mailing list archives
Vulnerable and completely outdated 3rd party ZIP code in FastStone image viewer
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Mon, 16 May 2011 17:56:30 +0200
The FastStone image viewer <http://www.faststone.org/> (and most
probably other FastStone products too) contains a 3rd party
ZipDll.dll 18.104.22.168 dated 2001-10-28.
This DLL was originally written by Chris Vleghert and Eric W. Engler,
based on InfoZIPs <http://infozip.org> code from 2000.
It is but vulnerable and completely outdated: the current version of
the successor <http://dll.delphizip.org/> is 1.90, the oldest version
(22.214.171.124) listed there is from July 2005, almost 4 years newer than
the DLL distributed with the Faststone image viewer.
According to <http://infozip.org/FAQ.html#corruption> all versions of
ZIP prior to 2.31 (November 2004) and UnZIP prior to 5.52
(February/March 2005) are vulnerable.
Vendor was informed via <http://www.faststone.org/contactUs.htm>,
but did not respond at all!
PS: Tools like Secunia's PSI don't detect such outdated and
vulnerable DLLs/components, so: user beware!
- Vulnerable and completely outdated 3rd party ZIP code in FastStone image viewer Stefan Kanthak (May 16)