A local overflow exists in SpeedCommander, Squeez, and ZipStar. The products fail to safely use the "lstrcat()" function in the "CxZIP60.dll", "CxZIP60u.dll", "CxUux60.dll", "CxUux60u.dll" modules while processing filename pathnames resulting in a stack-based overflow. With a specially crafted archive, an attacker can cause the execution of arbitrary code resulting in a loss of integrity.

SpeedCommander 10:
Upgrade to version 10.52 (Build 4450) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

SpeedCommander 11:
Upgrade to version 11.01 (Build 4450) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Squeez 5.0:
Upgrade to version 5.10 (Build 4460) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

ZipStar 5.0:
Upgrade to version 5.10 (Build 4460) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1015265 1015266 1015267
• Secunia Advisory ID: 17420
• CVE ID: 2005-3831 (see also: NVD) 2005-3832 (see also: NVD)
• VUPEN Advisory: ADV-2005-2570
• Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0831.html
• Other Advisory URL: http://secunia.com/secunia_research/2005-60/advisory/
• Vendor URL: http://www.speedproject.de/

• Tan Chew Keong - vulnsecunia.com - Secunia Research