-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : unadf
Version        : 0.7.11a-3+deb7u1
CVE IDs        : CVE-2016-1243 CVE-2016-1244
Debian Bug     : #838248

It was discovered that there were two vulnerabilities in unadf, a tool to
extract files from an Amiga Disk File dump (.adf):

- CVE-2016-1243: stack buffer overflow caused by blindly trusting the
  pathname lengths of archived files. The stack-allocated buffer sysbuf
  was filled with sprintf() without any bounds checking in the
  extracTree() function.

- CVE-2016-1244: execution of unsanitized input. The shell command used
  for creating directory paths was constructed by concatenating the names
  of archived files onto the end of the command string.

For Debian 7 "Wheezy", these issues have been fixed in unadf version
0.7.11a-3+deb7u1.

We recommend that you upgrade your unadf packages.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
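The two defect patterns named above, each beside a hardened replacement, as an added illustration that is not unadf's own code (function and buffer names are hypothetical; the ".." check goes beyond what the advisory describes):

```c
/* Added example, not unadf's own code: the two patterns the advisory describes
 * (sprintf into a fixed stack buffer; shell command built from archive names). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* CVE-2016-1243 pattern: sprintf(sysbuf, "%s/%s", dir, name) with no bounds
 * check overflows the stack buffer when an archived filename is long.
 * Hardened: snprintf plus an explicit check of the required length. */
int join_path(char *out, size_t outsz, const char *dir, const char *name)
{
    int n = snprintf(out, outsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz) out[0] = '\0';   /* never hand back a truncated path */
        return -1;                  /* caller treats this as an error */
    }
    return 0;
}

/* Returns 1 if any path component is "..", so an archive entry cannot climb
 * out of the extraction directory (extra check, beyond the advisory). */
int has_parent_ref(const char *path)
{
    for (const char *p = path; *p; ) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') return 1;
        p = slash ? slash + 1 : p + len;
    }
    return 0;
}

/* CVE-2016-1244 pattern: system("mkdir -p <name>") lets shell metacharacters
 * in an archived filename execute.  Hardened: no shell at all; walk the
 * components and call mkdir(2) directly, tolerating directories that exist. */
int mkdir_p_noshell(const char *path, mode_t mode)
{
    char buf[4096];
    if (strlen(path) >= sizeof buf || has_parent_ref(path))
        return -1;
    strcpy(buf, path);              /* length checked above */
    for (char *p = buf + (buf[0] == '/'); *p; p++) {
        if (*p != '/') continue;
        *p = '\0';                  /* create the prefix up to this slash */
        if (mkdir(buf, mode) != 0 && errno != EEXIST) return -1;
        *p = '/';
    }
    return (mkdir(buf, mode) == 0 || errno == EEXIST) ? 0 : -1;
}
```

With mkdir(2) called directly, a name such as `x$(id)` becomes a directory literally named that, rather than a command the shell runs.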