Reported February 28, 2004 by iDefense.

 

 

VERSIONS AFFECTED

 

  • WinZip 9.0 latest beta

  • WinZip 8.1 Service Release-1 (SR-1), possibly earlier versions

 

DESCRIPTION

 

A buffer overflow vulnerability in WinZip can result in arbitrary code execution on the vulnerable system. The vulnerability results from a flaw in the parameter parsing routine. WinZip will crash when long strings are supplied to certain parameters of MIME archives (.mim, .uue, .uu, .b64, .bhx, .hqx, and .xxe extensions).
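A pre-open triage check for files with the extensions listed above, as an added example that is not part of the original advisory and is not iDefense or WinZip code: it flags MIME header parameters whose values are unusually long. The advisory does not name the affected parameters or a length, so the `name=value` header syntax, the 256-byte threshold, and the function names are assumptions.

```python
import re

MAX_PARAM_LEN = 256  # assumed threshold; the advisory states no length
MIME_EXTS = (".mim", ".uue", ".uu", ".b64", ".bhx", ".hqx", ".xxe")  # from the advisory

HEADER_RE = re.compile(rb"^([!-9;-~]+):[ \t]*(.*)$")
# ;name=value or ;name="quoted value" inside a header value
PARAM_RE = re.compile(rb';\s*([^\s=;]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)')

def is_mime_archive(path: str) -> bool:
    """True if the file name carries one of the extensions the advisory lists."""
    return path.lower().endswith(MIME_EXTS)

def unfold_headers(data: bytes):
    """Yield (name, value) per header line, joining folded continuation lines."""
    name, value = None, b""
    for line in data.splitlines():
        if name is not None and line[:1] in (b" ", b"\t"):
            value += b" " + line.strip()
            continue
        if name is not None:
            yield name, value
            name = None
        m = HEADER_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2)
    if name is not None:
        yield name, value

def long_parameters(data: bytes, limit: int = MAX_PARAM_LEN):
    """Return [(header, parameter, length)] for values longer than limit."""
    findings = []
    for name, value in unfold_headers(data):
        for pm in PARAM_RE.finditer(value):
            val = pm.group(2).strip().strip(b'"')
            if len(val) > limit:
                findings.append((name.decode("ascii", "replace"),
                                 pm.group(1).decode("ascii", "replace"), len(val)))
    return findings

# Constructed inputs for exercising the check (not samples from the advisory).
SAMPLE_OK = (b"MIME-Version: 1.0\r\n"
             b'Content-Type: application/octet-stream; name="report.doc"\r\n'
             b"Content-Transfer-Encoding: base64\r\n\r\nSGVsbG8=\r\n")
SAMPLE_LONG = SAMPLE_OK.replace(b"report.doc", b"A" * 1000)

if __name__ == "__main__":
    for label, blob in (("ok", SAMPLE_OK), ("long", SAMPLE_LONG)):
        print(label, long_parameters(blob))
```

A non-empty result is a reason to quarantine the file for review, not proof that it targets this flaw.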

 

 

VENDOR RESPONSE

 

WinZip has made available version 9.0, which doesn’t have the buffer overflow vulnerability.

 

CREDIT

Discovered by iDefense.