Bug#1053098: unadf 0.7.11a-5 calls system() with unsanitized input
Package: unadf
Version: 0.7.11a-5
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
Dear Maintainer,
See upstream ADFLib commit 8e973d7b8945 ("Fix unsafe extraction by using
mkdir() instead of shell command") [1].
'unadf' passes the directory names within an ADF to system()
unsanitized. In the most benign failure case, directory names beginning
with '-' are interpreted as options to mkdir, and unpacking the ADF
fails.
Please update unadf to the fixed upstream version.
[1] https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd
-- System Information:
Debian Release: 12.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-12-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages unadf depends on:
ii libc6 2.36-9+deb12u1
unadf recommends no packages.
unadf suggests no packages.
-- no debconf information
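As an added illustration, not ADFLib's or unadf's own code: the shell-command pattern the report describes next to a mkdir(2)-based replacement of the kind the upstream fix adopts. The names mkdir_p and demo_dash_name, the "mkdir -p" command string and the sample directory name are assumptions made here.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* The pattern the report describes: an archive-supplied name is pasted into a
   shell command line, so '-' prefixes, spaces and metacharacters reach the shell. */
int mkdir_via_shell_unsafe(const char *name)
{
    char cmd[PATH_MAX + 16];
    snprintf(cmd, sizeof cmd, "mkdir -p %s", name);   /* no quoting, no sanitizing */
    return system(cmd);
}

/* Replacement: create each component with mkdir(2). No shell is involved, so the
   name is only ever a filesystem path. Returns 0 on success, -1 with errno set. */
int mkdir_p(const char *path, mode_t mode)
{
    char buf[PATH_MAX];
    size_t len = strlen(path);
    struct stat st;
    if (len == 0 || len >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    memcpy(buf, path, len + 1);
    for (char *p = buf + 1; *p; p++) {
        if (*p != '/') continue;
        *p = '\0';                                   /* create the prefix so far */
        if (mkdir(buf, mode) != 0 && errno != EEXIST) return -1;
        *p = '/';
    }
    if (mkdir(buf, mode) != 0 && errno != EEXIST) return -1;
    if (stat(buf, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) { errno = ENOTDIR; return -1; }   /* existing non-directory */
    return 0;
}

/* Constructed directory name of the kind the report mentions (leading '-', plus a
   space and a ';'), created under a fresh temp dir. Returns 0 when it is a directory. */
int demo_dash_name(void)
{
    char tmpl[] = "/tmp/unadf-demo-XXXXXX", path[PATH_MAX];
    if (mkdtemp(tmpl) == NULL) return -1;
    snprintf(path, sizeof path, "%s/-foo/a b;c/sub", tmpl);
    return mkdir_p(path, 0755);
}
```

The unsafe variant is kept only for contrast and is never called; with mkdir_p the same name that would have been parsed as options to mkdir is created as an ordinary directory.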