| Field | Value |
|---|---|
| Summary | <app-arch/unace-2.5-r3 : buffer overflows and directory traversal |
| Product | Gentoo Security |
| Reporter | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | major |
| CC | andreas.thalhammer, base-system, bircoph, formula7 |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | All |
| Whiteboard | A2 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 214216 |
| Bug Blocks | |
| Attachments | |
Description
Sune Kloppenborg Jeppesen (RETIRED)
CVE ids assigned: CAN-2005-0160 for the buffer overflows. CAN-2005-0161 for the directory traversal problem.

There is no metadata.xml so we probably should patch it ourselves. Is 1.2b the only affected version?

There are exactly two unace ebuilds in portage. 1.2b (last free version with source code) and the 2.2 that's a binary only with no source code (no idea if it's vuln or not) needs to be tested with demo file. I do not know why we favor the 2.x binary only package to be stable over the last source code version. But seeing as we have an opensource solution in the tree I'm willing to patch it nonetheless.

unace was first added to Gentoo on Oct 28 2002 from bug #9818

s390 can run static ET_EXEC files built on x86?

well, if debian has done auditing, does that mean they've developed a patch too?

Created attachment 51628 [details]
unace-info.zip

Sorry. Here is his "attached a ZIP archive containing some test archives and a patch."

This issue is now public.

*** Bug 83057 has been marked as a duplicate of this bug. ***

any comments on the patch? if it's sufficient, we should probably apply it

couldn't find a bug/patch from debian et al. yet

Ok so here is what I know. With the patched unace all the tests are fine. With the non opensource 2.2 /opt/bin/unace l bufoflow1.ace it attempts to exec a null ptr. options (t l v) with 2.2

```
PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
PAX: terminating task: /opt/bin/unace(unace):24855, uid/euid: 2600/2600, PC: 55555555, SP: 5eec8214
PAX: bytes at PC: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /opt/bin/unace[unace:24855] uid/euid:2600/2600 gid/egid:2600/2600, parent /bin/bash[bash:15504] uid/euid:2600/2600 gid/egid:2600/2600
```

unace-1.2b-r1.ebuild in the tree and marked stable for x86. 2.2 remains. Should I p.mask 2.2?

I vote for yes. Or even removal of it.

Looks like this is ready for GLSA then I guess.

solar: I agree, we should mask 2.2 if it is still not 100% fixed, besides that there doesn't seem to be a maintainer anyways. In case of masking 2.2, maybe the GLSA should then mention it.

Arch leads. Please read over this and vote on removal/masking of the binary only 2.2

ARCH s390 I have no idea why you have a x86-32 bit binary marked stable on a 31bit arch. Can you really do that? The 1.2b is OpenSource

From amd64. 28 Feb 2005; Alex Howells <astinus@gentoo.org> unace-1.2b-r1.ebuild: Tested and marked stable on AMD64, reference bug 81958

s390 you no longer have any unace. Removed 1.2b and 2.2 from the tree. Only thing remains is the patched 1.2b. Thx everyone.

GLSA 200502-32

s390 please remember to mark stable.

*unace-2.5 (30 Jan 2007) 30 Jan 2007; Mike Frysinger <vapier@gentoo.org> +unace-2.5.ebuild: Version bump #102347 by Dick Marinus et al.
This is *still* vulnerable at least according to Secunia (http://secunia.com/advisories/14359), behaves horribly on the attached test archives (segfaults on bufoflow1.ace, reports broken header on dirtraversal[12].ace) and generally no clue why is it in the tree again. Reopen; someone please verify.

```
/opt/bin/unace v bufoflow1.ace

UNACE v2.5 Copyright by ACE Compression Software Jun 18 2003 22:25:55
Warning: Authenticity verification of archive is broken. Archive too old or created with non-original program!
Warning: This is not a fully ACE compatible archive. Trying to decompress might fail.
processing archive /home/aetius/bufoflow1.ace
Warning: Authenticity verification of archive is broken. Archive too old or created with non-original program!
Warning: This is not a fully ACE compatible archive. Trying to decompress might fail.
Warning: Authenticity verification of archive is broken. Archive too old or created with non-original program!
Warning: This is not a fully ACE compatible archive. Trying to decompress might fail.
created on 0.0.1980 with ver 1.0 by UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Segmentation fault
********************
warning: shared library handler failed to enable breakpoint
Failed to read a valid object file image from memory.
Core was generated by `/opt/bin/unace v bufoflow1.ace'.
Program terminated with signal 11, Segmentation fault.
#0  0x55555555 in ?? ()
(gdb) info registers
eax            0x0        0
ecx            0x0        0
edx            0x0        0
ebx            0xbf97c094 -1080573804
esp            0xbf97b2a0 0xbf97b2a0
ebp            0x55555555 0x55555555
esi            0xbf97c084 -1080573820
edi            0x3        3
eip            0x55555555 0x55555555
eflags         0x10282    [ SF IF RF ]
cs             0x73       115
ss             0x7b       123
ds             0x7b       123
es             0x7b       123
fs             0x0        0
gs             0x0        0
```

Verified - EIP is clearly overwritten (along with EBP). Since it's binary and doesn't appear to permit modification, there's nothing we can do with it except mask it and remove it from the tree.

forgot to cc maintainer. :\

there's really nothing we can do about the 2.x series except mask it ... it's a binary-only release

Vapier are you OK to p.mask unace-2.5? it doesn't seem to break anything (rox-extra/archive needs app-arch/unace but there is still unace-1 available).

I don't know ... unace-1.x cannot handle the new ace archives out there, only unace-2.x can. In other words, I'd package mask the whole thing before forcing users to downgrade to a useless version

CVE-2007-6563 probably affects this: Heap-based buffer overflow in WinAce 2.65 and earlier, and possibly other versions before 2.69, allows user-assisted remote attackers to execute arbitrary code via a long filename in a compressed UUE archive.

There's a new security issue in 2.5, the debian changelog lists a patch:

```
* debian/patches/11-possibly-critical.dpatch:
  + Fixes a possible security issue by initialising a local variable.
```

Please note bug 214216 which might help resolve our situation.

unace-2.5-r1 is in the tree with the Debian patchset ... but unace-2.5 was never in stable, so there really wasn't anything there for security to review

are there any pending issues for unace-1.2b-r1? if not, let's close this bug

mmh, I'm not sure what we should do here. I tested unace-2.5-r1 with the .zip attached, no segfault or anything. We could fix the xml to add 2.5-r1 as unaffected, but before that we would need to stable it... security, any opinions?

It is rather annoying to have bogus GLSA. As far as I understand 2.5-r1 is not affected by this bug, please fix xml.

I've got app-arch/unace-2.5-r2 installed and "glsa-check --test all" still reports GLSA-200502-32 on my system. If unace-2.5-r1 was unaffected already (as suggested by comment #24), the glsa should be fixed accordingly. It doesn't sound very normal that a bug reported in 2005 should still be unfixed in 2013...

should stabilize unace-2.5-r3

arm stable

amd64 stable

Marked ppc/ppc64 stable.

Arch teams, please test and mark stable: =app-arch/unace-2.5-r3 Stable KEYWORDS : alpha amd64 arm hppa ppc ppc64 s390 x86

Stable for HPPA.

x86 stable

alpha stable

s390 stable

@maintainers: punt affected, timeout 30 days.

Maintainer timeout, cleanup

```
+ 25 Nov 2013; Sergey Popov <pinkbyte@gentoo.org> -unace-1.2b-r1.ebuild,
+ -unace-1.2b-r2.ebuild, -files/unace-1.2b-64bit.patch,
+ -files/unace-1.2b-64bit-fmt.patch,
+ -files/unace-1.2b-CAN-2005-0160-CAN-2005-0161.patch,
+ -files/unace-1.2b-aliasing.patch, -unace-2.5.ebuild, -unace-2.5-r1.ebuild,
+ -unace-2.5-r2.ebuild, -files/unace-2.5-endianness-detection.patch:
+ Security cleanup, wrt bug #81958
```

This issue was resolved and addressed in GLSA 200502-32 at http://security.gentoo.org/glsa/glsa-200502-32.xml by GLSA coordinator Sean Amoss (ackle).
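The two defect classes this bug tracks are a fixed-size buffer filled from an attacker-chosen length field (the run of 'U' bytes in the originator string of bufoflow1.ace is what left EIP and EBP at 0x55555555) and archive entry names that walk out of the extraction directory (dirtraversal[12].ace). The following is an added example written for this page, not unace's code and not the real ACE header layout: it parses a constructed mini-archive record (assumed layout: one length byte, origin bytes, one length byte, name bytes) and shows the checks a hardened extractor applies, with a `parse_sample` helper that builds constructed records from two C strings and can cut them short to simulate a truncated archive.

```c
/* Added example: hardened parser for a constructed mini-archive record.
 * Not unace's code; the record layout below is an assumption for illustration:
 *   u8 origin_len, origin bytes, u8 name_len, name bytes
 * A parser that trusts the length byte and copies into a fixed buffer is the
 * bug class behind CAN-2005-0160; one that extracts the name unchecked is the
 * class behind CAN-2005-0161. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ORIGIN_MAX 32    /* fixed-size destinations, as a naive parser would have */
#define NAME_MAX   128

typedef enum {
    PARSE_OK = 0,
    PARSE_TRUNCATED,    /* length byte promises more bytes than the input holds */
    PARSE_TOO_LONG,     /* field would not fit its destination buffer */
    PARSE_UNSAFE_PATH   /* entry name is absolute, drive-prefixed, or has ".." */
} parse_status;

typedef struct {
    char origin[ORIGIN_MAX];
    char name[NAME_MAX];
} entry_t;

/* Copy one length-prefixed field into dst, checking the length byte against
 * both the remaining input and the destination size. Returns bytes consumed,
 * or -1 with *st set to the reason. */
static long read_pstring(const uint8_t *in, size_t in_len,
                         char *dst, size_t dst_size, parse_status *st)
{
    if (in_len < 1) { *st = PARSE_TRUNCATED; return -1; }
    size_t n = in[0];
    if (n + 1 > in_len) { *st = PARSE_TRUNCATED; return -1; }
    if (n >= dst_size)  { *st = PARSE_TOO_LONG;  return -1; }  /* leave room for NUL */
    memcpy(dst, in + 1, n);
    dst[n] = '\0';
    return (long)(n + 1);
}

/* Reject names that could write outside the extraction directory: empty,
 * absolute with either separator, drive-prefixed, or containing a ".." segment.
 * Segments such as "..c" are ordinary names and pass. */
int path_is_safe(const char *name)
{
    if (name[0] == '\0' || name[0] == '/' || name[0] == '\\') return 0;
    if (name[1] == ':') return 0;
    const char *seg = name;
    for (;;) {
        size_t len = strcspn(seg, "/\\");
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        if (seg[len] == '\0') return 1;
        seg += len + 1;
    }
}

/* Parse one record; every failure is reported instead of silently copied. */
parse_status parse_entry(const uint8_t *buf, size_t len, entry_t *out)
{
    parse_status st = PARSE_OK;
    long used = read_pstring(buf, len, out->origin, sizeof out->origin, &st);
    if (used < 0) return st;
    buf += used;
    len -= (size_t)used;
    used = read_pstring(buf, len, out->name, sizeof out->name, &st);
    if (used < 0) return st;
    return path_is_safe(out->name) ? PARSE_OK : PARSE_UNSAFE_PATH;
}

/* Build a record from two C strings (constructed test input). If cut is
 * non-zero and shorter than the record, only `cut` bytes are handed to the
 * parser, simulating an archive that ends mid-field. */
parse_status parse_sample(const char *origin, const char *name, size_t cut)
{
    uint8_t rec[2 + 255 + 255];
    entry_t e;
    size_t ol = strlen(origin), nl = strlen(name);
    if (ol > 255 || nl > 255) return PARSE_TOO_LONG;
    rec[0] = (uint8_t)ol;
    memcpy(rec + 1, origin, ol);
    rec[1 + ol] = (uint8_t)nl;
    memcpy(rec + 2 + ol, name, nl);
    size_t n = 2 + ol + nl;
    if (cut && cut < n) n = cut;
    return parse_entry(rec, n, &e);
}

int main(void)
{
    static const char *names[] = { "OK", "TRUNCATED", "TOO_LONG", "UNSAFE_PATH" };
    /* a long run of 'U' (0x55), like the originator string in the crashing archive */
    const char *u50 = "UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU";
    printf("benign:     %s\n", names[parse_sample("ACE 1.0", "docs/readme.txt", 0)]);
    printf("long field: %s\n", names[parse_sample(u50, "a.txt", 0)]);
    printf("traversal:  %s\n", names[parse_sample("ACE 1.0", "../../escape.txt", 0)]);
    printf("truncated:  %s\n", names[parse_sample("ACE 1.0", "docs/readme.txt", 5)]);
    return 0;
}
```

The point of `read_pstring` is that the length byte is validated against two limits, the bytes actually left in the input and the size of the destination, before anything is copied; the over-long originator that crashes the 2.x binary is turned into a clean `PARSE_TOO_LONG` result. `path_is_safe` is deliberately conservative: any `..` segment is refused even when the overall path would still resolve inside the extraction directory, because the cost of rejecting an odd-but-legitimate entry is far lower than the cost of writing outside it.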