Comment 2 for bug 1643750

Tyler Hicks (tyhicks) wrote :

Hi Alexis - Thanks for the bug report.

I can verify the issue that you have reported. After some research, I've determined it is very similar to but different than an older unzip -l crasher reported on oss-security:

  http://www.openwall.com/lists/oss-security/2014/11/03/5

Your PoC also happens to trigger that issue in unzip -l but they crash in different areas of the unzip codebase.

Since there are a number of similar unzip issues that never received CVEs or fixes from around 11-2014, I plan to make this issue public and forward the report to the oss-security list early Monday (I'd prefer to avoid reporting an issue at the end of the day on a Friday).

I'd like to credit you for the issue. Would you mind sharing your first and last name so that I can include it in my email report? Thanks again!