[SECURITY] [DLA 631-1] unadf security update
Package : unadf
Version : 0.7.11a-3+deb7u1
CVE IDs : CVE-2016-1243 CVE-2016-1244
Debian Bug : #838248
It was discovered that there were two vulnerabilities in unadf, a tool to
extract files from an Amiga Disk File dump (.adf):
- CVE-2016-1243: stack buffer overflow caused by blindly trusting the
  pathname lengths of archived files.
  The stack-allocated buffer sysbuf was filled with sprintf() without any
  bounds checking in the extracTree() function.
- CVE-2016-1244: execution of unsanitized input.
  The shell command used for creating directory paths was constructed by
  concatenating the names of archived files to the end of the command
  string.
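The safe counterparts of the two patterns described above, as an added illustration that is neither unadf's code nor the Debian patch: a bounds-checked snprintf() in place of the unchecked sprintf(), and mkdir(2) in place of a shell command built from archive names. SYSBUF_LEN, the function names and the entry-name rules are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#define SYSBUF_LEN 200 /* assumed stand-in for unadf's fixed stack buffer size */

/* Accept an archive entry name only if it is non-empty, is not "." or "..",
 * and contains no path separators or control characters. Shell metacharacters
 * need no special handling because the name is never handed to a shell. */
int safe_entry_name(const char *name)
{
    if (name == NULL || *name == '\0') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p == '/' || *p == '\\' || *p < 0x20 || *p == 0x7f) return 0;
    }
    return 1;
}

/* Build "<destdir>/<name>" with bounds checking, the counterpart of the
 * unchecked sprintf() behind CVE-2016-1243. Returns 0 on success and -1 if
 * the name is unsafe or the result would not fit: a truncated path is an
 * error, not something to continue with. */
int build_path(char *out, size_t outlen, const char *destdir, const char *name)
{
    if (!safe_entry_name(name)) return -1;
    int n = snprintf(out, outlen, "%s/%s", destdir, name);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return 0;
}

/* Create the directory with mkdir(2) rather than running "mkdir -p ..." via
 * system(), the counterpart of CVE-2016-1244: the archive-supplied name is
 * only ever a path argument and is never interpreted by a shell. */
int make_entry_dir(const char *destdir, const char *name)
{
    char sysbuf[SYSBUF_LEN];
    if (build_path(sysbuf, sizeof sysbuf, destdir, name) != 0) return -1;
    if (mkdir(sysbuf, 0755) != 0 && errno != EEXIST) return -1;
    return 0;
}
```

Note that build_path() treats snprintf() truncation as a failure rather than silently extracting to a shortened path; refusing the entry is the behaviour an extractor should have for over-long names.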
For Debian 7 "Wheezy", these issues have been fixed in unadf version
0.7.11a-3+deb7u1.
We recommend that you upgrade your unadf packages.
Regards,
--
Chris Lamb
lamby@debian.org / chris-lamb.co.uk