Re: [HV-LOW] Symantec LiveUpdate issues may cause DoS
Symantec is aware of this posting. Symantec engineers are reviewing the issue.
If it is validated we will respond accordingly.
According to HexView's advisory, Symantec was notified 2004-11-03 and did not
respond prior to HexView's posting.
However, HexView's initial notification to Symantec was received late afternoon
on 2004-11-03 and Symantec's initial response acknowledgement and offer of
coordination in reviewing and reporting if found to be valid went back to
HexView the following morning, 2004-11-04, well within the 24 hour window that
is published in their stated disclosure policy. No further communications of
any nature have been received from HexView concerning this issue.
Symantec takes the security of our products seriously and is a responsible
disclosure organization. We would like to work directly with anyone who
believes they have found a security issue in a Symantec product to validate the
problem and coordinate a response.
Please contact secure@xxxxxxxxxxxx concerning security issues with Symantec
products.
Symantec Product Security
secure@xxxxxxxxxxxx
-----------------------------------------
vuln@xxxxxxxxxxx
To
bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx
cc
Subject
[HV-LOW] Symantec LiveUpdate issues may cause DoS
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Symantec LiveUpdate issues may cause DoS
Classification:
===============
Level: [LOW]-med-high-crit
ID: HEXVIEW*2004*11*04*1
URL: http://www.hexview.com/docs/20041104-1.txt
Overview:
=========
Symantec LiveUpdate is an application designed to provide timely updates for
Symantec products. LiveUpdate downloads zip-archived packages, decompresses
them, verifies signatures, and finally installs the updates. HexView discovered
two problems
with LiveUpdate: decompression routine does not check for uncompressed file
sizes and no validation is performed on directory names.
----------------------snip-------------------------------------------
Vendor Status:
==============
Symantec was notified on 2004-11-03. No response received.
About HexView:
==============
HexView contributes to online security-related lists for almost a decade. The
scope of our expertize spreads over Windows, Linux, Sun, MacOS platforms,
network applications, and embedded devices. The chances are you read our
advisories or disclosures. For more information visit
http://www.hexview.com
----------------------snip-----------------------------
HexView Disclosure Policy:
==========================
HexView notifies vendors that have publicly available contact e-mail 24 hours
before disclosing any information to the public. If we are unable to find
vendor's e-mail address or if no reply is received within 24 hours, HexView
will publish vulnerability notification including all technical details unless
the issue is rated as "critical". If vendor does not reply within 72 hours,
HexView may disclose all details for
critical vulnerabilities as well.
If vendor replies within the above mentioned time period, HexView will announce
the vulnerability, but will not disclose the details required to reproduce it.
HexView will also specify the date when full disclosure
containing all the details will be published. The time period between
announcement and full disclosure is 30 days unless there is an agreement with
vendor and appropriate justification for extension. If vendor
resolves the issue earlier than 30 days after announcement, HexView will
publish full disclosure as soon as the fix is available to the public.