oss-sec mailing list archives
CVE request: BusyBox unpack_Z_stream() buffer underflow
From: Alex Legler <a3li () gentoo org>
Date: Fri, 19 Aug 2011 13:36:31 +0200

Hi,

Secunia [1] reported a fix in BusyBox for a flaw similar to CVE-2006-1168:

"The vulnerability is caused due to a boundary error within the "unpack_Z_stream()" function (archival/libarchive/decompress_uncompress.c) and can be exploited to cause a buffer underflow via a specially crafted datastream."

Patch is available at [2], our bug is [3]. Please assign a CVE.

Thanks,
Alex

[1] http://secunia.com/advisories/45702/
[2] http://git.busybox.net/busybox/diff/archival/libarchive/decompress_uncompress.c?id=251fc70e9722f931eec23a34030d05ba5f747b0e
[3] https://bugs.gentoo.org/show_bug.cgi?id=379857

--
Alex Legler <a3li () gentoo org>
Gentoo Security / Ruby
