unadf: CVE-2016-1243 and CVE-2016-1244

Related Vulnerabilities: CVE-2016-1243   CVE-2016-1244  

Debian Bug report logs - #838248
unadf: CVE-2016-1243 and CVE-2016-1244


Reported by: Luciano Bello <luciano@debian.org>

Date: Mon, 19 Sep 2016 02:45:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version unadf/0.7.11a-3

Fixed in versions unadf/0.7.11a-4, unadf/0.7.11a-3+deb8u1

Done: Luciano Bello <luciano@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#838248; Package src:unadf. (Mon, 19 Sep 2016 02:45:06 GMT)


Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Debian QA Group <packages@qa.debian.org>. (Mon, 19 Sep 2016 02:45:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: unadf: CVE-2016-1243 and CVE-2016-1244
Date: Sun, 18 Sep 2016 22:42:25 -0400
Source: unadf
Version: 0.7.11a-3
Severity: important
Tags: security patch

Hi,

Tuomas Räsänen discovered the following vulnerabilities for unadf.

CVE-2016-1243[0]: stack buffer overflow caused by blindly trusting on pathname 
lengths of archived files.
CVE-2016-1244[1]: execution of unsanitized input

The patch is available here: 
  http://tmp.tjjr.fi/0001-Fix-unsafe-extraction-by-using-mkdir-instead-of-shel.patch

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1243
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1243
[1] https://security-tracker.debian.org/tracker/CVE-2016-1244
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1244



Severity set to 'grave' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 19 Sep 2016 04:36:03 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 19 Sep 2016 04:45:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#838248; Package src:unadf. (Mon, 19 Sep 2016 19:42:04 GMT)


Acknowledgement sent to Tuomas Räsänen <tuomasjjrasanen@tjjr.fi>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Mon, 19 Sep 2016 19:42:04 GMT)


Message #14 received at 838248@bugs.debian.org:

From: Tuomas Räsänen <tuomasjjrasanen@tjjr.fi>
To: 838248@bugs.debian.org
Subject: unadf: details of CVE-2016-1243 and CVE-2016-1244
Date: Mon, 19 Sep 2016 22:39:37 +0300
Hi,

Here are details of these vulnerabilities for the curious:

CVE-2016-1243
=============

  void extractTree(struct Volume *vol, struct List* tree, char *path, unsigned char *extbuf,
                   BOOL pflag, BOOL qflag)
  {
      struct Entry* entry;
      char *buf;
      char sysbuf[200];
  
      while(tree) {
          entry = (struct Entry*)tree->content;
          if (entry->type==ST_DIR) {
              buf = NULL;
              if (strlen(path)>0) {
                  buf=(char*)malloc(strlen(path)+1+strlen(entry->name)+1);
                  if (!buf) return;
                  sprintf(buf,"%s%c%s",path,DIRSEP,entry->name);
                  sprintf(sysbuf,"%s %s",MKDIR,buf);

Here, sysbuf can be caused to overflow, for example by giving an .adf
archive which has a file with a very long name and/or path.

CVE-2016-1244
=============

When unadf extracts an .adf file, it creates directory paths by executing
mkdir via system(), but does not sanitize pathname strings in any
way. If the user can be tricked into extracting a specially crafted .adf
file, the attacker can execute arbitrary code with the privileges of the
user.

As a proof of concept, I have crafted a file which executes 'ls' when
unpacked by vulnerable unadf: http://tmp.tjjr.fi/boom.adf

Action log:

  $ unadf boom.adf
  unADF v1.0 : a unzip like for .ADF files, powered by ADFlib (v0.7.11a - January 20th, 2007)

  Device : Floppy DD. Cylinders = 80, Heads = 2, Sectors = 11. Volumes = 1
  Volume : Floppy 880 KBytes, "Work" between sectors [0-1759]. OFS . Filled at 0.3%.

  x - somedir;ls/
  adflib.dsw    AUTHORS.txt  boom.adf  CHANGES.txt  debian  Docs        dynunadf.dsp  FilesToInstall  Lib       README.txt  somedir        staticunadf.dsp
  adfwrapper.h  Bin          Boot      COPYING.txt  Demo    dynlib.dsp  Faq           gen_spec.sh     Makefile  snip.c      staticlib.dsp


--
Tuomas
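
The two defects from the extractTree() excerpt in the message above, side by side with a shell-free replacement, as an added example. This is not unadf's code and not the upstream patch linked in the first message; it assumes POSIX mkdir(2) and mkdtemp(3), the Unix build's values of MKDIR ("mkdir") and DIRSEP ('/'), and a writable /tmp for the demo. mkdir_command_len() measures what the original sprintf() would write into sysbuf[200] without performing the overflow; has_shell_metachar() shows why an entry named "somedir;ls" reaches the shell as two commands; make_dir_safe() is the hardened form (the name checks in it are an extra guard added here, not something the upstream fix is known to do).

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MKDIR      "mkdir"   /* value used by the Unix build of unadf (assumed) */
#define DIRSEP     '/'
#define SYSBUF_LEN 200       /* sysbuf[200] in the extractTree() excerpt */

/* Join path and entry name as extractTree() does ("%s%c%s"); an empty path
 * yields just the name. Caller frees. */
static char *join_path(const char *path, const char *name)
{
    if (path[0] == '\0') return strdup(name);
    size_t n = strlen(path) + 1 + strlen(name) + 1;
    char *buf = malloc(n);
    if (buf) snprintf(buf, n, "%s%c%s", path, DIRSEP, name);
    return buf;
}

/* CVE-2016-1243: extractTree() sprintf()s "MKDIR <buf>" into a 200-byte stack
 * array with no length check. Return the byte count that sprintf would write
 * (NUL included) so the overflow can be measured without performing it. */
static size_t mkdir_command_len(const char *path, const char *name)
{
    char *buf = join_path(path, name);
    if (!buf) return 0;
    int n = snprintf(NULL, 0, "%s %s", MKDIR, buf);
    free(buf);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* 1 if an entry name of name_len bytes under "out" would overrun sysbuf. */
static int long_name_overflows(size_t name_len)
{
    char *name = malloc(name_len + 1);
    if (!name) return -1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    int r = mkdir_command_len("out", name) > SYSBUF_LEN;
    free(name);
    return r;
}

/* CVE-2016-1244: the joined path is spliced into a shell command line run via
 * system(). A metacharacter in an entry name (the PoC used "somedir;ls") ends
 * the mkdir argument and the rest is executed. Denylist is illustrative only;
 * the real fix is to keep the shell out of the loop entirely. */
static int has_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&$`\\\"'<>(){}*?[]~\n") != NULL;
}

/* Hardened replacement for system("mkdir ..."): mkdir(2) takes the path as
 * one argument, so metacharacters are just bytes, and no fixed buffer is
 * used. The name checks are an extra guard added in this example (not from
 * the upstream patch) against entries escaping the output directory.
 * Returns 0 on success or if the directory already exists, -1 otherwise. */
static int make_dir_safe(const char *path, const char *name)
{
    if (name[0] == '\0' || strchr(name, DIRSEP) ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;
    char *buf = join_path(path, name);
    if (!buf) return -1;
    int rc = mkdir(buf, 0777);
    if (rc != 0 && errno == EEXIST) rc = 0;
    free(buf);
    return rc;
}

/* Create the PoC entry name under a fresh temp dir with the hardened routine
 * and confirm a directory literally called "somedir;ls" appears; nothing is
 * executed. Returns 1 on success, 0 otherwise. Cleans up after itself. */
static int demo_safe_mkdir(void)
{
    char tmpl[] = "/tmp/unadf_example_XXXXXX";
    if (!mkdtemp(tmpl)) return 0;
    int ok = make_dir_safe(tmpl, "somedir;ls") == 0;
    char *created = join_path(tmpl, "somedir;ls");
    struct stat st;
    ok = ok && created && stat(created, &st) == 0 && S_ISDIR(st.st_mode);
    if (created) { rmdir(created); free(created); }
    rmdir(tmpl);
    return ok;
}

int main(void)
{
    printf("190-byte name overflows sysbuf[200]: %d\n", long_name_overflows(190));
    printf("\"somedir;ls\" carries a shell metachar: %d\n", has_shell_metachar("somedir;ls"));
    printf("mkdir(2) of \"somedir;ls\" in a temp dir: %s\n",
           demo_safe_mkdir() ? "ok, no shell involved" : "failed");
    return 0;
}
```

The boundary is exact: "mkdir out/" plus 189 bytes of name fills sysbuf[200] to the last byte, and one more byte writes past it, which is the whole of CVE-2016-1243. For CVE-2016-1244 the point is that filtering is the wrong tool; passing the path to mkdir(2) means the entry name "somedir;ls" simply becomes a directory of that name, as demo_safe_mkdir() shows.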



Reply sent to Luciano Bello <luciano@debian.org>:
You have taken responsibility. (Sat, 24 Sep 2016 20:15:06 GMT)


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Sat, 24 Sep 2016 20:15:06 GMT)


Message #19 received at 838248-close@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: 838248-close@bugs.debian.org
Subject: Bug#838248: fixed in unadf 0.7.11a-4
Date: Sat, 24 Sep 2016 20:14:15 +0000
Source: unadf
Source-Version: 0.7.11a-4

We believe that the bug you reported is fixed in the latest version of
unadf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 838248@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello <luciano@debian.org> (supplier of updated unadf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 24 Sep 2016 11:43:06 -0400
Source: unadf
Binary: unadf
Architecture: source amd64
Version: 0.7.11a-4
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Luciano Bello <luciano@debian.org>
Description:
 unadf      - Extract files from an Amiga Disk File dump (.adf)
Closes: 838248
Changes:
 unadf (0.7.11a-4) unstable; urgency=high
 .
   * Orphan package with security issues.
   * Tuomas Räsänen discovered two security issues (Closes: #838248):
     - CVE-2016-1243: stack buffer overflow caused by blindly trusting on
     pathname lengths of archived files.
     - CVE-2016-1244: execution of unsanitized input.
   * Standards-Version: 3.9.8
Checksums-Sha1:
 1ca4a450211d82969428bb13925a7aac4ffb5be4 1695 unadf_0.7.11a-4.dsc
 15a18d20546e0bbde7a9578987897da87ecaa9b8 17924 unadf_0.7.11a-4.debian.tar.xz
 67608a6e5488bee556cdf127bda5dbce8d0dd41b 71318 unadf-dbgsym_0.7.11a-4_amd64.deb
 5505b8917f7cd2c19d040bbcb76e1fefd369f8af 111052 unadf_0.7.11a-4_amd64.deb
Checksums-Sha256:
 925bce8be8fd58e30b24f1bdbe6b295e70fa7a1516d77f87ddadd6fe5f99f047 1695 unadf_0.7.11a-4.dsc
 ff8873027d330cf3f87876149bd00fe737e0e9885debdda44ce6e3d27257eca3 17924 unadf_0.7.11a-4.debian.tar.xz
 cbc5cca895055beddc23413363cbb4be10ff040f728f611cb377875057f92115 71318 unadf-dbgsym_0.7.11a-4_amd64.deb
 a28f29a4854fea1738f3f2faf1587fd4a966afdbbc04a26f9050bb40cafd85df 111052 unadf_0.7.11a-4_amd64.deb
Files:
 1ec6937000c5283fdbc33be85e4f6084 1695 utils optional unadf_0.7.11a-4.dsc
 042fd96d51e94e880e88f3adfbb01c03 17924 utils optional unadf_0.7.11a-4.debian.tar.xz
 235bb4a1c9bba4bcc7f4343567c29d6a 71318 debug extra unadf-dbgsym_0.7.11a-4_amd64.deb
 451348e43e3777bd8a3ab5bd19d534ec 111052 utils optional unadf_0.7.11a-4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Reply sent to Luciano Bello <luciano@debian.org>:
You have taken responsibility. (Mon, 03 Oct 2016 22:06:10 GMT)


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Mon, 03 Oct 2016 22:06:10 GMT)


Message #24 received at 838248-close@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: 838248-close@bugs.debian.org
Subject: Bug#838248: fixed in unadf 0.7.11a-3+deb8u1
Date: Mon, 03 Oct 2016 22:03:46 +0000
Source: unadf
Source-Version: 0.7.11a-3+deb8u1

We believe that the bug you reported is fixed in the latest version of
unadf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 838248@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello <luciano@debian.org> (supplier of updated unadf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 18 Sep 2016 23:11:18 -0400
Source: unadf
Binary: unadf
Architecture: source amd64
Version: 0.7.11a-3+deb8u1
Distribution: stable-security
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Luciano Bello <luciano@debian.org>
Description:
 unadf      - Extract files from an Amiga Disk File dump (.adf)
Closes: 838248
Changes:
 unadf (0.7.11a-3+deb8u1) stable-security; urgency=high
 .
   * Orphaned package with security issues.
   * Tuomas Räsänen discovered two security issues (Closes: #838248):
     - CVE-2016-1243: stack buffer overflow caused by blindly trusting on
     pathname lengths of archived files.
     - CVE-2016-1244: execution of unsanitized input.
Checksums-Sha1:
 a9833a042a8124bfdbe6c305b79b63a419258c96 1723 unadf_0.7.11a-3+deb8u1.dsc
 63c05f97302ff67f5d7ff2d9e33f9a66196f9578 209458 unadf_0.7.11a.orig.tar.gz
 d7a189f0824ddc05cbe13dde8ba7280bc0c2ae91 19368 unadf_0.7.11a-3+deb8u1.debian.tar.xz
 330193a8f503a1666a6294c0bec3c52b298c8f7e 111122 unadf_0.7.11a-3+deb8u1_amd64.deb
Checksums-Sha256:
 cdf0531de6b73dfe4ab7f4d9a0886ae4b2565d4f5f5a48fb1db3bf0953c1319b 1723 unadf_0.7.11a-3+deb8u1.dsc
 fa9e0e34b1b0f4f4287905a3d485e3bba498451af98d6c12be87ab3a2b436471 209458 unadf_0.7.11a.orig.tar.gz
 6aa90a89df12f712098d62213eb35c2d4195bfbea389af4936d8a74f6f6b78bc 19368 unadf_0.7.11a-3+deb8u1.debian.tar.xz
 a30718e98459f6c3b2d292cdf67115dba3f77c26b6e5530c1b244daec20d018d 111122 unadf_0.7.11a-3+deb8u1_amd64.deb
Files:
 09671a48add8e2d1998572c1f28fd258 1723 utils optional unadf_0.7.11a-3+deb8u1.dsc
 63c21eeb61e1473d8dd214e0b39cb819 209458 utils optional unadf_0.7.11a.orig.tar.gz
 01bc54dc8cce49609bf509dfd6182ded 19368 utils optional unadf_0.7.11a-3+deb8u1.debian.tar.xz
 388dd0e716d5bb36096a1217609b38dd 111122 utils optional unadf_0.7.11a-3+deb8u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJX5shEAAoJEG7C3vaP/jd0VVMQAI3I7PjzwtpBxz8iGaIYCkHq
1JwEQGcO8QsEdekVfb8aWVan2xOIBw0rfgA3HHa8l8EwA6EInAdNOBhF/TxwMo5P
5myXhOyMj5LBsgT+7V4BRaoH9wM4TEP/K6EW5hpd1RHiZWdUni2B0zijelz8pzcf
VtwiVIZCkdblWIjqnxeeU1rQNvUBXkVU1/EDOZlg/ePzySQSXFDFT5JVkbbPGAVW
EMIJC6j5GeN06bFi6fN7wZlK3kVTzmrgBNQZitMHuMC9Cjdah5RzPmh/vyU6Za+v
alzvkLDNdn6R4J2sgtf3Eg5ol6FNjGKZDIbd5PfI/q3KWj1R+wWA/01DRur3yP+Y
c+cQi+4SpXlXOYYSnOC2x9qJvAt47T5lXfaPXQ2q00wPckch4nUegxn0qCUExS+U
Bnx+6fngdqVdCQGmJjo4qEcDQEdhUFEYURis0E3VLQP8afk+slu8xaFeWAS2APMg
umYCLRhmqENh4UvbXDeyaluqG/P2/yAqpFb4/sGJZZIPsM1reaIltSMc0S6eSpSl
kTkQmk1eyP46ixbgCKF5rHvu9vL316Q6twBNRlG4SYj14O/HJM0filbNJN9MJvfN
3AeKqG6JQ6ytQcpP1z0GUP+ZRvA6TZIXUmXrjG8FKmZzie8xtt0FHPEuGLEcwPN6
Q9jQBp5ThZ5Bb4bOsWbp
=Mc7h
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 09:33:43 GMT)


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:56:47 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 09:42:57 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:53:22 2019; Machine Name: beach
