Debian Security Advisory

DLA-631-1 unadf -- LTS security update

Date Reported:
21 Sep 2016
Affected Packages:
unadf
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2016-1243, CVE-2016-1244.
More information:

It was discovered that there were two vulnerabilities in unadf, a tool to extract files from an Amiga Disk File dump (.adf):

  • CVE-2016-1243

    stack buffer overflow caused by blindly trusting the pathname lengths of archived files.

    The stack-allocated buffer sysbuf was filled with sprintf() in the extracTree() function without any bounds checking, so an over-long path name in a crafted .adf overwrites the stack.

  • CVE-2016-1244

    execution of unsanitized input (shell command injection)

    The shell command used to create directory paths was built by concatenating the names of archived files to the end of the command string, so shell metacharacters in a crafted archive entry are executed by the shell.
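
The two patterns side by side, as an added C example that is not unadf's own code (the buffer size, function names and the hostile file names are assumptions made for illustration): a fixed-size stack buffer filled with sprintf() and handed to the shell, beside a version that checks the snprintf() return value and calls mkdir(2) directly so that no shell ever parses the archive-controlled name.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Illustrative fixed size for the stack buffer; the real size used by unadf is
 * not stated in the advisory. */
#define SYSBUF_SIZE 200

/* The vulnerable pattern the advisory describes: an archive-controlled name is
 * formatted into a fixed-size stack buffer with sprintf() and the result is
 * handed to the shell. Shown for contrast only and deliberately never called. */
static void make_dir_vulnerable(const char *name)
{
    char sysbuf[SYSBUF_SIZE];
    sprintf(sysbuf, "mkdir \"%s\"", name); /* no length check: stack overflow */
    system(sysbuf);                        /* name reaches /bin/sh unsanitized */
}

/* Hardened path builder: snprintf() with its return value checked, so an
 * over-long name is rejected instead of overflowing the buffer.
 * Returns 0 on success, -1 if the result would not fit in out. */
int build_path(char *out, size_t outlen, const char *dest, const char *name)
{
    int n = snprintf(out, outlen, "%s/%s", dest, name);
    if (n < 0 || (size_t)n >= outlen) {
        return -1; /* would be truncated: exactly the case that used to overflow */
    }
    return 0;
}

/* Hardened directory creation: call mkdir(2) directly, so the name is only a
 * path component and no shell interprets it. Metacharacters such as $( ) ; |
 * and backquotes are inert. Returns 0 on success, -1 on failure. */
int make_dir_safe(const char *dest, const char *name, char *out, size_t outlen)
{
    if (build_path(out, outlen, dest, name) != 0) {
        return -1;
    }
    if (mkdir(out, 0755) != 0 && errno != EEXIST) {
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[SYSBUF_SIZE];

    /* Constructed hostile names standing in for entries of a crafted .adf. */
    char longname[SYSBUF_SIZE + 50];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    const char *shellname = "x\"; id; echo \"pwned";

    printf("over-long name rejected: %s\n",
           build_path(path, sizeof path, "out", longname) == -1 ? "yes" : "no");
    printf("shell-looking name kept literal: %s\n",
           build_path(path, sizeof path, "out", shellname) == 0 ? path : "(rejected)");

    (void)make_dir_vulnerable; /* referenced only to document the unsafe pattern */
    return 0;
}
```

The length check relies on snprintf() reporting the length the full string would have had; any return value of outlen or more means the name did not fit and must be refused, not silently truncated. Removing the shell from the path entirely is what neutralises the second issue: quoting the name inside a shell command string is fragile, while mkdir(2) never tokenises its argument.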

For Debian 7 Wheezy, these issues have been fixed in unadf version 0.7.11a-3+deb7u1.

We recommend that you upgrade your unadf packages.