[Japanese]

JVNDB-2011-000048

ALZip vulnerable to buffer overflow

Overview

ALZip provided by ESTsoft Japan Corp. contains a buffer overflow vulnerability.

ALZip is a file compression/extraction software from ESTsoft Japan Corp. ALZip contains a buffer overflow vulnerability due to improper handling of mim files.

Takahiko Funakubo of Fourteenforty Research Institute, Inc reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products


ESTsoft Corp.
  • ALZip v8.21 and earlier

According to the developer, copies of version 8.21 that were downloaded prior to June 29, 2011 are affected by this issue.
Impact

When opening a specially crafted file, arbitrary code may be executed.
Solution

[Re-install the software]
Download ALZip 8.21 after June 29, 2011 12:00 (JST) from the developer's website, and then re-install it.

According to the developer, "Automatic updates will not be provided since the version number did not change".
In the fixed version, the Readme file contains a statement, "A fix for a issue when unpacking a specific file type"
Vendor Information

ESTsoft Corp.
CWE (What is CWE?)

  1. Buffer Errors(CWE-119) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2011-1336
References

  1. JVN : JVN#01547302
  2. National Vulnerability Database (NVD) : CVE-2011-1336
  3. IPA SECURITY ALERTS : Security Alert for Vulnerability in ALZip
Revision History

[2011/06/29]
  Web page published