Debian Bug report logs -
#340842
unalz: buffer overflow when extracting archives
Reported by: metaur@telia.com
Date: Sat, 26 Nov 2005 10:48:02 UTC
Severity: grave
Tags: patch, security
Found in versions unalz/0.52-1, unalz/0.30
Fixed in versions unalz/0.30.1, 0.55-1
Done: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Yooseong Yang <yooseong@debian.org>:
Bug#340842; Package unalz.
(full text, mbox, link).
Acknowledgement sent to metaur@telia.com:
New Bug report received and forwarded. Copy sent to Yooseong Yang <yooseong@debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Subject: unalz: buffer overflow when extracting archives
Package: unalz
Version: 0.52-1
Severity: grave
Justification: user security hole
Tags: security patch sarge etch sid
Hello,
I have found a buffer overflow security vulnerability in unalz. It
occurs when it extracts malicious ALZ archives.
I have attached the archives oflow333.alz (for sarge) and oflow1621.alz
(for testing and unstable), as well as the program alzgen.pl that
generated them and a patch that corrects this issue.
It is also possible to upgrade to the latest upstream version 0.53,
which also corrects it.
// Ulf Härnhammar, Debian Security Audit Project
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages unalz depends on:
ii libc6 2.3.5-8 GNU C Library: Shared libraries an
ii libgcc1 1:4.0.2-2 GCC support library
ii libstdc++6 4.0.2-2 The GNU Standard C++ Library v3
unalz recommends no packages.
-- no debconf information
[oflow333.alz (application/octet-stream, attachment)]
[oflow1621.alz (application/octet-stream, attachment)]
[alzgen.pl (text/x-perl, attachment)]
[unalz.oflow.patch (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Yooseong Yang <yooseong@debian.org>:
Bug#340842; Package unalz.
(full text, mbox, link).
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Yooseong Yang <yooseong@debian.org>.
(full text, mbox, link).
Message #10 received at 340842@bugs.debian.org (full text, mbox, reply):
Hi,
this has been assigned CVE-2005-3862, please mention it in the changelog
when fixing it.
Cheers,
Moritz
Bug marked as found in version 0.30.
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
(full text, mbox, link).
Tags removed: etch, sarge, sid
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
(full text, mbox, link).
Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to metaur@telia.com:
Bug acknowledged by developer.
(full text, mbox, link).
Message #19 received at 340842-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Version: 0.30.1
This bug was fixed in a security upload to stable; marking as closed in that
version.
The changelog entry for this upload was:
unalz (0.30.1) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team
* Fix buffer overflow in file name handling, discovered by Ulf Härnhammar
(CVE-2005-3862)
The bug appears to still apply to the version of the package in unstable,
and is marked as such.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Yooseong Yang <yooseong@debian.org>:
Bug#340842; Package unalz.
(full text, mbox, link).
Acknowledgement sent to "Ulf Harnhammar" <metaur@operamail.com>:
Extra info received and forwarded to list. Copy sent to Yooseong Yang <yooseong@debian.org>.
(full text, mbox, link).
Message #24 received at 340842@bugs.debian.org (full text, mbox, reply):
> This bug was fixed in a security upload to stable; marking as closed in that
> version.
>
> The bug appears to still apply to the version of the package in unstable,
> and is marked as such.
The bug looks closed to me.
// Ulf
--
_______________________________________________
Surf the Web in a faster, safer and easier way:
Download Opera 8 at http://www.opera.com
Powered by Outblaze
Bug reopened, originator not changed.
Request was from "Ulf Harnhammar" <metaur@operamail.com>
to control@bugs.debian.org.
(full text, mbox, link).
Bug marked as fixed in version 0.30.1, send any further explanations to metaur@telia.com
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Yooseong Yang <yooseong@debian.org>:
Bug#340842; Package unalz.
(full text, mbox, link).
Acknowledgement sent to "Ulf Harnhammar" <metaur@operamail.com>:
Extra info received and forwarded to list. Copy sent to Yooseong Yang <yooseong@debian.org>.
(full text, mbox, link).
Message #33 received at 340842@bugs.debian.org (full text, mbox, reply):
> > The bug appears to still apply to the version of the package in unstable,
> > and is marked as such.
>
> The bug looks closed to me.
It still looks closed (in all versions) to me. Are you sure that that is what you want, instead of - say - fixing it?
// Ulf
--
_______________________________________________
Surf the Web in a faster, safer and easier way:
Download Opera 8 at http://www.opera.com
Powered by Outblaze
Information forwarded to debian-bugs-dist@lists.debian.org, Yooseong Yang <yooseong@debian.org>:
Bug#340842; Package unalz.
(full text, mbox, link).
Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Yooseong Yang <yooseong@debian.org>.
(full text, mbox, link).
Message #38 received at 340842@bugs.debian.org (full text, mbox, reply):
On Thu, Mar 16, 2006 at 06:44:49PM +0100, Ulf Harnhammar wrote:
> > > The bug appears to still apply to the version of the package in unstable,
> > > and is marked as such.
> >
> > The bug looks closed to me.
> It still looks closed (in all versions) to me. Are you sure that that is
> what you want, instead of - say - fixing it?
http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=unalz&dist=unstable
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/
Reply sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to metaur@telia.com:
Bug acknowledged by developer.
(full text, mbox, link).
Message #43 received at 340842-done@bugs.debian.org (full text, mbox, reply):
Version: 0.55-1
On Thu, Mar 16, 2006 at 10:35:33AM -0800, Steve Langasek wrote:
>> It still looks closed (in all versions) to me. Are you sure that that is
>> what you want, instead of - say - fixing it?
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=unalz&dist=unstable
This was fixed in a QA upload a while ago (0.55-1), since upstream 0.53 fixed
it; the changelog missed it, though. I've verified that the code does indeed
contain the patch given in the patch log, so I'm marking it as closed.
/* Steinar */
--
Homepage: http://www.sesse.net/
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 25 Jun 2007 09:09:15 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:42:49 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon