affect RHEL2.1 as well.
Comment 1 Josh Bressers 2004-11-05 16:19:27 EST
Created attachment 106240 [details]
Patch which fixes this issue.
Comment 2 Josh Bressers 2004-11-06 08:35:16 EST
Created attachment 106249 [details]
New patch to fix the buffer overflow.

This patch fixes a leak; I was not freeing a malloc'd variable in the previous
Comment 3 Lon Hohberger 2004-11-08 10:28:37 EST
Patch from mailing list:

diff -Nur zip-2.30/unix/unix.c zip-2.30.new/unix/unix.c
--- zip-2.30/unix/unix.c	2004-11-05 14:22:42.957410560 +0100
+++ zip-2.30.new/unix/unix.c	2004-11-05 14:22:03.620390696 +0100
@@ -322,6 +322,9 @@
   char name[FNMAX];
   int len = strlen(f);

+  if (len >= FNMAX)
+    error("file name too long");
   if (f == label) {
     if (a != NULL)
       *a = label_mode;
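Review bot: the guard `if (len >= FNMAX) error("file name too long");` only prevents the overflow of `name[FNMAX]` if `error()` never returns; if it can return, execution falls straight through to the code that copies `f` into `name`, so either confirm that `error()` terminates the process or add an explicit `return` after it. The `>=` bound is the right one, since a name of exactly FNMAX bytes would leave no room for the terminating NUL. Note also that this version rejects long names with a fatal error rather than handling them, which differs from the malloc-based approach in attachment 106249; the chosen behaviour should be stated in the commit so the two patches are not confused.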
Comment 5 Josh Bressers 2004-11-08 17:15:46 EST
*** Bug 138392 has been marked as a duplicate of this bug. ***
Comment 7 Josh Bressers 2004-12-16 15:49:33 EST
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.