Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 81958 - <app-arch/unace-2.5-r3 : buffer overflows and directory traversal
Summary: <app-arch/unace-2.5-r3 : buffer overflows and directory traversal
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
: 83057 (view as bug list)
Depends on: 214216
Blocks:
  Show dependency tree
 
Reported: 2005-02-13 22:11 UTC by Sune Kloppenborg Jeppesen
Modified: 2014-05-19 01:13 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
unace-info.zip (unace-info.zip,2.60 KB, application/x-zip)
2005-02-19 18:33 UTC, solar (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2005-02-13 22:11:52 UTC
// Ulf Harnhammar for the Debian Security Audit Project reports to Vendor-Sec:

I have found multiple security vulnerabilities in unace-1.2b
(the last free version).

There are buffer overflows when extracting, testing or
listing specially prepared ACE archives.

There are directory traversal bugs when extracting ACE
archives.

There are also buffer overflows when dealing with long (>17000
characters) command line arguments.

I have attached a ZIP archive containing some test archives
and a patch.

I hope that we can coordinate our respective releases of unace.
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-02-14 03:15:58 UTC
CVE ids assigned:

CAN-2005-0160 for the buffer overflows.
CAN-2005-0161 for the directory traversal problem.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-02-15 11:14:40 UTC
There is no metadata.xml so we probably should patch it ourselves. Is 1.2b the only affected version ?
Comment 3 solar (RETIRED) gentoo-dev 2005-02-15 11:37:49 UTC
There are exactly two unace ebuilds in portage. 1.2b (last free version with 
source code) and the 2.2 thats a binary only with no source code 
(no idea if it's vuln or not) needs to be tested with demo file.

I do not know why we favor the 2.x binary only package to be stable over the 
last source code version. But seeing as we have an opensource solution in the 
tree I'm willing to patch it non the less.
unace was first added to gentoo on Oct 28 2002 from bug #9818

s390 can run static ET_EXEC files built on x86?
Comment 4 SpanKY gentoo-dev 2005-02-19 14:55:57 UTC
well, if debian has done auditing, does that mean they've developed a patch too ?  
Comment 5 solar (RETIRED) gentoo-dev 2005-02-19 18:33:54 UTC
Created attachment 51628 [details]
unace-info.zip

Sorry. Here is his "attached a ZIP archive containing some test archives
and a patch."
Comment 6 Luke Macken (RETIRED) gentoo-dev 2005-02-23 05:12:13 UTC
This issue is now public.
Comment 7 Luke Macken (RETIRED) gentoo-dev 2005-02-23 05:12:22 UTC
*** Bug 83057 has been marked as a duplicate of this bug. ***
Comment 8 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-23 13:01:01 UTC
any comments on the patch?

if it's sufficient, we should probably apply it

couldn't find a bug/patch from debian et al. yet
Comment 9 solar (RETIRED) gentoo-dev 2005-02-26 06:06:09 UTC
Ok so here is what I know.
With the patched unace all the the tests are fine. 
With the non opensource 2.2 /opt/bin/unace l bufoflow1.ace it attempts to exec a null ptr.

options (t l v) with 2.2

PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
PAX: terminating task: /opt/bin/unace(unace):24855, uid/euid: 2600/2600, PC: 55555555, SP: 5eec8214
PAX: bytes at PC: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /opt/bin/unace[unace:24855] uid/euid:2600/2600 gid/egid:2600/2600, parent /bin/bash[bash:15504] uid/euid:2600/2600 gid/egid:2600/2600

unace-1.2b-r1.ebuild in the tree and marked stable for x86.
2.2 remains. Should I p.mask 2.2? I vote for yes. Or even removal of it.
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-27 06:45:26 UTC
Looks like this is ready for GLSA then I guess.

solar: I agree, we should mask 2.2 if it is still not 100% fixed, besides that there doesn't seem to be a maintainter anyways.

In case of masking 2.2, maybe the GLSA should then mention it.
Comment 11 solar (RETIRED) gentoo-dev 2005-02-27 08:16:52 UTC
Arch leads. Please read over this and vote on removal/masking of the binary only 
2.2 

ARCH s390 
I have no idea why you have a x86-32 bit binary marked stable on a 31bit arch Can you really do that?

The 1.2b is OpenSource
Comment 12 solar (RETIRED) gentoo-dev 2005-02-28 07:38:35 UTC
From amd64.

  28 Feb 2005; Alex Howells <astinus@gentoo.org> unace-1.2b-r1.ebuild:
  Tested and marked stable on AMD64, reference bug 81958

s390 you no longer have any unace.

Removed 1.2b and 2.2 from the tree. Only thing remains is the patched 1.2b
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2005-02-28 08:47:36 UTC
Thx everyone.

GLSA 200502-32

s390 please remember to mark stable.
Comment 14 Jakub Moc (RETIRED) gentoo-dev 2007-01-31 00:41:08 UTC
*unace-2.5 (30 Jan 2007)

  30 Jan 2007; Mike Frysinger <vapier@gentoo.org> +unace-2.5.ebuild:
  Version bump #102347 by Dick Marinus et al.

This is *still* vulnerable at least according to Secunia (http://secunia.com/advisories/14359), behaves horribly on the attached test archives (segfaults on bufoflow1.ace, reports broken header on dirtraversal[12].ace) and generally no clue why is it in the tree again.

Reopen; someone please verify.
Comment 15 Matt Drew (RETIRED) gentoo-dev 2007-04-03 16:35:15 UTC
/opt/bin/unace v bufoflow1.ace 

UNACE v2.5     Copyright by ACE Compression Software       Jun 18 2003 22:25:55
                                                                          
Warning: Authenticity verification of archive is broken.
 Archive too old or created with non-original program!
Warning: This is not a fully ACE compatible archive.
 Trying to decompress might fail.
processing archive /home/aetius/bufoflow1.ace                             
Warning: Authenticity verification of archive is broken.
 Archive too old or created with non-original program!
Warning: This is not a fully ACE compatible archive.
 Trying to decompress might fail.
Warning: Authenticity verification of archive is broken.
 Archive too old or created with non-original program!
Warning: This is not a fully ACE compatible archive.
 Trying to decompress might fail.
created on 0.0.1980 with ver 1.0 by                                       
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU                        Segmentation fault

********************

warning: shared library handler failed to enable breakpoint
Failed to read a valid object file image from memory.
Core was generated by `/opt/bin/unace v bufoflow1.ace'.
Program terminated with signal 11, Segmentation fault.
#0  0x55555555 in ?? ()
(gdb) info registers
eax            0x0      0
ecx            0x0      0
edx            0x0      0
ebx            0xbf97c094       -1080573804
esp            0xbf97b2a0       0xbf97b2a0
ebp            0x55555555       0x55555555
esi            0xbf97c084       -1080573820
edi            0x3      3
eip            0x55555555       0x55555555
eflags         0x10282  [ SF IF RF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x0      0



Verified - EIP is clearly overwritten (along with EBP). Since it's binary and doesn't appear to permit modification, there's nothing we can do with it except mask it and remove it from the tree.
Comment 16 Matt Drew (RETIRED) gentoo-dev 2007-04-03 16:57:59 UTC
forgot to cc maintainer. :\
Comment 17 SpanKY gentoo-dev 2007-04-04 02:43:34 UTC
there's really nothing we can do about the 2.x series except mask it ... it's a binary-only release
Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-07 21:50:56 UTC
Vapier are you OK to p.mask unace-2.5? it doesn't seem to break anything (rox-extra/archive needs app-arch/unace but there is still unace-1 available).
Comment 19 SpanKY gentoo-dev 2007-06-08 00:53:39 UTC
i dont know ... unace-1.x cannot handle the new ace archives out there, only unace-2.x can

in other words, i'd package mask the whole thing before forcing users to downgrade to a useless version
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2008-01-04 22:03:31 UTC
CVE-2007-6563 probably affets this:
  Heap-based buffer overflow in WinAce 2.65 and earlier, and possibly
  other versions before 2.69, allows user-assisted remote attackers to
  execute arbitrary code via a long filename in a compressed UUE archive.
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2008-03-22 03:11:32 UTC
There's a new security issue in 2.5, the debian changelog lists a patch:

   * debian/patches/11-possibly-critical.dpatch:
     + Fixes a possible security issue by initialising a local variable.


Please note bug 214216 which might help resolve our situation.
Comment 22 SpanKY gentoo-dev 2008-03-29 20:52:36 UTC
unace-2.5-r1 is in the tree with the Debian patchset ... but unace-2.5 was never in stable, so there really wasnt anything there for security to review

are there any pending issues for unace-1.2b-r1 ?  if not, lets close this bug
Comment 23 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-29 18:51:25 UTC
mmh, I'm not sure what we should do here. I tested unace-2.5-r1 with the .zip attached, no segfault or anything. We could fix the xml to add 2.5-r1 as unaffected, but before that we would need to stable it... security, any opinions?
Comment 24 Andrew Savchenko gentoo-dev 2009-11-26 12:33:27 UTC
It is rather annoying to have bogus GLSA. As far as I understand 2.5-r1 is not affected by this bug, please fix xml.
Comment 25 Andreas Thalhammer 2013-02-01 18:26:21 UTC
I've got app-arch/unace-2.5-r2 installed and "glsa-check --test all" still reports GLSA-200502-32 on my system.
If unace-2.5-r1 was unaffected already (as suggested by comment #24), the glsa should be fixed accordingly.
It doesn't sound very normal that a bug reported in 2005 should still be unfixed in 2013...
Comment 26 SpanKY gentoo-dev 2013-03-28 03:10:25 UTC
should stabilize unace-2.5-r3
Comment 27 Sergey Popov gentoo-dev 2013-03-28 06:55:33 UTC
arm stable
Comment 28 Sergey Popov gentoo-dev 2013-03-28 07:18:43 UTC
amd64 stable
Comment 29 Joe Jezak (RETIRED) gentoo-dev 2013-03-28 13:33:30 UTC
Marked ppc/ppc64 stable.
Comment 30 Jeroen Roovers (RETIRED) gentoo-dev 2013-03-28 15:39:18 UTC
Arch teams, please test and mark stable:
=app-arch/unace-2.5-r3
Stable KEYWORDS : alpha amd64 arm hppa ppc ppc64 s390 x86
Comment 31 Jeroen Roovers (RETIRED) gentoo-dev 2013-03-28 16:08:06 UTC
Stable for HPPA.
Comment 32 Jeff (JD) Horelick (RETIRED) gentoo-dev 2013-03-31 15:45:11 UTC
x86 stable
Comment 33 Agostino Sarubbo gentoo-dev 2013-04-01 19:51:44 UTC
alpha stable
Comment 34 Agostino Sarubbo gentoo-dev 2013-04-02 13:22:46 UTC
s390 stable
Comment 35 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-05 01:29:58 UTC
@maintainers: punt affected, timeout 30 days.
Comment 36 Sergey Popov gentoo-dev 2013-11-25 18:00:30 UTC
Maintainer timeout, cleanup

+  25 Nov 2013; Sergey Popov <pinkbyte@gentoo.org> -unace-1.2b-r1.ebuild,
+  -unace-1.2b-r2.ebuild, -files/unace-1.2b-64bit.patch,
+  -files/unace-1.2b-64bit-fmt.patch,
+  -files/unace-1.2b-CAN-2005-0160-CAN-2005-0161.patch,
+  -files/unace-1.2b-aliasing.patch, -unace-2.5.ebuild, -unace-2.5-r1.ebuild,
+  -unace-2.5-r2.ebuild, -files/unace-2.5-endianness-detection.patch:
+  Security cleanup, wrt bug #81958
Comment 37 GLSAMaker/CVETool Bot gentoo-dev 2014-05-19 01:13:16 UTC
This issue was resolved and addressed in
 GLSA 200502-32 at http://security.gentoo.org/glsa/glsa-200502-32.xml
by GLSA coordinator Sean Amoss (ackle).