Symantec is aware of this posting. Symantec engineers are reviewing the issue. If it is validated we will respond accordingly. According to HexView's advisory, Symantec was notified 2004-11-03 and did not respond prior to HexView's posting. However, HexView's initial notification to Symantec was received late afternoon on 2004-11-03 and Symantec's initial response acknowledgement and offer of coordination in reviewing and reporting if found to be valid went back to HexView the following morning, 2004-11-04, well within the 24 hour window that is published in their stated disclosure policy. No further communications of any nature have been received from HexView concerning this issue. Symantec takes the security of our products seriously and is a responsible disclosure organization. We would like to work directly with anyone who believes they have found a security issue in a Symantec product to validate the problem and coordinate a response. Please contact secure@xxxxxxxxxxxx concerning security issues with Symantec products. Symantec Product Security secure@xxxxxxxxxxxx ----------------------------------------- vuln@xxxxxxxxxxx To bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx cc Subject [HV-LOW] Symantec LiveUpdate issues may cause DoS -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Symantec LiveUpdate issues may cause DoS Classification: =============== Level: [LOW]-med-high-crit ID: HEXVIEW*2004*11*04*1 URL: http://www.hexview.com/docs/20041104-1.txt Overview: ========= Symantec LiveUpdate is an application designed to provide timely updates for Symantec products. LiveUpdate downloads zip-archived packages, decompresses them, verifies signatures, and finally installs the updates. HexView discovered two problems with LiveUpdate: decompression routine does not check for uncompressed file sizes and no validation is performed on directory names. ----------------------snip------------------------------------------- Vendor Status: ============== Symantec was notified on 2004-11-03. No response received. About HexView: ============== HexView contributes to online security-related lists for almost a decade. The scope of our expertize spreads over Windows, Linux, Sun, MacOS platforms, network applications, and embedded devices. The chances are you read our advisories or disclosures. For more information visit http://www.hexview.com ----------------------snip----------------------------- HexView Disclosure Policy: ========================== HexView notifies vendors that have publicly available contact e-mail 24 hours before disclosing any information to the public. If we are unable to find vendor's e-mail address or if no reply is received within 24 hours, HexView will publish vulnerability notification including all technical details unless the issue is rated as "critical". If vendor does not reply within 72 hours, HexView may disclose all details for critical vulnerabilities as well. If vendor replies within the above mentioned time period, HexView will announce the vulnerability, but will not disclose the details required to reproduce it. HexView will also specify the date when full disclosure containing all the details will be published. The time period between announcement and full disclosure is 30 days unless there is an agreement with vendor and appropriate justification for extension. If vendor resolves the issue earlier than 30 days after announcement, HexView will publish full disclosure as soon as the fix is available to the public.
