Bug 65793 (CVE-2005-0161) - VUL-0: CVE-2005-0161: unace: multiple security vulnerabilities
Summary: VUL-0: CVE-2005-0161: unace: multiple security vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2005-0161
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
Importance: P3 - Medium / Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2005-0161: CVSS v2 Base Score: 2....
Keywords:
Depends on:
Blocks:
 
Reported: 2005-02-14 16:54 UTC by Thomas Biege
Modified: 2021-11-02 16:08 UTC
CC: 3 users

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
unace-info.zip (2.60 KB, application/x-zip) - 2005-02-14 17:02 UTC, Thomas Biege
patchinfo-box.unace (698 bytes, text/plain) - 2005-02-14 22:47 UTC, Thomas Biege
patchinfo.unace (580 bytes, text/plain) - 2005-02-14 22:47 UTC, Thomas Biege
unace-1.2b-CAN-2005-0160-CAN-2005-0161.patch (4.48 KB, patch) - 2005-04-19 07:26 UTC, Ludwig Nussel

Description Thomas Biege 2005-02-14 16:54:13 UTC
Hello Klaus, 
the following reached us today. (not public) 
 
From: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se> 
To: mlemke@winace.com 
Cc: mlemke6413@aol.com, info@winace.com, support@winace.com, 
        vendor-sec@lst.de, naddy@mips.inka.de, wiz@netbsd.org 
User-Agent: Internet Messaging Program (IMP) 3.2.7 
Subject: [vendor-sec] unace-1.2b multiple security vulnerabilities 
Errors-To: vendor-sec-admin@lst.de 
Date: Mon, 14 Feb 2005 05:23:17 +0100 
 
[-- Attachment #1 --] 
[-- Type: text/plain, Encoding: quoted-printable, Size: 0.6K --] 
 
Hello, 
 
I have found multiple security vulnerabilities in unace-1.2b 
(the last free version). 
 
There are buffer overflows when extracting, testing or 
listing specially prepared ACE archives. 
 
There are directory traversal bugs when extracting ACE 
archives. 
 
There are also buffer overflows when dealing with long (>17000 
characters) command line arguments. 
 
I have attached a ZIP archive containing some test archives 
and a patch. 
 
I hope that we can coordinate our respective releases of unace. 
 
// Ulf Harnhammar for the Debian Security Audit Project 
   http://www.debian.org/security/audit/ 
 
 
[-- Attachment #2: unace-info.zip --]
Comment 1 Thomas Biege 2005-02-14 16:54:13 UTC
see attachment
Comment 2 Thomas Biege 2005-02-14 17:02:47 UTC
Created attachment 28455 [details]
unace-info.zip
Comment 3 Thomas Biege 2005-02-14 19:44:08 UTC
Use CAN-2005-0160 for the buffer overflows. 
use CAN-2005-0161 for the directory traversal problem. 
 
Comment 4 Thomas Biege 2005-02-14 22:34:07 UTC
 SM-Tracker-387 
Comment 5 Thomas Biege 2005-02-14 22:47:25 UTC
Created attachment 28465 [details]
patchinfo-box.unace
Comment 6 Thomas Biege 2005-02-14 22:47:44 UTC
Created attachment 28466 [details]
patchinfo.unace
Comment 7 Klaus Singvogel 2005-02-14 23:46:54 UTC
Thomas, thanks. But unace is a bit tricky regarding the patchinfo... 
 
We ship (static) binaries since 9.0 for i386 only, as they can also unpack the 
latest algorithm versions: 2.x. For all other architectures, we still ship 
version 1.2b (as we have sources for this version). 
 
Means we cannot patch unace for: 9.0-i386, 9.1-i386, SLES9-i386, 9.2-i386 
instead we have to wait for the release of upstream binaries. 
 
Now the real world: 
I already got from author the sources last November. But I'm unsure, if we are 
allowed to release them (topic still open with author) and if we can 
distribute them (several different contradicting licenses in the packages). 
Comment 8 Thomas Biege 2005-02-15 18:25:01 UTC
Uh, yes.. I remember the mess. :( 
 
Would you like to ask the author again to push him a little bit? :) 
Comment 9 Klaus Singvogel 2005-02-15 22:06:21 UTC
mlenke@winace.com is already in the original e-mail from vendor-sec... 
Comment 10 Thomas Biege 2005-02-16 18:20:14 UTC
From: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.s> 
To: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se> 
Cc: solar@gentoo.org, Martin Schulze <joey@infodrom.org>, 
mlemke@winace.com, 
        info@winace.com, support@winace.com, vendor-sec@lst.de, 
        naddy@mips.inka.de, wiz@netbsd.org 
Subject: Re: [vendor-sec] Re: unace-1.2b multiple security vulnerabilities 
User-Agent: Internet Messaging Program (IMP) 3.2.7 
Errors-To: vendor-sec-admin@lst.de 
Date: Tue, 15 Feb 2005 19:24:29 +0100 
 
Quoting Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>: 
 
> What about releasing this on the 22nd of February? 
 
Since no-one said why we shouldn't, I now decide that 22/2 will indeed be 
the release date. 
 
// Ulf 
 
Comment 11 Thomas Biege 2005-02-23 07:41:01 UTC
it's public now. 
 
[Full-Disclosure] unace-1.2b multiple buffer overflows and directory traversal bugs 
 
 
From: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se> 
To: full-disclosure@lists.netsys.com 
Date: Yesterday 23:59:35 
 
 
I have found multiple security vulnerabilities in unace-1.2b. (It is 
the last free version. The later versions are just binaries for the 
x86 processor, which is unhelpful if you want to use free software or 
if your computer has a non-x86 processor.) 
 
There are two buffer overflows when extracting, testing or listing 
specially prepared ACE archives. They are caused by wrong usage of 
strncpy() with the third parameter coming from the archive. In both 
cases, the attacker controls the EIP register. 
 
There are also two buffer overflows when (a) dealing with long (>15600 
characters) command line arguments for archive names, and (b) when 
preparing a string for printing Ready for next volume messages. 
 
Furthermore, there are directory traversal bugs when extracting ACE 
archives. They are both of the absolute ("/etc/nologin") and the relative 
("../../../../../../../etc/nologin") type. 
 
All buffer overflows have the identifier CAN-2005-0160, and the directory 
traversal bugs have the identifier CAN-2005-0161. 
 
I have attached a ZIP archive containing some test archives and a patch. 
I wrote a small Perl script to create the test archives, after having 
read ACE.txt. I didn't have the time to create archives that work on 
unace-2.x, so I haven't really tested whether later versions of unace 
are vulnerable to any of these bugs. 
 
The vendor and the distributors have been contacted, and the 22nd of 
February was agreed upon as the release date. 
 
// Ulf Härnhammar for the Debian Security Audit Project 
   http://www.debian.org/security/audit/ 
    Run this to get my new e-mail address: 
   lynx -source http://slashdot.org/ | head -n1 | sed -e 's%".*$%%' \ 
   -e 'y%TC!%aa#%' -e 's%UB%te%g' -e 'y%<ODP%#emr%' -e 's%E H.*r% %' \ 
   -e 's%#%%g' -e 's%$%com%' -e 's%aa*%ta%' -e 'y%IYL%iul%' 
 
unace.advisory-data.zip 
 
_______________________________________________ 
Full-Disclosure - We believe in it. 
Charter: http://lists.netsys.com/full-disclosure-charter.html 
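The two bug classes in the post above, a copy whose length is taken from the archive header and an extraction path that is used without a traversal check, shown as an added C illustration that is not part of this bug report, of Ulf's patch, or of unace's code. The record layout (a 2-byte little-endian name length followed by the name bytes), the function names and the buffer sizes are assumptions made for the example; the real ACE header format is not reproduced here. The unchecked copy is kept only for contrast and is never called.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pattern the advisory describes: the copy length is taken straight from the
 * archive header, so a header that claims a name longer than the destination
 * buffer writes past it. Shown for contrast only; nothing below calls it. */
void copy_name_unchecked(char *dst, const unsigned char *src, uint16_t hdr_len)
{
    strncpy(dst, (const char *)src, hdr_len);   /* hdr_len is never compared to the buffer size */
    dst[hdr_len] = '\0';
}

/* Hardened form: the claimed length is checked against the destination size
 * and oversized names are rejected rather than silently truncated.
 * Returns 0 on success, -1 if the name does not fit. */
int copy_name_checked(char *dst, size_t dst_size, const unsigned char *src, size_t hdr_len)
{
    if (dst_size == 0 || hdr_len >= dst_size)
        return -1;
    memcpy(dst, src, hdr_len);
    dst[hdr_len] = '\0';
    return 0;
}

/* Extraction-path policy for the traversal bugs: refuse absolute paths,
 * "C:"-style prefixes and any path component that is exactly "..".
 * Returns 1 if the name may be used as a relative path under the target
 * directory, 0 otherwise. */
int is_safe_extract_path(const char *name)
{
    if (name[0] == '\0' || name[0] == '/' || name[0] == '\\')
        return 0;
    if (name[1] == ':')
        return 0;
    const char *p = name;
    while (*p) {
        const char *end = p;
        while (*end && *end != '/' && *end != '\\')
            end++;
        if (end - p == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p = *end ? end + 1 : end;
    }
    return 1;
}

/* Constructed record layout (an assumption, not the real ACE header):
 * a 2-byte little-endian name length followed by the name bytes.
 * Returns 0 if the entry is safe to extract, -1 for a length that does not
 * fit the record or the destination, -2 for a traversal attempt. */
int check_entry(const unsigned char *rec, size_t rec_size, char *out, size_t out_size)
{
    if (rec_size < 2)
        return -1;
    size_t name_len = (size_t)rec[0] | ((size_t)rec[1] << 8);
    if (name_len > rec_size - 2)
        return -1;                       /* header claims more bytes than exist */
    if (copy_name_checked(out, out_size, rec + 2, name_len) != 0)
        return -1;
    if (!is_safe_extract_path(out))
        return -2;
    return 0;
}

/* Builds a record whose length field says claimed_len regardless of the real
 * name length, so the checks above can be exercised with lying headers.
 * Returns the record size, or 0 if it does not fit in buf. */
size_t build_entry(unsigned char *buf, size_t buf_size, uint16_t claimed_len, const char *name)
{
    size_t n = strlen(name);
    if (n + 2 > buf_size)
        return 0;
    buf[0] = (unsigned char)(claimed_len & 0xff);
    buf[1] = (unsigned char)(claimed_len >> 8);
    memcpy(buf + 2, name, n);
    return n + 2;
}

/* Wrapper used by main(): build a record for name with the given claimed
 * length and check it against an out_size-byte destination (at most 256). */
int classify(const char *name, uint16_t claimed_len, size_t out_size)
{
    unsigned char rec[512];
    char out[256];
    if (out_size > sizeof out)
        out_size = sizeof out;
    size_t n = build_entry(rec, sizeof rec, claimed_len, name);
    return n ? check_entry(rec, n, out, out_size) : -1;
}

int main(void)
{
    /* Constructed sample names mirroring the advisory's two traversal shapes. */
    const char *samples[] = { "docs/readme.txt", "/etc/nologin",
                              "../../../../../../../etc/nologin", "a/..b/c" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s -> %d\n", samples[i],
               classify(samples[i], (uint16_t)strlen(samples[i]), 256));
    printf("%-36s -> %d\n", "header claiming 65535 bytes", classify("x", 0xffff, 256));
    return 0;
}
```

The length check rejects a record before any copy happens, which is the property the later discussion in this bug turns on: an unpacker that refuses a malformed entry and exits with a status code is a nuisance, one that copies first and checks afterwards is a code-execution bug.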
Comment 12 Marcus Meissner 2005-03-14 14:20:28 UTC
klaus wants to wait until after 9.3 
Comment 13 Thomas Biege 2005-04-12 13:26:38 UTC
9.3 is done, right
Comment 14 Klaus Singvogel 2005-04-12 15:49:19 UTC
FIX BUGZILLA!!! 
I investigated for this bug for around an hour, wrote a long comment with 
several questions and so on. Finally all my detailed input got lost, because I 
had to re-login into bugzilla. 
 
I don't want to use bugzilla anymore, as long as this doesn't get solved. 
 
Solve this bug whoever wants to. Good bye. 
 
 
Comment 15 Ludwig Nussel 2005-04-15 12:52:02 UTC
Well, it could be worse, "good" old netscape lost all input when you just 
resized the window ... ;-) 
Comment 16 Klaus Singvogel 2005-04-18 17:48:39 UTC
Security-Team: where do I get patches for i386? 
We distribute a static link binary with more recent version since SuLi 9.0 
 
I looked at the web: seems that no other Linux distribution ever worked on 
this issue. No patch can be found. 
Comment 17 Ludwig Nussel 2005-04-19 07:26:10 UTC
Created attachment 34772 [details]
unace-1.2b-CAN-2005-0160-CAN-2005-0161.patch

Both debian and gentoo fixed it
http://www.gentoo.org/cgi-bin/viewcvs.cgi/app-arch/unace/files/
http://packages.debian.org/unstable/utils/unace
Comment 18 Klaus Singvogel 2005-04-19 07:34:44 UTC
Sorry, but I think we misunderstood each other. 
 
I'm talking about unace-2.x, you showed me fixes for unace-1.2x 
 
So, what should I do regarding unace-2.x 
Comment 19 Ludwig Nussel 2005-04-19 07:45:12 UTC
I thought you are in contact with the author about that one? If it's affected 
as well we need to update it too. If that's not possible we could maybe 
downgrade it to the free version. 
Comment 20 Klaus Singvogel 2005-04-19 08:46:37 UTC
Yes, I am in contact with author. But as you already know from the vendor-sec 
ML, author insists on fact that this is not an issue. 
 
I can reproduce one of the problems with unace-2.x. 
But: is opening a non-conforming (corrupt) archive really an issue? 
 
Downgrade to free unace-1.2x version means also a massive restriction in the 
program functionalities: unace-2.x can open archives packed with an algorithm 
which is unknown to unace-1.2x. Is this our intent? 
Comment 21 Ludwig Nussel 2005-04-19 09:00:09 UTC
If unace executes code due to a buffer overflow (is that the case? I don't 
know.) when extracting or listing a malicious file then yes it is an issue. If 
it just refuses to read it or crashes without overflow then it's not an issue. 
 
It's better to have no unace on the distro at all than an unace with a 
overflow that allows for code execution. 
Comment 22 Marcus Meissner 2005-04-19 16:24:27 UTC
the problem is, that if this might be used in automated ways, like 
by virus checkers. note that the virus writers changed from zip to rar  
and might just change to the next obscure compression format. 
 
judging from the patch it is a stack buffer overflow and probably easy 
exploitable. 
 
So far I would be happy if you could provide a fix for the earlier versions. 
Comment 23 Klaus Singvogel 2005-04-19 17:04:15 UTC
Marcus, please read comment#16 (regarding versions) and then answer my 2nd 
question in comment#20. TIA. 
Comment 24 Thomas Biege 2005-04-22 08:03:53 UTC
There seems to be more at sixes and sevens with unace 2 judging from a quick look.

I think we should provide unace 1 + fixes for our customers and tell them that
they should use the 1-version if they need security and the 2-version if they
need the new features. Let the customer decide...



Comment 25 Marcus Meissner 2005-04-22 08:06:11 UTC
klaus? 
 
can you do that, pack both unace2 and unace ... with unace fixed? 
Comment 26 Klaus Singvogel 2005-04-26 19:26:59 UTC
yes, working on it. but, please give me some time. 
Comment 27 Klaus Singvogel 2005-04-27 18:49:57 UTC
So far, I can say that unace-2.x is not affected with the included sample 
files. The problem in the files bufoflow?.ace is correctly detected and 
unace-2.x complains about the problem (illegal content) without further 
processing. The dirtraversal?.ace files fail the CRC check and 
therefore are not processed either. 
 
This is the good news. The bad news is, that it might be possible to generate 
dirtraversal files, where unace-2.x possibly stumbles on the problem, because 
they have a correct crc sum. 
 
I don't know at the moment. Will dig into it deeper tomorrow. 
Comment 28 Thomas Biege 2005-05-24 16:45:36 UTC
I know this is one of the ugly dirty bugs we all dislike but nevertheless did
you find something, Klaus?
Comment 29 Michael Schröder 2005-06-08 16:11:42 UTC
I copied the patchinfos to /work/src/done and patched them. Klaus, please take 
a look at them and tell me if they are correct. 
Comment 30 Thomas Biege 2005-06-09 08:31:50 UTC
Thanks,
please assign to security-team when done.
Comment 31 Klaus Singvogel 2005-06-09 09:51:30 UTC
I was very busy yesterday evening (Vorstandssitzung LST e.V.) and forgot to 
check in the patches for 9.3. So I did it this morning (= not yet complete). 
 
Comment 32 Klaus Singvogel 2005-06-09 09:58:58 UTC
Finally I came to the conclusion that it is impossible to exploit unace-2.x. I 
think it's impossible (at least pretty hard) to generate long enough, generic 
strings without having a valid CRC for them. 
If you try to generate any such archive, unace is ignoring it and quitting 
with an appropriate status code, because of the invalid CRC for the strings. 
 
Result: unace-2.x is not affected. 
 
Result: we need no 9.0-i386, 9.1-i386 (= SLES9-i386), 9.2-i386, 9.3-i386 
security fixes. 
For i386: only SLES8-i386, 8.2-i386 
But: every non-i386 SUSE Linux versions. 
 
Security-Team: please adapt patchinfo files. 
 
Comment 33 Michael Schröder 2005-06-09 10:04:43 UTC
Grrr, I adapted them yesterday and now want to know of you, if they are 
correct! That's what comment #29 was about. 
Comment 34 Klaus Singvogel 2005-06-13 12:32:57 UTC
submitted 
note: patchinfo files are already edited 
Comment 35 Marcus Meissner 2005-06-13 18:48:20 UTC
updates approved. 
Comment 36 Marcus Meissner 2005-09-26 11:15:48 UTC
   http://www.kb.cert.org/vuls/id/215006 
 
Comment 37 Marcus Meissner 2006-01-12 12:37:17 UTC
the patch never made it into the STABLE version.

i applied it there and submitted a fixed package.
Comment 38 Thomas Biege 2009-10-13 21:05:48 UTC
CVE-2005-0161: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)