Package: unace
Version: 1.2b-11
Usertags: afl

unace crashes when trying to test integrity of the attached file:

$ unace t crash
UNACE v1.2 public version
Segmentation fault

gdb says it's an integer overflow, followed by buffer overflow:

(gdb) bt
#0 __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:116
#1 0x0000000000401558 in read_header (print_err=0) at unace.c:171
#2 0x00000000004017b7 in read_arc_head () at unace.c:222
#3 0x0000000000401943 in open_archive (print_err=1) at unace.c:254
#4 0x000000000040258f in main (argc=3, argv=0x7fffffffe6d8) at unace.c:604
(gdb) up
#1 0x0000000000401558 in read_header (print_err=0) at unace.c:171
171 memcpy(mhead.AV, tp, rd-(USHORT)(tp-readbuf));
(gdb) print rd-(USHORT)(tp-readbuf)
$1 = -27

This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages unace depends on:
ii libc6 2.19-13
--
Jakub Wilk
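
The length arithmetic from frame #1 of the report above, as an added C example (not unace's source and not the patch that fixed the bug): the first two functions show how a negative int becomes a huge memcpy() size, and copy_tail_checked() is a hypothetical hardened form. The buffer sizes and the inputs 4 and 31 are constructed so that the expression yields the -27 seen in gdb.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef unsigned short USHORT;   /* same cast as in the gdb frame */

/* Length expression from unace.c:171 as quoted in the backtrace. The result
 * is an int and goes negative once the parser has consumed more bytes
 * than were actually read. */
int av_len_unchecked(int rd, size_t consumed)
{
    return rd - (USHORT)consumed;
}

/* What memcpy() receives: the negative int is converted to size_t. */
size_t as_memcpy_size(int len)
{
    return (size_t)len;
}

/* Hypothetical hardened copy: validate before any length reaches memcpy().
 * Returns the number of bytes copied, or -1 if the header is shorter than
 * the parser assumed or the trailing field does not fit the destination. */
int copy_tail_checked(unsigned char *dst, size_t dst_size,
                      const unsigned char *readbuf, size_t rd, size_t consumed)
{
    if (consumed > rd)               /* header smaller than expected */
        return -1;
    size_t remaining = rd - consumed;
    if (remaining > dst_size)        /* would overflow the destination */
        return -1;
    memcpy(dst, readbuf + consumed, remaining);
    return (int)remaining;
}

/* Constructed inputs: 4 bytes read, parser already 31 bytes into the buffer. */
int demo(void)
{
    unsigned char readbuf[64] = {0}, av[16];
    int bad = av_len_unchecked(4, 31);
    if (bad != -27 || as_memcpy_size(bad) != SIZE_MAX - 26) return 1;
    if (copy_tail_checked(av, sizeof av, readbuf, 4, 31) != -1) return 2;
    if (copy_tail_checked(av, sizeof av, readbuf, 40, 31) != 9) return 3;
    if (copy_tail_checked(av, sizeof av, readbuf, 64, 31) != -1) return 4;
    return 0;
}

int main(void) { return demo(); }
```
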
Marked as found in versions unace/1.2b-10.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 09 Jan 2015 22:09:09 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Guillem Jover <guillem@debian.org>: Bug#775003; Package unace.
(Tue, 24 Feb 2015 05:33:04 GMT).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Guillem Jover <guillem@debian.org>.
(Tue, 24 Feb 2015 05:33:05 GMT).
Control: retitle -1 unace: CVE-2015-2063: buffer overflow
Hi,
On Fri, Jan 09, 2015 at 10:59:54PM +0100, Jakub Wilk wrote:
> Package: unace
> Version: 1.2b-11
> Usertags: afl
>
> unace crashes when trying to test integrity of the attached file:
>
> $ unace t crash
> UNACE v1.2 public version
> Segmentation fault
>
>
> gdb says it's an integer overflow, followed by buffer overflow:
CVE-2015-2063 has been assigned for this issue.
Regards,
Salvatore
Changed Bug title to 'unace: CVE-2015-2063: buffer overflow' from 'unace: buffer overflow'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 775003-submit@bugs.debian.org.
(Tue, 24 Feb 2015 05:33:05 GMT).
Reply sent
to Guillem Jover <guillem@debian.org>:
You have taken responsibility.
(Tue, 24 Feb 2015 11:21:09 GMT).
Notification sent
to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer.
(Tue, 24 Feb 2015 11:21:09 GMT).
Source: unace
Source-Version: 1.2b-12
We believe that the bug you reported is fixed in the latest version of
unace, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 775003@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated unace package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 24 Feb 2015 10:47:45 +0100
Source: unace
Binary: unace
Architecture: source
Version: 1.2b-12
Distribution: unstable
Urgency: high
Maintainer: Guillem Jover <guillem@debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description:
unace - extract, test and view .ace archives
Closes: 775003
Changes:
unace (1.2b-12) unstable; urgency=high
.
* Fix buffer overflow when reading ace files with file headers smaller
than expected. Fixes CVE-2015-2063. (Closes: #775003)
Checksums-Sha1:
7ce5606eb4b3d618605f7c233a01ce423418ad88 1734 unace_1.2b-12.dsc
c13e08ae17fcff28ce65051b8e048501aca3d4f8 7972 unace_1.2b-12.debian.tar.xz
Checksums-Sha256:
a2313fe1d5d37e4e3c44305c64194fee23e5f24602277bad4dd9cc61986160ae 1734 unace_1.2b-12.dsc
dc662bfccd1a056ae95d4a9f9f74aff9d815efe9981a621b95900db38ef3749b 7972 unace_1.2b-12.debian.tar.xz
Files:
160267e4534cdb5f717f236b09be3339 1734 utils optional unace_1.2b-12.dsc
f4f1c590183cf37d083d6159b2e520c9 7972 utils optional unace_1.2b-12.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
Message sent on
to Jakub Wilk <jwilk@debian.org>:
Bug#775003.
(Tue, 24 Feb 2015 11:45:09 GMT).
Control: tag 775003 pending
Hi!
Bug #775003 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
http://git.hadrons.org/?p=debian/pkgs/unace.git;a=commitdiff;h=319446f
---
commit 319446fe677a0d1c2a13f5fa13a6a4e7c533efac
Author: Guillem Jover <guillem@debian.org>
Date: Tue Feb 24 10:41:03 2015 +0100
Fix buffer overflow when reading file headers smaller than expected
The header parser was not checking if it had read the needed data when
parsing the header from memory.
Fixes: CVE-2015-2063
Closes: #775003
diff --git a/debian/changelog b/debian/changelog
index 3f0c0da..ef6a920 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+unace (1.2b-12) UNRELEASED; urgency=low
+
+ * Fix buffer overflow when reading ace files with file headers smaller
+ than expected. Fixes CVE-2015-2063. (Closes: #775003)
+
+ -- Guillem Jover <guillem@debian.org> Tue, 24 Feb 2015 10:38:41 +0100
+
unace (1.2b-11) unstable; urgency=medium
* Now using Standards-Version 3.9.5 (no changes needed).
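Review bot: the new entry at the top of debian/changelog is marked urgency=low although it records a fix for CVE-2015-2063; for a security fix the urgency should be raised (for example urgency=high) when the distribution is changed from UNRELEASED, so the upload is not held back during migration. Only the changelog hunk is visible in this excerpt, so the added check in the header parser itself cannot be reviewed here.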
Added tag(s) pending.
Request was from Guillem Jover <guillem@debian.org>
to 775003-submitter@bugs.debian.org.
(Tue, 24 Feb 2015 11:45:09 GMT).
Marked as found in versions unace/1.2b-7.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 02 Mar 2015 20:42:04 GMT).
Reply sent
to Thorsten Alteholz <debian@alteholz.de>:
You have taken responsibility.
(Tue, 03 Mar 2015 18:51:12 GMT).
Notification sent
to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer.
(Tue, 03 Mar 2015 18:51:12 GMT).
Source: unace
Source-Version: 1.2b-7+deb6u1
We believe that the bug you reported is fixed in the latest version of
unace, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 775003@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated unace package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 03 Mar 2015 19:03:02 +0100
Source: unace
Binary: unace
Architecture: source i386
Version: 1.2b-7+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Guillem Jover <guillem@debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description:
unace - extract, test and view .ace archives
Closes: 775003
Changes:
unace (1.2b-7+deb6u1) squeeze-lts; urgency=high
.
* Non-maintainer upload by the Squeeze LTS Team.
* Add 006_security-afl.patch patch.
CVE-2015-2063: Buffer overflow when reading bogus file headers
The header parser was not checking if it had read the needed data when
parsing the header from memory. (Closes: #775003)
* Add 005_format-security.patch
Fix format-security build failures.
Checksums-Sha1:
4330f42549a4f02835d47be52f84a88014570b8f 1833 unace_1.2b-7+deb6u1.dsc
54781d630644a68bb3d9338fa6a018b2d4553efb 27561 unace_1.2b.orig.tar.gz
36759633e7d3a6a4cd2f4bfed2740c9d550c6e0a 7816 unace_1.2b-7+deb6u1.diff.gz
3f7f723e5509142236079c7f075b11f7f16da4f3 16852 unace_1.2b-7+deb6u1_i386.deb
Checksums-Sha256:
1a09b9cbaf52efbe5b32ff6cc2bb0de2bbecc2655901e89ab69e6c6abd1b21e5 1833 unace_1.2b-7+deb6u1.dsc
a5f3b7d0994b2c6aa3b95ac1196ee18605d8dbd0660f978f8d64b8583fb55490 27561 unace_1.2b.orig.tar.gz
52210a697190574ada3b2b8011db38f8202c60374c0075af437f7b763c003b3f 7816 unace_1.2b-7+deb6u1.diff.gz
f14986a765754dd0120d1540f2e182a51d5c97feccc9ae3b553768c93198f63f 16852 unace_1.2b-7+deb6u1_i386.deb
Files:
311fa77ef6dd29bbc44280b049578869 1833 utils optional unace_1.2b-7+deb6u1.dsc
51360df61997db28787b60ea7321d83f 27561 utils optional unace_1.2b.orig.tar.gz
78a2ac6f851826ad37c1898443938ec8 7816 utils optional unace_1.2b-7+deb6u1.diff.gz
3821c9e136bd129e0ee162153869266f 16852 utils optional unace_1.2b-7+deb6u1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Fri, 06 Mar 2015 19:21:10 GMT).
Notification sent
to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer.
(Fri, 06 Mar 2015 19:21:10 GMT).
Subject: Bug#775003: fixed in unace 1.2b-10+deb7u1
Date: Fri, 06 Mar 2015 19:17:05 +0000
Source: unace
Source-Version: 1.2b-10+deb7u1
We believe that the bug you reported is fixed in the latest version of
unace, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 775003@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated unace package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 24 Feb 2015 17:41:44 +0100
Source: unace
Binary: unace
Architecture: source amd64
Version: 1.2b-10+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Guillem Jover <guillem@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
unace - extract, test and view .ace archives
Closes: 775003
Changes:
unace (1.2b-10+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add 006_security-afl.patch patch.
CVE-2015-2063: Buffer overflow when reading bogus file headers
The header parser was not checking if it had read the needed data when
parsing the header from memory. (Closes: #775003)
Checksums-Sha1:
d4a28e1fe16469e29b97e14ea00c8183876dc43d 1757 unace_1.2b-10+deb7u1.dsc
54781d630644a68bb3d9338fa6a018b2d4553efb 27561 unace_1.2b.orig.tar.gz
348674d9c549751e31a45da8b802d825d72a2b5c 8551 unace_1.2b-10+deb7u1.debian.tar.gz
61828dedb70b0a814a2f8d19e9266346348427ec 19954 unace_1.2b-10+deb7u1_amd64.deb
Checksums-Sha256:
591b0604111b5e71d4671b9bd88001d17406f1140c59e045460cf8c5538bc2b4 1757 unace_1.2b-10+deb7u1.dsc
a5f3b7d0994b2c6aa3b95ac1196ee18605d8dbd0660f978f8d64b8583fb55490 27561 unace_1.2b.orig.tar.gz
f01ee6db9fcbd8889070967bc5ab8fd3d527e8d1ae7c39668d643d43ceed1de9 8551 unace_1.2b-10+deb7u1.debian.tar.gz
31984f0b9bf2da8dbba0e45d04baa0256e113a0c2918b1345b330942fd3128d9 19954 unace_1.2b-10+deb7u1_amd64.deb
Files:
436546b94338df370478557d8c8483d9 1757 utils optional unace_1.2b-10+deb7u1.dsc
51360df61997db28787b60ea7321d83f 27561 utils optional unace_1.2b.orig.tar.gz
cb39b954491b0b84915f52a0688f9fcf 8551 utils optional unace_1.2b-10+deb7u1.debian.tar.gz
386bd063199f1d5ec907c47babfc5768 19954 utils optional unace_1.2b-10+deb7u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 04 Apr 2015 07:25:09 GMT).