Bug#838248: unadf: CVE-2016-1243 and CVE-2016-1244
Source: unadf
Version: 0.7.11a-3
Severity: important
Tags: security patch
Hi,
Tuomas Räsänen discovered the following vulnerabilities in unadf.
CVE-2016-1243[0]: stack buffer overflow caused by blindly trusting the pathname
lengths of archived files.
CVE-2016-1244[1]: execution of unsanitized input
The patch is available here:
http://tmp.tjjr.fi/0001-Fix-unsafe-extraction-by-using-mkdir-instead-of-shel.patch
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-1243
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1243
[1] https://security-tracker.debian.org/tracker/CVE-2016-1244
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1244
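As an illustration of the two bug classes the report names, the C block below is an added example written for this page; it is not unadf's code and not the linked patch. extract_dir_unsafe shows the pattern the report describes (an archive pathname copied into a fixed-size stack buffer, then a directory created by handing that name to the shell), and make_dirs_safe shows the shape of fix the patch title points at (length checked before the copy, one mkdir(2) call per path component, no shell involved). The buffer size, the function names and the scratch directory under /tmp are assumptions of the example; the rejection of absolute names and ".." components is an extra check any extractor needs but is not something the report mentions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define PATH_BUF 256 /* hypothetical fixed buffer size, chosen for the example */

/* Vulnerable pattern (illustrative only, never called here): the archive
 * pathname is copied without a length check into a stack buffer, and the
 * directory is created through /bin/sh, so ';', '$(...)' and friends in the
 * name are executed rather than treated as part of a file name. */
int extract_dir_unsafe(const char *archive_path)
{
    char buf[PATH_BUF];
    char cmd[PATH_BUF + 16];
    strcpy(buf, archive_path);          /* overflows when strlen >= PATH_BUF */
    sprintf(cmd, "mkdir -p %s", buf);   /* name becomes part of a command line */
    return system(cmd);
}

/* Extra check beyond the report: refuse names that would leave dest_root. */
static int escapes_root(const char *path)
{
    const char *p = path;
    if (*p == '/')
        return 1;
    for (; *p; p++)
        if ((p == path || p[-1] == '/') && p[0] == '.' && p[1] == '.' &&
            (p[2] == '/' || p[2] == '\0'))
            return 1;
    return 0;
}

/* Hardened form: bound checked up front, then mkdir(2) per component.
 * Returns 0 on success, -1 with errno set otherwise. */
int make_dirs_safe(const char *dest_root, const char *archive_path)
{
    char full[PATH_BUF];
    size_t root_len = strlen(dest_root);
    size_t path_len = strlen(archive_path);

    /* 1. Reject anything the buffer cannot hold ('/' separator plus NUL). */
    if (root_len + 1 + path_len + 1 > sizeof full) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* 2. Keep extraction under dest_root (assumption of this example). */
    if (escapes_root(archive_path)) {
        errno = EINVAL;
        return -1;
    }
    memcpy(full, dest_root, root_len);
    full[root_len] = '/';
    memcpy(full + root_len + 1, archive_path, path_len + 1);

    /* 3. The name is passed to the kernel as data; no shell parses it. */
    for (char *p = full + root_len + 1; *p; p++) {
        if (*p == '/') {
            *p = '\0';
            if (mkdir(full, 0755) != 0 && errno != EEXIST)
                return -1;
            *p = '/';
        }
    }
    if (mkdir(full, 0755) != 0 && errno != EEXIST)
        return -1;
    return 0;
}

/* Creates a scratch root under /tmp and exercises the hardened path:
 * a constructed name full of shell metacharacters is created literally,
 * an over-long name is refused, a ".." name is refused.
 * Returns 0 if all three hold, else a small code identifying the failure. */
int demo(void)
{
    char root[64];
    char probe[PATH_BUF + 64];
    char longname[PATH_BUF + 8];
    struct stat st;

    snprintf(root, sizeof root, "/tmp/unadf_demo_%ld", (long)getpid());
    if (mkdir(root, 0755) != 0 && errno != EEXIST)
        return 1;

    /* Constructed hostile name: under system("mkdir -p %s") the ';' would end
     * the mkdir command and run what follows; with mkdir(2) it is a file name. */
    if (make_dirs_safe(root, "disk1;touch owned/sub $(id)") != 0)
        return 2;
    snprintf(probe, sizeof probe, "%s/disk1;touch owned/sub $(id)", root);
    if (stat(probe, &st) != 0 || !S_ISDIR(st.st_mode))
        return 3;

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    if (make_dirs_safe(root, longname) != -1 || errno != ENAMETOOLONG)
        return 4;

    if (make_dirs_safe(root, "../escape") != -1 || errno != EINVAL)
        return 5;
    return 0;
}
```

The two functions differ only in where the pathname ends up: in the unsafe version it is interpolated into a command string and parsed by the shell, in the hardened one it is only ever a byte string handed to mkdir(2), so the question of which characters are "dangerous" never arises, and the length check happens once, before any copy.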