Debian Security Advisory
DLA-631-1 unadf -- LTS security update
- Date Reported: 21 Sep 2016
- Affected Packages: unadf
- Security database references: In Mitre's CVE dictionary: CVE-2016-1243, CVE-2016-1244.
- More information:
It was discovered that there were two vulnerabilities in unadf, a tool to extract files from an Amiga Disk File dump (.adf):
- Stack buffer overflow caused by blindly trusting the pathname lengths of archived files. The stack-allocated buffer sysbuf was filled with sprintf() without any bounds checking in the extractTree() function.
- Execution of unsanitized input. The shell command used for creating directory paths was constructed by concatenating the names of archived files to the end of the command string.
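As an added illustration of the hardened shape these two fixes take (example code written for this page, not unadf's own): the directory is created with mkdir(2) so the entry name never passes through a shell, and the path is assembled with a length-checked snprintf() into a fixed stack buffer. The names sysbuf, SYSBUF_LEN, build_subdir_path and create_entry_dir are assumptions for this example.

```c
/* Hardened directory-creation step for an archive extractor.
 * Illustrative code for the advisory above, not unadf's own source.
 * Assumed: archive entry names arrive as NUL-terminated C strings. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#define SYSBUF_LEN 200  /* a fixed-size stack buffer, as in the advisory */

/* Build "<base>/<name>" into a bounded buffer.
 * Returns 0 on success, -1 if the result would not fit. A name that is
 * too long is refused instead of overflowing (or silently truncating). */
int build_subdir_path(char *out, size_t outlen, const char *base, const char *name)
{
    int n = snprintf(out, outlen, "%s/%s", base, name);
    if (n < 0 || (size_t)n >= outlen) {
        return -1;
    }
    return 0;
}

/* Create the directory for one archive entry without invoking a shell.
 * mkdir(2) receives the name verbatim, so bytes such as ';' or '`' are
 * just file-name characters, not command separators.
 * Names containing '/' are rejected (one path component per entry);
 * that policy is an assumption of this example.
 * Returns 0 on success or if the directory already exists, -1 otherwise. */
int create_entry_dir(const char *base, const char *name)
{
    char sysbuf[SYSBUF_LEN];

    if (strchr(name, '/') != NULL) {
        return -1;
    }
    if (build_subdir_path(sysbuf, sizeof sysbuf, base, name) != 0) {
        return -1;
    }
    if (mkdir(sysbuf, 0755) != 0 && errno != EEXIST) {
        return -1;
    }
    return 0;
}
```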
For Debian 7 "Wheezy", these issues have been fixed in unadf version 0.7.11a-3+deb7u1.
We recommend that you upgrade your unadf packages.