lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <098CC67E1A8B4B448EFED1D81657977D@localhost>
Date: Mon, 16 May 2011 17:56:30 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerable and completely outdated 3rd party ZIP code in FastStone image viewer

The FastStone image viewer <http://www.faststone.org/> (and most
probably other FastStone products too) contains a 3rd party
ZipDll.dll 1.6.0.0 dated 2001-10-28.

This DLL was originally written by Chris Vleghert and Eric W. Engler,
based on InfoZIPs <http://infozip.org> code from 2000.

It is but vulnerable and completely outdated:  the current version of
the successor <http://dll.delphizip.org/> is 1.90, the oldest version
(1.78.7.3) listed there is from July 2005, almost 4 years newer than
the DLL distributed with the Faststone image viewer.

According to <http://infozip.org/FAQ.html#corruption> all versions of
ZIP prior to 2.31 (November 2004) and UnZIP prior to 5.52
(February/March 2005) are vulnerable.


Vendor was informed via <http://www.faststone.org/contactUs.htm>,
but did not respond at all!


Stefan Kanthak


PS: Tools like Secunia's PSI don't detect such outdated and
    vulnerable DLLs/components, so: user beware!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ