Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Security Businesses Apple

StuffIt 6.5.x and Earlier Allows Buffer Overflow 62

Posted by pudge from the security-good-overflow-bad dept.
A user writes in that Aladdin Systems has announced that StuffIt, versions 6.5.x and earlier for Mac OS and Mac OS X, "may contain a flaw that would cause expanding certain maliciously crafted .zip archives to execute unwanted instructions or code." Aladdin notes that no such "trojan horses" have been reported. StuffIt Expander 7.0 is, as with previous versions, free to download and use.
This discussion has been archived. No new comments can be posted.

StuffIt 6.5.x and Earlier Allows Buffer Overflow More

StuffIt 6.5.x and Earlier Allows Buffer Overflow

Comments Filter:

  • Is this really a problem? (Score:3, Informative)

    by jpt.d ( 444929 ) <abfall@@@rogers...com> on Wednesday October 02, 2002 @10:57PM (#4378562)
    My first experience with stuffit expander 7 was a very slow one compared to the previous version (that came with Jagwyre). So I downgrades first chance.

    You shouldn't be using zip files on mac in general unless it is some sort of code or something. Malicious code would require a specific target platform of the mac to do anything substantial, and being that nobody in their right mind would create zip files for mac, i don't see much problem.
    • Sometimes people do need to transfer files from PC to Mac, and often Zip is the only compression scheme available to those PC users.
    • For a couple of years, I was downloading an awful lot of maps for UT in ZIP files. Also, back in the mid-90's, I was downloading .QWK packets in ZIP format for an offline mail reader. But I don't download that many ZIP files these days; I think the last one was likely some Wallpaper from Blizzard that I flipped horizontally and converted to JPEG from BMP.

  • timing (Score:1, Flamebait)

    by stego ( 146071 )
    ...and I was just recently wondering why I might upgrade, thinking that I would wait until someone sent something that I couldn't open.
  • there are not many viruses/trojans/attacks for mac systems, has the throwing of OSX into the public raised more attacks from the evil computer users?
    • There are still no known Mac OS X virii/trojans/worms last time I checked, but while this makes me very happy as an OS X user I'm not naive enough to believe this will be the case forever. Eventually a few will come our way just like on OS 9 and earlier OSes, but Windows will always get more because A) their security record is horrible and B) why write a virus for 5% of the market when you can hit 90% of the market?

  • Just Use Info-zip For ".zip"s (Score:5, Informative)

    by cmholm ( 69081 ) <cmholm@ma u i h o l m . org> on Wednesday October 02, 2002 @11:36PM (#4378702) Homepage Journal
    For those who don't want to upgrade to Stuffit Extractor 7.0 for whatever reason:

    If you're using MacOS 9 or earlier, the potential for buffer overflows is meaningless. It wouldn't be the first time your system bailed, anyway.

    For the OS X user, just adjust your browser to make Info-zip the zip file helper, and surf over to Info-zip's [info-zip.org] site to download the source or binary.

    • surf over to Info-zip's site to download the source or binary.

      Why bother, when it's already installed as part of Mac OS X? There's no manpage, but the executable is /usr/bin/zip (and /usr/bin/unzip). The 10.2.1 version says:

      Copyright (C) 1990-1996 Mark Adler, Richard B. Wales, Jean-loup Gailly Onno van der Linden and Kai Uwe Rommel. Type 'zip -L' for the software License.
      This is Zip 2.1 (April 27th 1996), by Info-ZIP.
      ...
      Compiled with gcc Apple cpp-precomp 6.14 for Unix (Apple Mac OS X) on 07/14/02.

  • Conspiracy theory (Score:2, Interesting)

    by Swumpy ( 241486 )
    Or perhaps Aladdin just wants us to upgrade to Stuffit Expander 7, so they made up a security flaw to push their new "sitx" format...

  • What about Stuffit Deluxe? I have to upgrade now? (Score:4, Interesting)

    by Benley ( 102665 ) on Thursday October 03, 2002 @12:29AM (#4378875) Journal

    Well, what about those of us who bought Stuffit Deluxe 6.5? What if I bought FIFTY COPIES OF IT (for a lab), and I don't feel like paying for an upgrade to 7.0 yet? Looks like I'm screwed. This is not acceptible behaviour! Even Microsoft doesn't (always) act like this when security holes crop up in the previous version of their product. If Aladdin doesn't offer a patch for 6.5, I will be quite annoyed.

    Imagine what would happen if MS stopped fixing security holes in Windows 2000 all of a sudden when Windows XP came out? They would be shot in the street!

    Sorry for the sweeping generalization, but this *really* does not please me.

  • I used to use StuffIt Deluxe a long time ago until it seemed as though each new OS revision (not even version) would break something of the product, warranting a product update. Either the main app or the problematic total finder integration StuffIt/Magic menu would be hosed. So I lost patience and stopped upgrading.

    With OS X why bother using StuffIt when you can create a compressed disk image? There's always Expander--which is a very nice, and free, product--when you have to extract SIT files.

  • Heh, buffer overflow in Windows's ZIP handling too (Score:4, Funny)

    by Dahan ( 130247 ) <khym@azeotrope.org> on Thursday October 03, 2002 @12:47AM (#4378926)
    Microsoft copying Apple yet again...

    Unchecked Buffer in File Decompression Functions Could Lead to Code Execution (Q329048) [microsoft.com]:

    Two vulnerabilities exist in the Compressed Folders function:

    • An unchecked buffer exists in the programs that handles the decompressing of files from a zipped file. A security vulnerability results because attempts to open a file with a specially malformed filename contained in a zipped file could possibly result in Windows Explorer failing, or in code of the attacker's choice being run.
    • The decompression function could place a file in a directory that was not the same as, or a child of, the target directory specified by the user as where the decompressed zip files should be placed. This could allow an attacker to put a file in a known location on the users system, such as placing a program in a startup directory

  • Stuffit Exploits (Score:4, Interesting)

    by 0x0d0a ( 568518 ) on Thursday October 03, 2002 @12:58AM (#4378951) Journal
    I've always had sort of a dim view of StuffIt.

    On the one hand, Stuffit has a really incredibly amazingly good interface. You can navigate through a Stuffit archive like the Finder -- it's hierarchical, supports file operations, etc. WinZip, on the other hand, has a truly amazingly awful interface. Whoever decided that it would be a really cool idea to represent files in a flat interface and then throw a big fat toolbar in (I *hate* toolbars...awful UI element) above them should be whacked.

    Anyway, the down side of Stuffit is that it is THE Mac file compression format. Compact Pro has unfortunately fallen by the wayside, and even that contender was, amazingly enough, propriatary. Why the hell can't anyone slap together tar + gzip + macbinary for the MacOS with a GUI (or something a smidgen more complicated, fair enough), so that Mac users aren't beholden to the whims of a single company? If Aladdin wanted to, they could charge $200 for their product. Not for long, but it's disgusting that they have no competition.

    Stuffit's had a long history of being exploitable. Hand it corrupted resources and try to open the file...it crashes. Create an archive containing tens of thousands of locked invisible files at the root of the archive (actually, I think Stuffit clears the lock bit, though invis is still valid), and watch what happens when a poor user drops the archive on Stuffit Expander.
    • Don't forget MacOS X has tar and gzip/gunzip available from the command line - OK there's no GUI but it's not that hard. It would be pretty trivial to knock up a GUI anyway - just don't go charging $20 for half an hours work like some OS X chancers do...
      • There used to be GUI version of tar and gzip for Mac. They may have been called MacTar and Macgzip for an obvious reason :) But they didn't have quite Mac like interface. Should be easier these days with Inteface Builder and command line suites.

        Going a little off topic, I'm having hard time stopping StuffIt Expander to expand *.tar.gz archives. I'd rather like to do that by hand from command line. But whatever I may try (using inspector panel, from the IE preferences), when I download a tar.gz file, Expander will automatically expand tar.gz to gz to folder. This is pretty annoying. Does anyone know how to stop this?
        • Expander will automatically expand tar.gz to gz to folder. This is pretty annoying. Does anyone know how to stop this?
          Try turning off "Continue to expand..." and while it might still go from .tar.gz to .tar, it won't continue to make the folder. StuffIt 6.5 used to allow you to deselect .gz files, but that has been lost in StuffIt Expander 7, unfortunately.
      • IIRC tar/gz/bzip2 doesn't retain resource forks for classic style files. so for some people that could be a problem. it would still be a good project though.

    • Re:Stuffit Exploits (Score:2, Informative)

      by foyle ( 467523 )
      A good alternative to StuffIt for decompressing various Unix archives on OS X is Scott Anguish's most excellent "OpenUp": http://softrak.stepwise.com/display?pkg=790&os =20

      Stone Design's "PackUpAndGo" is also an excellent product: http://www.stone.com/PackUpAndGo/PackUpAndGo.html
    • Why the hell can't anyone slap together tar + gzip + macbinary for the MacOS with a GUI (or something a smidgen more complicated, fair enough), so that Mac users aren't beholden to the whims of a single company?
      Why not just disk images (.dmg files) created by Apple Disk Copy? It's provided with MacOS X, and you can even AES-encrypt your images. You'll still be beholden to the whims of a single company (Apple), but that's unavoidable for Mac users.
      • Thats a good partial solution, but it'd be kind of nice to have an open compression format.

        For major file formats, it just seems safer to have competing products and a spec out so that more people can make new products. Stuffit is just about the only major-major-major file format on any current platform I know of that's completely closed. Just about every user on the platform runs into Stuffit files, and there's only one commercial product from one company that can create them.

        Heck, what if Aladdin started putting adware into Stuffit Expander, or Apple did? They already have "partners" with Sherlock and with default bookmarks...

  • Non-registration download for Stuffit Expander (Score:5, Informative)

    by foo12 ( 585116 ) on Thursday October 03, 2002 @02:08AM (#4379089)
    Going through Aladdin's web site requires you to fill out a short (marketing) form before downloading Expander. Fortunately, Aladdin also has anonymous ftp access

    ftp://ftp.aladdinsys.com/
  • Can anyone explain this or give a good link? I've read about them from a news point of view, but I'm interested in how a buffer underun allows someone to execute arbitrary code.
    • First off, the term is buffer overflow, a buffer underrun happens during burning a CD. They work by writing data past the end of an array (usually a string buffer) literally overflowing the buffer. By writing the right data into the right places, you can replace code that was going to be executed with your own code.
  • I don't believe them, they just want us to update to 7.0 so they can put us adds about there great piece of shit. OS X makes it so fun to use tar and bzip2!
  • Kind of convenient that they announce a flaw in an old product soon after the release of a chargeable upgrade
  • Okay, besides the pointlessness of bothering, you can only get Stuffit Expander now as part of Stuffit Standard Edition.

    You can't get Expander as a separate download.

    Aladdin is making up the known trojans claim, there aren't any besides, anything like that would have to be downloaded first to begin with.

    Me? I just use gzip unless someone insists on posting something in .sit format as gzip compression is actually better anyway.

    There is also a GuI app called OpenUp that is open source but, can't open .sit files.

Slashdot Top Deals

"All the people are so happy now, their heads are caving in. I'm glad they are a snowman with protective rubber skin" -- They Might Be Giants

Close