[Mimedefang] [esd-l] NOTICE: ZIP archived filename length checks in Sanitizer (fwd)

Kenneth Porter shiva at sewingwitch.com
Mon Sep 11 01:54:34 EDT 2006

I believe the patch described here is trapping archives containing files 
with names more than 250 characters long.

------------ Forwarded Message ------------
Date: Saturday, September 09, 2006 9:19 PM -0700
From: "John D. Hardin" <jhardin at impsec.org>
To: esa-l at impsec.org
Cc: Procmail Users List <procmail at Lists.RWTH-Aachen.DE>, esd-l at impsec.org
Subject: [esd-l] NOTICE: ZIP archived filename length checks in Sanitizer


A BO vulnerability has been announced in the DUNZIP32.dll zipfile
library used by many commercial programs, including Lotus Notes and
Real Audio player.

In an attempt to mitigate this vulnerability, archived filename length
checks have been added to the development version of the Procmail
Email Sanitizer, and a patch to add these checks to recent stable
releases is also available.

The patch is available at:


The development version of the sanitizer is available at:


The sanitizer home page is:


 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  It is not the business of government to make men virtuous or
  religious, or to preserve the fool from the consequences of his own
  folly.                                              -- Henry George
 8 days until The 219th anniversary of the signing of the U.S. Constitution

esd-l mailing list
esd-l at impsec.org

---------- End Forwarded Message ----------

More information about the MIMEDefang mailing list