
Bug#1053098: unadf 0.7.11a-5 calls system() with unsanitized input



Package: unadf
Version: 0.7.11a-5
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

Dear Maintainer,

See upstream ADFLib commit 8e973d7b8945 ("Fix unsafe extraction by using
mkdir() instead of shell command") [1].

'unadf' passes the directory names within an ADF to system()
unsanitized. In the most benign failure case, directory names beginning
with '-' are interpreted as options to mkdir, and unpacking the ADF
fails.

Please update unadf to the fixed upstream version.

[1] https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd

-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-12-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages unadf depends on:
ii  libc6  2.36-9+deb12u1

unadf recommends no packages.

unadf suggests no packages.

-- no debconf information
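As an added illustration of the pattern the report describes (example code written for this page, not taken from unadf or ADFLib): the first function mimics building a shell command line from a directory name read out of an archive, so you can see what the shell would receive; the second creates the directory with mkdir(2), which is the approach the upstream fix takes, so the name is never parsed by a shell and a leading '-' is just part of the name. The function names, the extra checks on the entry name (rejecting "", ".", ".." and anything containing '/') and the temporary-directory demo are assumptions made here, not something the bug report or the upstream commit spells out.

```c
/* Added example, not code from the bug report, unadf or ADFLib.
 * Contrasts "build a shell command with the archive's directory name"
 * with "call mkdir(2) directly". All names here are hypothetical. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The unsafe pattern: the directory name from the archive is interpolated
 * straight into a command line destined for system(). This function only
 * builds the string and returns it; nothing is executed. A name that starts
 * with '-' arrives at mkdir as an option, and any shell metacharacter in the
 * name (';', '$', backquotes, ...) reaches the shell unescaped.
 * Returns 0 on success, -1 if the buffer is too small. */
static int build_mkdir_command(const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "mkdir %s", name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* The hardened version: create dest/name with mkdir(2). No shell is involved,
 * so "-p" is created as a directory literally named "-p". The rejection of
 * "", ".", ".." and names containing '/' is a defensive check added in this
 * example so an archive cannot steer the extractor outside dest; it is not
 * something the report discusses. Returns 0 on success, -1 on error (errno set). */
static int safe_mkdir_entry(const char *dest, const char *name)
{
    if (name[0] == '\0' || strcmp(name, ".") == 0 || strcmp(name, "..") == 0
        || strchr(name, '/') != NULL) {
        errno = EINVAL;
        return -1;
    }
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/%s", dest, name);
    if (n < 0 || (size_t)n >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (mkdir(path, 0755) != 0 && errno != EEXIST)
        return -1;
    return 0;
}

/* Demonstration: creates a directory named "-p" inside a fresh temporary
 * directory via safe_mkdir_entry(), then checks that it exists and cleans up.
 * Returns 1 if the directory was created, 0 otherwise. */
static int demo_safe_mkdir_dash_name(void)
{
    char tmpl[] = "/tmp/unadf-demo-XXXXXX";  /* constructed scratch location */
    char *dir = mkdtemp(tmpl);
    if (dir == NULL)
        return 0;
    if (safe_mkdir_entry(dir, "-p") != 0) {
        rmdir(dir);
        return 0;
    }
    char path[4096];
    snprintf(path, sizeof path, "%s/-p", dir);
    struct stat st;
    int ok = (stat(path, &st) == 0) && S_ISDIR(st.st_mode);
    rmdir(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    char cmd[256];
    /* Two constructed entry names: one that becomes an option, one that
     * carries a shell metacharacter. */
    const char *names[] = { "-p", "dir; id" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (build_mkdir_command(names[i], cmd, sizeof cmd) == 0)
            printf("shell would run: %s\n", cmd);
    }
    printf("mkdir(2) created \"-p\": %s\n",
           demo_safe_mkdir_dash_name() ? "yes" : "no");
    return 0;
}
```

Build with `cc -Wall -o unadf-demo unadf-demo.c && ./unadf-demo`. The first two lines of output show exactly what a shell would be handed for each name; the third shows that the same "-p" name is created without incident once mkdir(2) is used instead of system().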

