Debian Bug report logs - #340842
unalz: buffer overflow when extracting archives


Package: unalz; Maintainer for unalz is Changwoo Ryu <cwryu@debian.org>; Source for unalz is src:unalz.

Reported by: metaur@telia.com

Date: Sat, 26 Nov 2005 10:48:02 UTC

Severity: grave

Tags: patch, security

Found in versions unalz/0.52-1, unalz/0.30

Fixed in versions unalz/0.30.1, 0.55-1

Done: "Steinar H. Gunderson" <sgunderson@bigfoot.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Yooseong Yang <yooseong@debian.org>:
Bug#340842; Package unalz.

Acknowledgement sent to metaur@telia.com:
New Bug report received and forwarded. Copy sent to Yooseong Yang <yooseong@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Ulf Harnhammar <metaur@telia.com>
To: submit@bugs.debian.org
Subject: unalz: buffer overflow when extracting archives
Date: Sat, 26 Nov 2005 11:38:07 +0100
Subject: unalz: buffer overflow when extracting archives
Package: unalz
Version: 0.52-1
Severity: grave
Justification: user security hole
Tags: security patch sarge etch sid

Hello,

I have found a buffer overflow security vulnerability in unalz. It
occurs when it extracts malicious ALZ archives.

I have attached the archives oflow333.alz (for sarge) and oflow1621.alz
(for testing and unstable), as well as the program alzgen.pl that
generated them and a patch that corrects this issue.

It is also possible to upgrade to the latest upstream version 0.53,
which also corrects it.

// Ulf Härnhammar, Debian Security Audit Project

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages unalz depends on:
ii  libc6                         2.3.5-8    GNU C Library: Shared libraries an
ii  libgcc1                       1:4.0.2-2  GCC support library
ii  libstdc++6                    4.0.2-2    The GNU Standard C++ Library v3

unalz recommends no packages.

-- no debconf information

[oflow333.alz (application/octet-stream, attachment)]
[oflow1621.alz (application/octet-stream, attachment)]
[alzgen.pl (text/x-perl, attachment)]
[unalz.oflow.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Yooseong Yang <yooseong@debian.org>:
Bug#340842; Package unalz.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Yooseong Yang <yooseong@debian.org>.

Message #10 received at 340842@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 340842@bugs.debian.org
Cc: metaur@telia.com
Subject: CVE assignment for unalz
Date: Wed, 30 Nov 2005 10:20:52 +0100
Hi,
this has been assigned CVE-2005-3862, please mention it in the changelog
when fixing it.

Cheers,
        Moritz



Bug marked as found in version 0.30. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Tags removed: etch, sarge, sid. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility.

Notification sent to metaur@telia.com:
Bug acknowledged by developer.

Message #19 received at 340842-done@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: 340842-done@bugs.debian.org
Subject: Re: unalz: buffer overflow when extracting archives
Date: Wed, 15 Mar 2006 00:37:19 -0800
Version: 0.30.1

This bug was fixed in a security upload to stable; marking as closed in that
version.

The changelog entry for this upload was:

 unalz (0.30.1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Fix buffer overflow in file name handling, discovered by Ulf Härnhammar
     (CVE-2005-3862)

The bug appears to still apply to the version of the package in unstable,
and is marked as such.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Information forwarded to debian-bugs-dist@lists.debian.org, Yooseong Yang <yooseong@debian.org>:
Bug#340842; Package unalz.

Acknowledgement sent to "Ulf Harnhammar" <metaur@operamail.com>:
Extra info received and forwarded to list. Copy sent to Yooseong Yang <yooseong@debian.org>.

Message #24 received at 340842@bugs.debian.org:

From: "Ulf Harnhammar" <metaur@operamail.com>
To: 340842@bugs.debian.org
Cc: vorlon@debian.org
Subject: Re: Bug#340842 acknowledged by developer (Re: unalz: buffer overflow when extracting archives)
Date: Wed, 15 Mar 2006 10:56:29 +0100
> This bug was fixed in a security upload to stable; marking as closed in that
> version.
> 
> The bug appears to still apply to the version of the package in unstable,
> and is marked as such.

The bug looks closed to me.

// Ulf






Bug reopened, originator not changed. Request was from "Ulf Harnhammar" <metaur@operamail.com> to control@bugs.debian.org.

Bug marked as fixed in version 0.30.1, send any further explanations to metaur@telia.com. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Yooseong Yang <yooseong@debian.org>:
Bug#340842; Package unalz.

Acknowledgement sent to "Ulf Harnhammar" <metaur@operamail.com>:
Extra info received and forwarded to list. Copy sent to Yooseong Yang <yooseong@debian.org>.

Message #33 received at 340842@bugs.debian.org:

From: "Ulf Harnhammar" <metaur@operamail.com>
To: "Ulf Harnhammar" <metaur@operamail.com>, 340842@bugs.debian.org
Cc: vorlon@debian.org
Subject: Re: Bug#340842 acknowledged by developer (Re: unalz: buffer overflow when extracting archives)
Date: Thu, 16 Mar 2006 18:44:49 +0100
> > The bug appears to still apply to the version of the package in unstable,
> > and is marked as such.
> 
> The bug looks closed to me.

It still looks closed (in all versions) to me. Are you sure that that is what you want, instead of - say - fixing it?

// Ulf






Information forwarded to debian-bugs-dist@lists.debian.org, Yooseong Yang <yooseong@debian.org>:
Bug#340842; Package unalz.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Yooseong Yang <yooseong@debian.org>.

Message #38 received at 340842@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Ulf Harnhammar <metaur@operamail.com>
Cc: 340842@bugs.debian.org
Subject: Re: Bug#340842 acknowledged by developer (Re: unalz: buffer overflow when extracting archives)
Date: Thu, 16 Mar 2006 10:35:33 -0800
On Thu, Mar 16, 2006 at 06:44:49PM +0100, Ulf Harnhammar wrote:
> > > The bug appears to still apply to the version of the package in unstable,
> > > and is marked as such.
> > 
> > The bug looks closed to me.

> It still looks closed (in all versions) to me. Are you sure that that is
> what you want, instead of - say - fixing it?

http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=unalz&dist=unstable

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Reply sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
You have taken responsibility.

Notification sent to metaur@telia.com:
Bug acknowledged by developer.

Message #43 received at 340842-done@bugs.debian.org:

From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
To: Steve Langasek <vorlon@debian.org>
Cc: Ulf Harnhammar <metaur@operamail.com>, 340842-done@bugs.debian.org
Subject: Re: Bug#340842 acknowledged by developer (Re: unalz: buffer overflow when extracting archives)
Date: Sat, 17 Jun 2006 11:43:39 +0200
Version: 0.55-1

On Thu, Mar 16, 2006 at 10:35:33AM -0800, Steve Langasek wrote:
>> It still looks closed (in all versions) to me. Are you sure that that is
>> what you want, instead of - say - fixing it?
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=unalz&dist=unstable

This was fixed in a QA upload a while ago (0.55-1), since upstream 0.53 fixed
it; the changelog missed it, though. I've verified that the code does indeed
contain the patch given in the patch log, so I'm marking it as closed.

/* Steinar */
-- 
Homepage: http://www.sesse.net/



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 09:09:15 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 23:41:45 2014; Machine Name: beach.debian.org
