Debian Long Term Support / LTS Security Information / 2016 / Security Information -- DLA-631-1 unadf

Debian Security Advisory

DLA-631-1 unadf -- LTS security update

Date Reported:

21 Sep 2016

Affected Packages:

unadf

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2016-1243, CVE-2016-1244.

More information:

It was discovered that there were two vulnerabilities in unadf, a tool to extract files from an Amiga Disk File dump (.adf):

• CVE-2016-1243

  stack buffer overflow caused by blindly trusting on pathname lengths of archived files.

  Stack allocated buffer sysbuf was filled with sprintf() without any bounds checking in extracTree() function.

• CVE-2016-1244

  execution of unsanitized input

  Shell command used for creating directory paths was constructed by concatenating names of archived files to the end of the command string.

For Debian 7 Wheezy, this issue has been fixed in unadf version 0.7.11a-3+deb7u1.

We recommend that you upgrade your unadf packages.