The Oulu University Secure Programming Group (OUSPG) at the University of Oulu, Finland has tested a set of archive formats: ace, arj, bz2, cab, gz, lha, rar, tar, zip and zoo. According to the group, most of the implementations available for evaluation failed to handle the test material robustly.
Some failures had information security implications, and should therefore be considered as vulnerabilities.
CERT-FI and the CPNI have published an advisory which also includes some vendor information. F-Secure, for example, has already patched its products, in response to the alert.
External links:
- “PROTOS Genome Test Suite c10-archive”
- “CERT-FI and CPNI Joint Vulnerability Advisory on Archive Formats”