Petite compression – not only a problem for Sophos?

A Petite Plugin vulnerability in Sophos anti-virus products was disclosed recently.

The Sophos Knowledge Base article "Advisory: Vulnerabilities reported by iDefense" (ID #7609) was originally released on Friday 27th October and was picked up in security advisories by several security companies on Monday. In fact, there are four separate vulnerabilities affecting almost all Sophos AV products:

* Petite Plugin Sector Handling Vulnerability
* RAR File Denial of Service Vulnerability
* CHM File Heap Overflow Vulnerability and
* CHM Name Length Memory Consumption Vulnerability

Regarding the Petite issue, Sophos Anti-Virus for Windows 6.0.4 and earlier, 5.2.6 and earlier, the Linux version 5.0.9 and earlier, the OS X version 4.8.4 and earlier, and FreeBSD/Solaris etc. 4.10 and earlier are affected. Fixed versions are listed in the support article mentioned above.

And what is the reason for this flaw? Sophos states the following:

A handcrafted Petite archive containing a large number of large sectors can cause a Denial of Service in the virus engine.

Several pieces of malware, e.g. the Netsky.D worm, have been packed with this executable compressor tool (www.un4seen.com/petite/) from Un4seen Developments.

It will be interesting to see whether this flaw is due to Sophos's own implementation of Petite or whether they are using an old, vulnerable version of Petite. No technical details are available yet.

The latest Petite version is v2.3 (27th Feb, 2005).

These vulnerabilities were reportedly researched by VeriSign iDefense (or maybe their Labs guys).

Update: New information via this advisory states that this issue was reported by Damian Put.
