Summary: <app-arch/unace-2.5-r3 : buffer overflows and directory traversal
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: major
CC: andreas.thalhammer, base-system, bircoph, formula7
Package list:
Runtime testing required: ---
Bug Depends on: 214216
Description Sune Kloppenborg Jeppesen (RETIRED) 2005-02-13 22:11:52 UTC
// Ulf Harnhammar for the Debian Security Audit Project reports to Vendor-Sec:
I have found multiple security vulnerabilities in unace-1.2b (the last free version). There are buffer overflows when extracting, testing or listing specially prepared ACE archives. There are directory traversal bugs when extracting ACE archives. There are also buffer overflows when dealing with long (>17000 characters) command line arguments.
I have attached a ZIP archive containing some test archives and a patch. I hope that we can coordinate our respective releases of unace.
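Added example, not from this bug or from unace's source: a defensive filename-handling routine in C of the kind the two bug classes above call for in an extractor. It reads a constructed, length-prefixed name field, refuses to copy when the declared length exceeds the destination buffer or the bytes actually present (instead of overflowing a fixed-size buffer), and rejects absolute paths and `..` components before anything is written to disk. The header layout, the buffer size and the status codes are assumptions for illustration and are not the ACE format.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Assumed fixed-size name buffer, as a classic extractor would use on the stack. */
#define NAME_BUF_LEN 260

/* Status codes (assumed for this example). */
enum entry_status {
    ENTRY_OK = 0,
    ENTRY_TRUNCATED = 1,   /* header shorter than the declared field   */
    ENTRY_TOO_LONG = 2,    /* name does not fit the destination buffer */
    ENTRY_TRAVERSAL = 3,   /* a ".." path component                    */
    ENTRY_ABSOLUTE = 4     /* rooted or drive-letter path              */
};

/* Constructed sample headers: 2-byte little-endian name length, then name bytes. */
static const uint8_t SAMPLE_GOOD[]      = { 7, 0, 'd', 'o', 'c', '.', 't', 'x', 't' };
static const uint8_t SAMPLE_TRAVERSAL[] = { 10, 0, '.', '.', '/', 'o', 'u', 't', '.', 't', 'x', 't' };
static const uint8_t SAMPLE_OVERSIZED[] = { 0xFF, 0x7F, 'x' };   /* claims 32767 bytes, has 1 */
static const uint8_t SAMPLE_TRUNCATED[] = { 7 };                 /* not even a full length field */

/* Copy the name field into a bounded buffer. The declared length is checked
 * against both the bytes available in the header and the buffer size, so a
 * hostile length can neither over-read the header nor overflow the buffer. */
int read_entry_name(const uint8_t *hdr, size_t hdr_len, char *out, size_t out_len)
{
    if (hdr_len < 2)
        return ENTRY_TRUNCATED;
    uint16_t name_len = (uint16_t)(hdr[0] | (hdr[1] << 8));
    if ((size_t)name_len > hdr_len - 2)
        return ENTRY_TRUNCATED;
    if ((size_t)name_len >= out_len)          /* leave room for the terminator */
        return ENTRY_TOO_LONG;
    memcpy(out, hdr + 2, name_len);
    out[name_len] = '\0';
    return ENTRY_OK;
}

/* Reject names that would escape the extraction directory: absolute paths,
 * drive-letter paths, and any path component that is exactly "..". */
int check_entry_path(const char *name)
{
    if (name[0] == '/' || name[0] == '\\')
        return ENTRY_ABSOLUTE;
    if (strlen(name) >= 2 && name[1] == ':')
        return ENTRY_ABSOLUTE;
    const char *p = name;
    while (*p) {
        const char *end = p;
        while (*end && *end != '/' && *end != '\\')
            end++;
        if (end - p == 2 && p[0] == '.' && p[1] == '.')
            return ENTRY_TRAVERSAL;
        p = *end ? end + 1 : end;
    }
    return ENTRY_OK;
}

/* Full check an extractor would run on each header before creating a file. */
int validate_entry(const uint8_t *hdr, size_t hdr_len)
{
    char name[NAME_BUF_LEN];
    int rc = read_entry_name(hdr, hdr_len, name, sizeof name);
    if (rc != ENTRY_OK)
        return rc;
    return check_entry_path(name);
}

int main(void)
{
    printf("good:      %d\n", validate_entry(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("traversal: %d\n", validate_entry(SAMPLE_TRAVERSAL, sizeof SAMPLE_TRAVERSAL));
    printf("oversized: %d\n", validate_entry(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED));
    printf("truncated: %d\n", validate_entry(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The length check is done twice on purpose: once against the header bytes actually present (so a corrupt archive cannot make the extractor read past its input) and once against the destination buffer (so a long name cannot overwrite the stack). The path check rejects `..` only as a whole component, so a file named `..hidden` is still accepted.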
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) 2005-02-14 03:15:58 UTC
CVE ids assigned: CAN-2005-0160 for the buffer overflows. CAN-2005-0161 for the directory traversal problem.
Comment 2 Thierry Carrez (RETIRED) 2005-02-15 11:14:40 UTC
There is no metadata.xml so we probably should patch it ourselves. Is 1.2b the only affected version ?
Comment 3 solar (RETIRED) 2005-02-15 11:37:49 UTC
There are exactly two unace ebuilds in portage: 1.2b (last free version with source code) and the 2.2 that's binary-only with no source code (no idea if it's vuln or not; needs to be tested with the demo file). I do not know why we favor the 2.x binary-only package to be stable over the last source code version. But seeing as we have an open-source solution in the tree I'm willing to patch it nonetheless.
unace was first added to gentoo on Oct 28 2002 from bug #9818.
s390: can you really run static ET_EXEC files built on x86?
Comment 4 SpanKY 2005-02-19 14:55:57 UTC
well, if debian has done auditing, does that mean they've developed a patch too ?
Comment 5 solar (RETIRED) 2005-02-19 18:33:54 UTC
Created attachment 51628 [details] unace-info.zip Sorry. Here is his "attached a ZIP archive containing some test archives and a patch."
Comment 6 Luke Macken (RETIRED) 2005-02-23 05:12:13 UTC
This issue is now public.
Comment 7 Luke Macken (RETIRED) 2005-02-23 05:12:22 UTC
*** Bug 83057 has been marked as a duplicate of this bug. ***
Comment 8 Matthias Geerdsen (RETIRED) 2005-02-23 13:01:01 UTC
Any comments on the patch? If it's sufficient, we should probably apply it. Couldn't find a bug/patch from Debian et al. yet.
Comment 9 solar (RETIRED) 2005-02-26 06:06:09 UTC
Ok so here is what I know. With the patched unace all the tests are fine. With the non-open-source 2.2, "/opt/bin/unace l bufoflow1.ace" attempts to exec a null ptr. Options (t l v) with 2.2:
PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
PAX: terminating task: /opt/bin/unace(unace):24855, uid/euid: 2600/2600, PC: 55555555, SP: 5eec8214
PAX: bytes at PC: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /opt/bin/unace[unace:24855] uid/euid:2600/2600 gid/egid:2600/2600, parent /bin/bash[bash:15504] uid/euid:2600/2600 gid/egid:2600/2600
unace-1.2b-r1.ebuild is in the tree and marked stable for x86. 2.2 remains. Should I p.mask 2.2? I vote for yes. Or even removal of it.
Comment 10 Matthias Geerdsen (RETIRED) 2005-02-27 06:45:26 UTC
Looks like this is ready for GLSA then I guess. solar: I agree, we should mask 2.2 if it is still not 100% fixed; besides that there doesn't seem to be a maintainer anyways. In case of masking 2.2, maybe the GLSA should then mention it.
Comment 11 solar (RETIRED) 2005-02-27 08:16:52 UTC
Arch leads: please read over this and vote on removal/masking of the binary-only 2.2.
ARCH s390: I have no idea why you have an x86-32 bit binary marked stable on a 31-bit arch. Can you really do that? The 1.2b is open source.
Comment 12 solar (RETIRED) 2005-02-28 07:38:35 UTC
From amd64:
28 Feb 2005; Alex Howells <email@example.com> unace-1.2b-r1.ebuild: Tested and marked stable on AMD64, reference bug 81958
s390: you no longer have any unace. Removed 1.2b and 2.2 from the tree. Only thing that remains is the patched 1.2b.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) 2005-02-28 08:47:36 UTC
Thx everyone. GLSA 200502-32.
s390: please remember to mark stable.
Comment 14 Jakub Moc (RETIRED) 2007-01-31 00:41:08 UTC
*unace-2.5 (30 Jan 2007)
30 Jan 2007; Mike Frysinger <firstname.lastname@example.org> +unace-2.5.ebuild: Version bump #102347 by Dick Marinus et al.
This is *still* vulnerable at least according to Secunia (http://secunia.com/advisories/14359), behaves horribly on the attached test archives (segfaults on bufoflow1.ace, reports broken header on dirtraversal.ace) and generally no clue why it is in the tree again. Reopen; someone please verify.
Comment 15 Matt Drew (RETIRED) 2007-04-03 16:35:15 UTC
/opt/bin/unace v bufoflow1.ace
UNACE v2.5 Copyright by ACE Compression Software Jun 18 2003 22:25:55
Warning: Authenticity verification of archive is broken. Archive too old or created with non-original program!
Warning: This is not a fully ACE compatible archive. Trying to decompress might fail.
processing archive /home/aetius/bufoflow1.ace
Warning: Authenticity verification of archive is broken. Archive too old or created with non-original program!
Warning: This is not a fully ACE compatible archive. Trying to decompress might fail.
Warning: Authenticity verification of archive is broken. Archive too old or created with non-original program!
Warning: This is not a fully ACE compatible archive. Trying to decompress might fail.
created on 0.0.1980 with ver 1.0 by UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Segmentation fault
********************
warning: shared library handler failed to enable breakpoint
Failed to read a valid object file image from memory.
Core was generated by `/opt/bin/unace v bufoflow1.ace'.
Program terminated with signal 11, Segmentation fault.
#0 0x55555555 in ?? ()
(gdb) info registers
eax 0x0 0
ecx 0x0 0
edx 0x0 0
ebx 0xbf97c094 -1080573804
esp 0xbf97b2a0 0xbf97b2a0
ebp 0x55555555 0x55555555
esi 0xbf97c084 -1080573820
edi 0x3 3
eip 0x55555555 0x55555555
eflags 0x10282 [ SF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x0 0
Verified - EIP is clearly overwritten (along with EBP). Since it's binary and doesn't appear to permit modification, there's nothing we can do with it except mask it and remove it from the tree.
Comment 16 Matt Drew (RETIRED) 2007-04-03 16:57:59 UTC
forgot to cc maintainer. :\
Comment 17 SpanKY 2007-04-04 02:43:34 UTC
there's really nothing we can do about the 2.x series except mask it ... it's a binary-only release
Comment 18 Raphael Marichez (Falco) (RETIRED) 2007-06-07 21:50:56 UTC
Vapier are you OK to p.mask unace-2.5? it doesn't seem to break anything (rox-extra/archive needs app-arch/unace but there is still unace-1 available).
Comment 19 SpanKY 2007-06-08 00:53:39 UTC
I don't know ... unace-1.x cannot handle the new ace archives out there, only unace-2.x can. In other words, I'd package mask the whole thing before forcing users to downgrade to a useless version.
Comment 20 Robert Buchholz (RETIRED) 2008-01-04 22:03:31 UTC
CVE-2007-6563 probably affects this: Heap-based buffer overflow in WinAce 2.65 and earlier, and possibly other versions before 2.69, allows user-assisted remote attackers to execute arbitrary code via a long filename in a compressed UUE archive.
Comment 21 Robert Buchholz (RETIRED) 2008-03-22 03:11:32 UTC
There's a new security issue in 2.5, the debian changelog lists a patch:
* debian/patches/11-possibly-critical.dpatch:
+ Fixes a possible security issue by initialising a local variable.
Please note bug 214216 which might help resolve our situation.
Comment 22 SpanKY 2008-03-29 20:52:36 UTC
unace-2.5-r1 is in the tree with the Debian patchset ... but unace-2.5 was never in stable, so there really wasn't anything there for security to review. Are there any pending issues for unace-1.2b-r1? If not, let's close this bug.
Comment 23 Pierre-Yves Rofes (RETIRED) 2009-03-29 18:51:25 UTC
mmh, I'm not sure what we should do here. I tested unace-2.5-r1 with the .zip attached, no segfault or anything. We could fix the xml to add 2.5-r1 as unaffected, but before that we would need to stable it... security, any opinions?
Comment 24 Andrew Savchenko 2009-11-26 12:33:27 UTC
It is rather annoying to have bogus GLSA. As far as I understand 2.5-r1 is not affected by this bug, please fix xml.
Comment 25 Andreas Thalhammer 2013-02-01 18:26:21 UTC
I've got app-arch/unace-2.5-r2 installed and "glsa-check --test all" still reports GLSA-200502-32 on my system. If unace-2.5-r1 was unaffected already (as suggested by comment #24), the glsa should be fixed accordingly. It doesn't sound very normal that a bug reported in 2005 should still be unfixed in 2013...
Comment 26 SpanKY 2013-03-28 03:10:25 UTC
should stabilize unace-2.5-r3
Comment 27 Sergey Popov 2013-03-28 06:55:33 UTC
Comment 28 Sergey Popov 2013-03-28 07:18:43 UTC
Comment 29 Joe Jezak (RETIRED) 2013-03-28 13:33:30 UTC
Marked ppc/ppc64 stable.
Comment 30 Jeroen Roovers (RETIRED) 2013-03-28 15:39:18 UTC
Arch teams, please test and mark stable: =app-arch/unace-2.5-r3 Stable KEYWORDS : alpha amd64 arm hppa ppc ppc64 s390 x86
Comment 31 Jeroen Roovers (RETIRED) 2013-03-28 16:08:06 UTC
Stable for HPPA.
Comment 32 Jeff (JD) Horelick (RETIRED) 2013-03-31 15:45:11 UTC
Comment 33 Agostino Sarubbo 2013-04-01 19:51:44 UTC
Comment 34 Agostino Sarubbo 2013-04-02 13:22:46 UTC
Comment 35 Chris Reffett (RETIRED) 2013-10-05 01:29:58 UTC
@maintainers: punt affected, timeout 30 days.
Comment 36 Sergey Popov 2013-11-25 18:00:30 UTC
Maintainer timeout, cleanup
+ 25 Nov 2013; Sergey Popov <email@example.com> -unace-1.2b-r1.ebuild,
+ -unace-1.2b-r2.ebuild, -files/unace-1.2b-64bit.patch,
+ -files/unace-1.2b-64bit-fmt.patch,
+ -files/unace-1.2b-CAN-2005-0160-CAN-2005-0161.patch,
+ -files/unace-1.2b-aliasing.patch, -unace-2.5.ebuild, -unace-2.5-r1.ebuild,
+ -unace-2.5-r2.ebuild, -files/unace-2.5-endianness-detection.patch:
+ Security cleanup, wrt bug #81958
Comment 37 GLSAMaker/CVETool Bot 2014-05-19 01:13:16 UTC
This issue was resolved and addressed in GLSA 200502-32 at http://security.gentoo.org/glsa/glsa-200502-32.xml by GLSA coordinator Sean Amoss (ackle).