HCL
Skip to main content  
 
   


SPRTechnote


IBM Lotus Notes File Viewer Overflow Vulnerability (dunzip32.dll)

Technote Number: 1229932


Problem:
This issue was reported to IBM Lotus Quality Engineering as SPR# KSPR67MNMU and
addressed in Notes 6.5.5 and Notes 7.0.

Refer to the Upgrade Central site for details on upgrading Notes/Domino to
these releases.

Workaround if 6.5.5 DLL is available:
The buffer overflow vulnerability affects the dunzip32.dll file. This dll file
has been updated in the fixed releases. If you cannot immediately upgrade the
Notes client in your environment, then it is possible to correct the issue by
copying the revised version of the dunzip32.dll file from a 6.5.5 release over
the version found in earlier 6.x releases.

Workaround if 6.5.5 is not available:
To work around this issue in previous releases of Notes, the affected file
viewer can be disabled by either commenting out the relative dll's in the
keyview.ini file found in the program directory or by deleting the files from
the program directory.
There are three options for disabling this viewer:
1. Delete the keyview.ini file in the Notes program directory. This disables
ALL viewers. When a user clicks View (for any file), a dialog box will be
displayed with the message "Unable to locate the viewer configuration file."

2. Delete the problem file (dunzip32.dll). When a user tries to view the
specific file type (zip archives), a dialog box will be displayed with the
message "The viewer display window could not be initialized." All other file
types work without returning the error message.

3. Comment out specific lines in keyview.ini for any references to the problem
file (dll). To comment a line, you precede it with a semi-colon (;). When a
user tries to view the specific file type (zip archives), a dialog box will be
displayed with the message "The viewer display window could not be initialized."

For example:
[KVARCVE]
; 132=ziprdr.dll

Additional background:
In general, users are strongly urged to use caution when opening or viewing
unsolicited file attachments.

The attachment(s) will not auto-execute upon opening or previewing the email
message; the file attachment must be opened by the user using the affected file
viewer (from the menu bar, select "Attachment", then select "View").

Note:
This affects the Notes client on Microsoft Windows operating systems only. The
Domino server is not affected by this issue. More >




  Document options
Print this document
Print view

  Search
Search Advanced Search


  Fix list views

 RSS feeds   RSS
Subscribe to the fix list

  Resources
Using this database
View notices

  HCL Support
HCL Support


    About HCL      Privacy      Contact