Your message dated Fri, 29 May 2026 03:48:36 +0000
with message-id <[email protected]>
and subject line Bug#1138160: fixed in unace 1.2b-27
has caused the Debian Bug report #1138160,
regarding unace: heap buffer over-read in magic scanner (CWE-125)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138160: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138160
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unace
Version: 1.2b-26
Severity: important
Tags: security

unace 1.2b has a heap buffer over-read in the ACE archive magic signature
scanner. The scanner reads input in 1024-byte chunks into a heap buffer
(malloc(0x400)) and performs 4-byte integer comparisons at every byte offset
0 through 1023. At offsets 1021 through 1023, the 4-byte read extends 1 to
3 bytes beyond the buffer boundary, reading adjacent heap memory.

The read data is compared against fixed magic constants and discarded on
mismatch, so information does not leak to the attacker directly. However,
the read itself is undefined behavior and may cause crashes on hardened
allocators or ASAN-instrumented builds.

Root cause (function at offset 0x3480 in the stripped binary):

    buf = malloc(0x400);                          // 1024 bytes
    n = read(fd, buf, 0x400);                     // fill buffer
    for (i = 0; i < 0x400; i++) {                 // iterates 0..1023
        if (*(uint32_t*)(buf + i) == MAGIC) ...   // 4-byte read at buf+i
    }

At i=1021, 1022, 1023: reads 4 bytes starting at buf+1021/1022/1023, which
extends 1/2/3 bytes past the 1024-byte allocation.

Trigger: processing any file where the ACE magic signature is not found
within the first 1018 bytes of a scan chunk (includes non-ACE files,
corrupt archives, and valid archives with padding).

Reproduction:

    valgrind --tool=memcheck unace l /dev/null

    # Or via Docker:
    docker run --rm ubuntu:26.04 bash -c \
      "apt-get update -qq && apt-get install -y -qq unace valgrind && \
       dd if=/dev/urandom of=/tmp/test.ace bs=2048 count=1 2>/dev/null && \
       valgrind unace l /tmp/test.ace 2>&1 | grep 'Invalid read'"

Expected valgrind output:
    Invalid read of size 4
       at 0x35CC: (in /usr/bin/unace)
     Address 0x... is 0 bytes after a block of size 1,024 alloc'd

Suggested fix: change loop bound from i < 0x400 to i < (0x400 - 3), or
allocate 4 extra bytes: malloc(0x404).

Since this is a binary-only package with no upstream, options include binary
patching, adding a package advisory, or considering removal.

The software is proprietary, authored by e-merge GmbH (defunct ~2000), and
unmaintained. There is no upstream to notify. A CVE ID has been requested
via MITRE CNA-LR.

--- End Message ---
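
Added example, not part of the bug report and not the patch shipped in 1.2b-27 (which this page does not show): a bounded chunked magic scan in C. It goes beyond the suggested loop-bound change by bounding on the bytes actually read and by carrying the last 3 bytes of each chunk forward, so a signature straddling a chunk boundary is still found. MAGIC is a constructed placeholder value, and scan_window/find_magic are hypothetical names.

```c
#include <stddef.h>
#include <string.h>

#define CHUNK     0x400   /* chunk size given in the report */
#define MAGIC_LEN 4       /* width of each comparison in the report */
static const unsigned char MAGIC[MAGIC_LEN] = { 'M', 'A', 'G', 'C' }; /* placeholder */

/* Scan one window of n valid bytes. The last start offset tried is
 * n - MAGIC_LEN, so with n == 0x400 the loop ends at 1020, not 1023. */
static long scan_window(const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i + MAGIC_LEN <= n; i++)
        if (memcmp(buf + i, MAGIC, MAGIC_LEN) == 0) /* no unaligned uint32 load */
            return (long)i;
    return -1;
}

/* Scan src[0..len) in CHUNK-sized reads (src/len stand in for the file).
 * The trailing MAGIC_LEN-1 bytes of each window are kept for the next one.
 * Returns the absolute offset of the first match, or -1. */
long find_magic(const unsigned char *src, size_t len)
{
    unsigned char win[MAGIC_LEN - 1 + CHUNK];
    size_t carry = 0, pos = 0;

    while (pos < len) {
        size_t n = len - pos < CHUNK ? len - pos : CHUNK; /* short read at EOF */
        memcpy(win + carry, src + pos, n);
        long hit = scan_window(win, carry + n);
        if (hit >= 0)
            return (long)(pos - carry) + hit;
        pos += n;
        size_t total = carry + n;
        size_t keep = total < MAGIC_LEN - 1 ? total : MAGIC_LEN - 1;
        memmove(win, win + total - keep, keep);
        carry = keep;
    }
    return -1;
}

int main(void)
{
    unsigned char data[2 * CHUNK] = {0};        /* constructed input */
    memcpy(data + CHUNK - 2, MAGIC, MAGIC_LEN); /* straddles the chunk boundary */
    return find_magic(data, sizeof data) == CHUNK - 2 ? 0 : 1;
}
```

Building with -fsanitize=address and scanning an exactly CHUNK-sized heap buffer is a quick regression check that no read passes the end of the allocation.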
--- Begin Message ---
Source: unace
Source-Version: 1.2b-27
Done: Guillem Jover <[email protected]>

We believe that the bug you reported is fixed in the latest version of
unace, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <[email protected]> (supplier of updated unace package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 29 May 2026 05:23:48 +0200
Source: unace
Architecture: source
Version: 1.2b-27
Distribution: unstable
Urgency: medium
Maintainer: Guillem Jover <[email protected]>
Changed-By: Guillem Jover <[email protected]>
Closes: 1138160
Changes:
 unace (1.2b-27) unstable; urgency=medium
 .
   * Switch to Standards-Version 4.7.4 (no changes needed).
   * Switch Forwarded no to not-needed in patch metadata as there is no
     upstream anymore.
   * Fix heap buffer over read when looking for the archive magic value.
     Report and patch by Xiang Chen <[email protected]>. (Closes: #1138160)




--- End Message ---