Package: unace-nonfree
Version: 2.5-7_i386.deb
Reminder: unace-nonfree is renamed unace in the path when installed.
System: Fresh install of debian-7.3.0-i386-xfce-CD-1.iso up to date.
uname -a: Linux debian 3.2.0-4-486 #1 Debian 3.2.51-1 i686 GNU/Linux
dpkg -s libc6 | grep ^Version: 2.13-38

I've found two buffer overflows in unace-nonfree. They are available using
long specific arguments: filename (294 chars or more) or password (57 chars
or more).

***Filename***

*cervoise@debian:~/Bureau$ unace t `perl -e 'print "A"x293'`*
*UNACE v2.5     Copyright by ACE Compression Software       Mar 28 2012 21:27:51*

*cervoise@debian:~/Bureau$ unace t `perl -e 'print "A"x294'`*
*UNACE v2.5     Copyright by ACE Compression Software       Mar 28 2012 21:27:51
*** buffer overflow detected ***: /usr/bin/unace terminated
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xb76713c0]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xe92fa)[0xb76702fa]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xe862a)[0xb766f62a]
/usr/bin/unace(+0x1267c)[0xb772d67c]
Abandon*

***Password***

Reminder: the command line used to uncompress myacefile.ace, protected with
weakpassword as its password: unace t -pweakpassword myacefile.ace

*cervoise@debian:~/Bureau$ unace t -p`perl -e 'print "A"x56'` myacefile.ace*
*UNACE v2.5     Copyright by ACE Compression Software       Mar 28 2012 21:27:51*

*cervoise@debian:~/Bureau$ unace t -p`perl -e 'print "A"x57'` myacefile.ace*
*UNACE v2.5     Copyright by ACE Compression Software       Mar 28 2012 21:27:51
*** buffer overflow detected ***: /usr/bin/unace terminated
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xb76fb3c0]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xe92fa)[0xb76fa2fa]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__strcpy_chk+0x44)[0xb76f9674]
/usr/bin/unace(+0x12539)[0xb77b7539]
Abandon*

I think these bugs may be security issues.

Regards.

*Antoine Cervoise*
Security consultant
Direction Risk & Security

*Mob. : *+33 (0)6 60 65 22 18
antoine.cervo...@devoteam.com
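
Added example (not part of the original report and not unace's own code): the unbounded copy pattern that glibc's fortified strcpy aborts on, as in the __strcpy_chk frame of the password backtrace, next to a bounded copy that rejects overlong arguments. The function names and the buffer sizes (294 and 57 bytes) are assumptions inferred only from the reported 293/294 and 56/57 boundaries.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes, inferred only from the reported boundaries (not from unace source):
 * 293 chars pass / 294 fail, and 56 chars pass / 57 fail. */
#define FILENAME_BUF 294
#define PASSWORD_BUF 57

/* Unbounded pattern: the kind of copy that glibc's fortified strcpy aborts on. */
void copy_arg_unchecked(char *dst, const char *arg)
{
    strcpy(dst, arg);               /* writes strlen(arg) + 1 bytes, whatever dst holds */
}

/* Bounded form: look for the NUL within dstsz bytes, refuse input that does not fit. */
int copy_arg_checked(char *dst, size_t dstsz, const char *arg)
{
    const char *end;

    if (dst == NULL || arg == NULL || dstsz == 0)
        return -1;
    end = memchr(arg, '\0', dstsz); /* stops at the first NUL, never scans past dstsz */
    if (end == NULL) {              /* strlen(arg) >= dstsz: no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, arg, (size_t)(end - arg) + 1);
    return 0;
}

int main(void)
{
    char password[PASSWORD_BUF], filename[FILENAME_BUF], input[512];
    size_t lengths[] = { 56, 57, 293, 294 };   /* constructed test lengths */

    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        memset(input, 'A', lengths[i]);
        input[lengths[i]] = '\0';
        printf("%3zu chars: password %s, filename %s\n", lengths[i],
               copy_arg_checked(password, sizeof password, input) ? "rejected" : "accepted",
               copy_arg_checked(filename, sizeof filename, input) ? "rejected" : "accepted");
    }
    return 0;
}
```

The checked copy returns an error instead of truncating, so the caller can report the overlong argument and exit cleanly.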
