<<< Date Index >>>     <<< Thread Index >>>

Re: [HV-LOW] Symantec LiveUpdate issues may cause DoS




Symantec is aware of this posting. Symantec engineers are reviewing the issue.  
If it is validated we will respond accordingly.  

According to HexView's advisory, Symantec was notified 2004-11-03 and did not 
respond prior to HexView's posting.  
However, HexView's initial notification to Symantec was received late afternoon 
on 2004-11-03 and Symantec's initial response acknowledgement and offer of 
coordination in reviewing and reporting if found to be valid went back to 
HexView the following morning, 2004-11-04, well within the 24 hour window that 
is published in their stated disclosure policy.  No further communications of 
any nature have been received from HexView concerning this issue.

Symantec takes the security of our products seriously and is a responsible 
disclosure organization.  We would like to work directly with anyone who 
believes they have found a security issue in a Symantec product to validate the 
problem and coordinate a response.  

Please contact secure@xxxxxxxxxxxx concerning security issues with Symantec 
products.

Symantec Product Security
secure@xxxxxxxxxxxx
-----------------------------------------

vuln@xxxxxxxxxxx 

To
bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx
cc

Subject
[HV-LOW] Symantec LiveUpdate issues may cause DoS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Symantec LiveUpdate issues may cause DoS

Classification:
===============
Level: [LOW]-med-high-crit
ID: HEXVIEW*2004*11*04*1
URL: http://www.hexview.com/docs/20041104-1.txt

Overview:
=========
Symantec LiveUpdate is an application designed to provide timely updates for 
Symantec products. LiveUpdate downloads zip-archived packages, decompresses 
them, verifies signatures, and finally installs the updates. HexView discovered 
two problems
with LiveUpdate: decompression routine does not check for uncompressed file 
sizes and no validation is performed on directory names.

----------------------snip-------------------------------------------
Vendor Status:
==============
Symantec was notified on 2004-11-03. No response received.

About HexView:
==============
HexView contributes to online security-related lists for almost a decade. The 
scope of our expertize spreads over Windows, Linux, Sun, MacOS platforms, 
network applications, and embedded devices. The chances are you read our 
advisories or disclosures. For more information visit
http://www.hexview.com

----------------------snip-----------------------------
HexView Disclosure Policy:
==========================
HexView notifies vendors that have publicly available contact e-mail 24 hours 
before disclosing any information to the public. If we are unable to find 
vendor's e-mail address or if no reply is received within 24 hours, HexView 
will publish vulnerability notification including all technical details unless 
the issue is rated as "critical". If vendor does not reply within 72 hours, 
HexView may disclose all details for
critical vulnerabilities as well.

If vendor replies within the above mentioned time period, HexView will announce 
the vulnerability, but will not disclose the details required to reproduce it. 
HexView will also specify the date when full disclosure
containing all the details will be published. The time period between 
announcement and full disclosure is 30 days unless there is an agreement with 
vendor and appropriate justification for extension. If vendor
resolves the issue earlier than 30 days after  announcement, HexView will 
publish full disclosure as soon as the fix is available to the public.