Bug#: 81958
Status: ASSIGNED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>

Filename Description Type Creator Created Size Actions
unace-info.zip unace-info.zip application/octet-stream solar 2005-02-19 18:33 0000 2.60 KB Details

Bug 81958 depends on: 214216 Show dependency tree
Bug 81958 blocks:

Description:   Opened: 2005-02-13 22:11 0000
// Ulf Harnhammar for the Debian Security Audit Project reports to Vendor-Sec:

I have found multiple security vulnerabilities in unace-1.2b
(the last free version).

There are buffer overflows when extracting, testing or
listing specially prepared ACE archives.

There are directory traversal bugs when extracting ACE
archives.

There are also buffer overflows when dealing with long (>17000
characters) command line arguments.

I have attached a ZIP archive containing some test archives
and a patch.

I hope that we can coordinate our respective releases of unace.

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-02-14 03:15:58 0000 -------
CVE ids assigned:

CAN-2005-0160 for the buffer overflows.
CAN-2005-0161 for the directory traversal problem.

------- Comment #2 From Thierry Carrez (RETIRED) 2005-02-15 11:14:40 0000 -------
There is no metadata.xml so we probably should patch it ourselves. Is 1.2b the
only affected version?

------- Comment #3 From solar 2005-02-15 11:37:49 0000 -------
There are exactly two unace ebuilds in portage: 1.2b (last free version with
source code) and 2.2, which is binary only with no source code
(no idea if it's vuln or not); it needs to be tested with the demo file.

I do not know why we favor the 2.x binary-only package to be stable over the
last source code version. But seeing as we have an opensource solution in the
tree I'm willing to patch it nonetheless.
unace was first added to gentoo on Oct 28 2002 from bug #9818.

s390 can run static ET_EXEC files built on x86?

------- Comment #4 From SpanKY 2005-02-19 14:55:57 0000 -------
well, if debian has done auditing, does that mean they've developed a patch too?

------- Comment #5 From solar 2005-02-19 18:33:54 0000 -------
Created an attachment (id=51628) [details]
unace-info.zip

Sorry. Here is his "attached a ZIP archive containing some test archives
and a patch."

------- Comment #6 From Luke Macken (RETIRED) 2005-02-23 05:12:13 0000 -------
This issue is now public.

------- Comment #7 From Luke Macken (RETIRED) 2005-02-23 05:12:22 0000 -------
*** Bug 83057 has been marked as a duplicate of this bug. ***

------- Comment #8 From Matthias Geerdsen 2005-02-23 13:01:01 0000 -------
any comments on the patch?

if it's sufficient, we should probably apply it

couldn't find a bug/patch from debian et al. yet

------- Comment #9 From solar 2005-02-26 06:06:09 0000 -------
Ok so here is what I know.
With the patched unace all the tests are fine.
With the non-opensource 2.2, /opt/bin/unace l bufoflow1.ace attempts to exec a null ptr.

options (t l v) with 2.2

PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
PAX: terminating task: /opt/bin/unace(unace):24855, uid/euid: 2600/2600, PC: 55555555, SP: 5eec8214
PAX: bytes at PC: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /opt/bin/unace[unace:24855] uid/euid:2600/2600 gid/egid:2600/2600, parent /bin/bash[bash:15504] uid/euid:2600/2600 gid/egid:2600/2600

unace-1.2b-r1.ebuild in the tree and marked stable for x86.
2.2 remains. Should I p.mask 2.2? I vote for yes. Or even removal of it.

------- Comment #10 From Matthias Geerdsen 2005-02-27 06:45:26 0000 -------
Looks like this is ready for GLSA then I guess.

solar: I agree, we should mask 2.2 if it is still not 100% fixed, besides that there doesn't seem to be a maintainer anyways.

In case of masking 2.2, maybe the GLSA should then mention it.

------- Comment #11 From solar 2005-02-27 08:16:52 0000 -------
Arch leads. Please read over this and vote on removal/masking of the binary
only 2.2.

ARCH s390
I have no idea why you have an x86 32-bit binary marked stable on a 31-bit arch.
Can you really do that?

The 1.2b is OpenSource

------- Comment #12 From solar 2005-02-28 07:38:35 0000 -------
From amd64.

  28 Feb 2005; Alex Howells <astinus@gentoo.org> unace-1.2b-r1.ebuild:
  Tested and marked stable on AMD64, reference bug 81958

s390 you no longer have any unace.

Removed 1.2b and 2.2 from the tree. Only thing remains is the patched 1.2b

------- Comment #13 From Sune Kloppenborg Jeppesen 2005-02-28 08:47:36 0000 -------
Thx everyone.

GLSA 200502-32

s390 please remember to mark stable.

------- Comment #14 From Jakub Moc (RETIRED) 2007-01-31 00:41:08 0000 -------
*unace-2.5 (30 Jan 2007)

  30 Jan 2007; Mike Frysinger <vapier@gentoo.org> +unace-2.5.ebuild:
  Version bump #102347 by Dick Marinus et al.

This is *still* vulnerable at least according to Secunia
(http://secunia.com/advisories/14359), behaves horribly on the attached test
archives (segfaults on bufoflow1.ace, reports broken header on
dirtraversal[12].ace) and generally no clue why it is in the tree again.

Reopen; someone please verify.

------- Comment #15 From Matt Drew 2007-04-03 16:35:15 0000 -------
/opt/bin/unace v bufoflow1.ace 

UNACE v2.5     Copyright by ACE Compression Software       Jun 18 2003 22:25:55

Warning: Authenticity verification of archive is broken.
 Archive too old or created with non-original program!
Warning: This is not a fully ACE compatible archive.
 Trying to decompress might fail.
processing archive /home/aetius/bufoflow1.ace                             
Warning: Authenticity verification of archive is broken.
 Archive too old or created with non-original program!
Warning: This is not a fully ACE compatible archive.
 Trying to decompress might fail.
Warning: Authenticity verification of archive is broken.
 Archive too old or created with non-original program!
Warning: This is not a fully ACE compatible archive.
 Trying to decompress might fail.
created on 0.0.1980 with ver 1.0 by                                       
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU                       
Segmentation fault

********************

warning: shared library handler failed to enable breakpoint
Failed to read a valid object file image from memory.
Core was generated by `/opt/bin/unace v bufoflow1.ace'.
Program terminated with signal 11, Segmentation fault.
#0  0x55555555 in ?? ()
(gdb) info registers
eax            0x0      0
ecx            0x0      0
edx            0x0      0
ebx            0xbf97c094       -1080573804
esp            0xbf97b2a0       0xbf97b2a0
ebp            0x55555555       0x55555555
esi            0xbf97c084       -1080573820
edi            0x3      3
eip            0x55555555       0x55555555
eflags         0x10282  [ SF IF RF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x0      0



Verified - EIP is clearly overwritten (along with EBP). Since it's binary and
doesn't appear to permit modification, there's nothing we can do with it except
mask it and remove it from the tree.
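
As an added example (not from this bug, unace, or any of the commenters), a small Python triage helper that correlates the PaX kernel log quoted in Comment #9 with the gdb register dump quoted in Comment #15: it parses both, extracts the faulting PC, and checks whether the pointer's bytes occur verbatim in the input the program was parsing, which is how one tells an input-controlled return-address overwrite (0x55555555 is b'UUUU', the padded author field) from a random memory fault. The register dump, log lines and archive bytes below are constructed samples modelled on the output quoted above, not the real core dump, log or bufoflow1.ace.

```python
import re

# Constructed samples modelled on the output quoted in this bug; they are
# not the real core dump, kernel log or archive.
GDB_REGISTERS = """\
eax            0x0      0
ebp            0x55555555       0x55555555
esp            0xbf97b2a0       0xbf97b2a0
eip            0x55555555       0x55555555
"""
PAX_LOG = """\
PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
PAX: terminating task: /opt/bin/unace(unace):24855, uid/euid: 2600/2600, PC: 55555555, SP: 5eec8214
"""
# Stand-in for the archive: a header with a 50-byte run of 'U' in the author field.
CRASHING_INPUT = b"\x00" * 16 + b"U" * 50 + b"\x00" * 8

def gdb_registers(dump):
    """Parse 'info registers' lines ('eip  0x55555555  0x55555555') into {name: int}."""
    regs = {}
    for line in dump.splitlines():
        m = re.match(r"^(\w+)\s+0x([0-9a-fA-F]+)", line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs

def pax_pc(log):
    """Return the faulting PC from a 'PAX: terminating task' line, or None."""
    m = re.search(r"PAX: terminating task:.*\bPC: ([0-9a-fA-F]+)", log)
    return int(m.group(1), 16) if m else None

def controlled_by_input(value, data, width=4):
    """True if the pointer's bytes occur verbatim in the parsed input.

    A code pointer built from bytes the program was reading (0x55555555 is
    b'UUUU') points to an input-controlled overwrite, not a random fault."""
    return value.to_bytes(width, "little") in data

def triage(dump, log, data):
    """Cross-check gdb and PaX and report which pointers the input controls."""
    regs = gdb_registers(dump)
    pc = pax_pc(log)
    findings = {}
    for name in ("eip", "ebp"):
        if name in regs and controlled_by_input(regs[name], data):
            findings[name] = regs[name]
    if pc is not None and controlled_by_input(pc, data):
        findings["pax_pc"] = pc
    return findings
```

Run against the real core dump and archive, a non-empty result for `eip` is the "EIP is clearly overwritten" verdict above in machine-checkable form; the same routine flags nothing for a crash whose saved return address holds an ordinary text-segment pointer.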

------- Comment #16 From Matt Drew 2007-04-03 16:57:59 0000 -------
forgot to cc maintainer. :\

------- Comment #17 From SpanKY 2007-04-04 02:43:34 0000 -------
there's really nothing we can do about the 2.x series except mask it ... it's a
binary-only release

------- Comment #18 From Raphael Marichez 2007-06-07 21:50:56 0000 -------
Vapier are you OK to p.mask unace-2.5? it doesn't seem to break anything
(rox-extra/archive needs app-arch/unace but there is still unace-1 available).

------- Comment #19 From SpanKY 2007-06-08 00:53:39 0000 -------
I don't know ... unace-1.x cannot handle the new ace archives out there, only
unace-2.x can

in other words, I'd package mask the whole thing before forcing users to
downgrade to a useless version

------- Comment #20 From Robert Buchholz 2008-01-04 22:03:31 0000 -------
CVE-2007-6563 probably affects this:
  Heap-based buffer overflow in WinAce 2.65 and earlier, and possibly
  other versions before 2.69, allows user-assisted remote attackers to
  execute arbitrary code via a long filename in a compressed UUE archive.

------- Comment #21 From Robert Buchholz 2008-03-22 03:11:32 0000 -------
There's a new security issue in 2.5, the debian changelog lists a patch:

   * debian/patches/11-possibly-critical.dpatch:
     + Fixes a possible security issue by initialising a local variable.


Please note bug 214216 which might help resolve our situation.

------- Comment #22 From SpanKY 2008-03-29 20:52:36 0000 -------
unace-2.5-r1 is in the tree with the Debian patchset ... but unace-2.5 was
never in stable, so there really wasn't anything there for security to review

are there any pending issues for unace-1.2b-r1 ?  if not, lets close this bug

------- Comment #23 From Pierre-Yves Rofes 2009-03-29 18:51:25 0000 -------
mmh, I'm not sure what we should do here. I tested unace-2.5-r1 with the .zip
attached, no segfault or anything. We could fix the xml to add 2.5-r1 as
unaffected, but before that we would need to stable it... security, any
opinions?

------- Comment #24 From Andrew Savchenko 2009-11-26 12:33:27 0000 -------
It is rather annoying to have bogus GLSA. As far as I understand 2.5-r1 is not
affected by this bug, please fix xml.
