Package: unace-nonfree
Version: 2.5-7_i386.deb
Reminder: unace-nonfree is renamed unace in the path when installed.
System: Fresh install of debian-7.3.0-i386-xfce-CD-1.iso, up to date.
uname -a: Linux debian 3.2.0-4-486 #1 Debian 3.2.51-1 i686 GNU/Linux
dpkg -s libc6 | grep ^Version: 2.13-38

I've found two buffer overflows in unace-nonfree. They can be triggered using specific long arguments: filename (294 chars or more) or password (57 chars or more).

***Filename***

    cervoise@debian:~/Bureau$ unace t `perl -e 'print "A"x293'`
    UNACE v2.5 Copyright by ACE Compression Software Mar 28 2012 21:27:51

    cervoise@debian:~/Bureau$ unace t `perl -e 'print "A"x294'`
    UNACE v2.5 Copyright by ACE Compression Software Mar 28 2012 21:27:51
    *** buffer overflow detected ***: /usr/bin/unace terminated
    ======= Backtrace: =========
    /lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xb76713c0]
    /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xe92fa)[0xb76702fa]
    /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xe862a)[0xb766f62a]
    /usr/bin/unace(+0x1267c)[0xb772d67c]
    Abandon

***Password***

Reminder: the command line used to uncompress myacefile.ace, protected with weakpassword as the password:

    unace t -pweakpassword myacefile.ace

    cervoise@debian:~/Bureau$ unace t -p`perl -e 'print "A"x56'` myacefile.ace
    UNACE v2.5 Copyright by ACE Compression Software Mar 28 2012 21:27:51

    cervoise@debian:~/Bureau$ unace t -p`perl -e 'print "A"x57'` myacefile.ace
    UNACE v2.5 Copyright by ACE Compression Software Mar 28 2012 21:27:51
    *** buffer overflow detected ***: /usr/bin/unace terminated
    ======= Backtrace: =========
    /lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xb76fb3c0]
    /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xe92fa)[0xb76fa2fa]
    /lib/i386-linux-gnu/i686/cmov/libc.so.6(__strcpy_chk+0x44)[0xb76f9674]
    /usr/bin/unace(+0x12539)[0xb77b7539]
    Abandon

I think these bugs may be security issues.

Regards.

*Antoine Cervoise*
Security consultant
Direction Risk & Security
Mob.: +33 (0)6 60 65 22 18
antoine.cervo...@devoteam.com
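A triage helper for the two glibc abort reports above, added here as an example and not part of the original report: it pulls out the fortified libc function that fired (when libc names it) and the return address inside the crashing binary, so the two crashes can be compared. The names `triage`, `FRAME` and `BANNER` are assumptions of this example; the sample text is copied from the backtraces in the report.

```python
import re

# One glibc backtrace frame: path(symbol+0xoff)[0xaddr]; the symbol may be empty.
FRAME = re.compile(r"(/[^\s()\[\]]+)\((\w*)\+(0x[0-9a-fA-F]+)\)\[0x[0-9a-fA-F]+\]")
BANNER = re.compile(r"\*\*\* (.+?) \*\*\*: (\S+) terminated")

def triage(report):
    """Summarise a glibc abort report; tolerates line breaks lost in transit."""
    banner = BANNER.search(report)
    if banner is None:
        return None
    # Frames live between the banner and the memory map, if one is present.
    section = report[banner.end():].split("Memory map:")[0]
    frames = [
        {"module": m.group(1), "symbol": m.group(2) or None,
         "offset": int(m.group(3), 16)}
        for m in FRAME.finditer(section)
    ]
    binary = banner.group(2)
    # Fortified wrapper that detected the overflow, if the frame carries a symbol.
    check = next((f["symbol"] for f in frames
                  if f["symbol"] and f["symbol"].endswith("_chk")), None)
    # First frame inside the crashing program: the call site to inspect.
    site = next((f["offset"] for f in frames if f["module"] == binary), None)
    return {"reason": banner.group(1), "binary": binary,
            "check": check, "call_site": site, "frames": len(frames)}

# Backtraces copied from the report above (memory maps left out).
FILENAME_CRASH = """*** buffer overflow detected ***: /usr/bin/unace terminated
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xb76713c0]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xe92fa)[0xb76702fa]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xe862a)[0xb766f62a]
/usr/bin/unace(+0x1267c)[0xb772d67c]
"""
PASSWORD_CRASH = """*** buffer overflow detected ***: /usr/bin/unace terminated
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xb76fb3c0]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xe92fa)[0xb76fa2fa]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__strcpy_chk+0x44)[0xb76f9674]
/usr/bin/unace(+0x12539)[0xb77b7539]
"""

if __name__ == "__main__":
    for name, text in (("filename", FILENAME_CRASH), ("password", PASSWORD_CRASH)):
        print(name, triage(text))
```

The two `call_site` values differ, so the filename and password overflows return to two separate places in `/usr/bin/unace`; only the password crash names the fortified function in its backtrace.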