Overview
A buffer overflow in the unace compression library may allow a remote attacker to execute arbitrary code.
Description
The unace compression library is used to decompress ACE archives (*.ace file extension). unace does not adequately validate the filenames stored in an ACE archive's headers, so an overlong filename can overflow a fixed-size buffer. An attacker who supplies a specially crafted ACE archive to an application that uses unace may be able to trigger the overflow and, consequently, execute arbitrary code with the privileges of the application linked to unace.
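The overflow pattern described above, as an added illustration in C that is not unace's source code and does not reproduce the real ACE header layout. Only the "**ACE**" signature at offset 7 is taken from the actual format; the 2-byte little-endian filename length at offset 14 followed by the filename bytes is a hypothetical layout chosen for the example, and the header byte strings are constructed. The unsafe function shows the bug class (a length taken from the archive drives a copy into a fixed-size stack buffer); the hardened function beside it checks that length against both the destination buffer and the bytes actually present before copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIG_OFFSET   7                        /* real ACE files carry "**ACE**" here */
#define SIG_LEN      7
#define FNLEN_OFFSET (SIG_OFFSET + SIG_LEN)   /* hypothetical: 2-byte LE filename length */
#define FNAME_OFFSET (FNLEN_OFFSET + 2)       /* hypothetical: filename bytes follow */
#define FNAME_BUF    64                       /* fixed-size destination buffer */

/* Content-based check: 1 if the buffer carries the ACE signature at offset 7,
 * so a gateway can recognise an ACE archive whatever its file extension is. */
int is_ace_archive(const uint8_t *buf, size_t len)
{
    return len >= (size_t)(SIG_OFFSET + SIG_LEN) &&
           memcmp(buf + SIG_OFFSET, "**ACE**", SIG_LEN) == 0;
}

static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* VULNERABLE pattern. The length field is attacker-controlled and is never
 * compared with sizeof name, so a crafted header writes past the end of the
 * stack buffer (any fnlen >= FNAME_BUF, including the NUL write, overflows).
 * Shown for illustration only; main() calls it only on the benign header. */
int read_filename_unsafe(const uint8_t *hdr, size_t hdr_len, char *out, size_t out_sz)
{
    char name[FNAME_BUF];
    uint16_t fnlen;

    if (hdr_len < (size_t)FNAME_OFFSET)
        return -1;
    fnlen = read_le16(hdr + FNLEN_OFFSET);
    memcpy(name, hdr + FNAME_OFFSET, fnlen);     /* BUG: unbounded copy */
    name[fnlen] = '\0';
    snprintf(out, out_sz, "%s", name);
    return (int)fnlen;
}

/* HARDENED: validate the length against the destination and against the
 * bytes the header really contains before any copy takes place. */
int read_filename_safe(const uint8_t *hdr, size_t hdr_len, char *out, size_t out_sz)
{
    uint16_t fnlen;

    if (!is_ace_archive(hdr, hdr_len) || hdr_len < (size_t)FNAME_OFFSET)
        return -1;                               /* not an ACE header, or too short */
    fnlen = read_le16(hdr + FNLEN_OFFSET);
    if ((size_t)fnlen >= out_sz)
        return -2;                               /* would not fit, NUL included */
    if ((size_t)fnlen > hdr_len - FNAME_OFFSET)
        return -3;                               /* claims bytes the header lacks */
    memcpy(out, hdr + FNAME_OFFSET, fnlen);
    out[fnlen] = '\0';
    return (int)fnlen;
}

/* Constructed sample headers for the example (not taken from real archives). */
static const uint8_t benign_hdr[] = {
    0, 0, 0, 0, 0, 0, 0, '*', '*', 'A', 'C', 'E', '*', '*',
    10, 0,                                       /* fnlen = 10 */
    'r', 'e', 'a', 'd', 'm', 'e', '.', 't', 'x', 't'
};
static const uint8_t evil_hdr[] = {              /* fnlen = 0xFFFF: overflows any buffer */
    0, 0, 0, 0, 0, 0, 0, '*', '*', 'A', 'C', 'E', '*', '*',
    0xFF, 0xFF, 'A', 'A', 'A', 'A'
};
static const uint8_t short_hdr[] = {             /* fnlen = 40 but only 3 bytes follow */
    0, 0, 0, 0, 0, 0, 0, '*', '*', 'A', 'C', 'E', '*', '*',
    40, 0, 'a', 'b', 'c'
};
static const uint8_t zip_hdr[] = { 'P', 'K', 3, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Runs the hardened parser into a local buffer and returns its result code. */
int safe_parse_rc(const uint8_t *hdr, size_t hdr_len)
{
    char out[FNAME_BUF];
    return read_filename_safe(hdr, hdr_len, out, sizeof out);
}

/* 1 if the hardened parser accepts the header and yields exactly 'expect'. */
int safe_parse_matches(const uint8_t *hdr, size_t hdr_len, const char *expect)
{
    char out[FNAME_BUF];
    return read_filename_safe(hdr, hdr_len, out, sizeof out) >= 0 &&
           strcmp(out, expect) == 0;
}

int main(void)
{
    char out[FNAME_BUF];
    int rc;

    rc = read_filename_unsafe(benign_hdr, sizeof benign_hdr, out, sizeof out);
    printf("unsafe, benign: rc=%d name=%s\n", rc, out);
    rc = read_filename_safe(benign_hdr, sizeof benign_hdr, out, sizeof out);
    printf("safe,   benign: rc=%d name=%s\n", rc, out);
    printf("safe,   evil:   rc=%d\n", safe_parse_rc(evil_hdr, sizeof evil_hdr));
    printf("safe,   short:  rc=%d\n", safe_parse_rc(short_hdr, sizeof short_hdr));
    printf("is_ace(zip_hdr) = %d\n", is_ace_archive(zip_hdr, sizeof zip_hdr));
    /* read_filename_unsafe(evil_hdr, ...) is deliberately not called: it would
     * copy 65535 bytes into a 64-byte stack buffer. */
    return 0;
}
```

The two rejections in the hardened version matter independently: the destination check stops the stack overflow, and the remaining-bytes check stops an over-read past the end of the header, which in a scanner that maps archives into memory is a separate crash (and therefore detection-evasion) path.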
Impact
If a remote attacker can convince a user to open a specially crafted ACE archive, that attacker may be able to execute arbitrary code with the privileges of the application that processes the archive. Security software, such as anti-virus products that unpack ACE archives with unace, may be affected as well: a crafted archive may prevent such software from detecting a malicious ACE archive.
Solution
Apply patches from your vendor
The unace compression library is freely available and is used by many vendors in a wide variety of applications, so any one of those applications may contain this vulnerability. Users are encouraged to contact their vendors to determine whether they are affected and what action to take.
Do not accept ACE archives from untrusted sources
Until patched software is in place, do not open ACE archives received from untrusted or unexpected sources.
Vendor Information
FreeBSD, Inc. Affected
Notified: September 21, 2005 Updated: October 03, 2005
Status
Affected
Vendor Statement
unace is available in the FreeBSD Ports Collection. Please see
http://vuxml.freebsd.org/1d3a2737-7eb7-11d9-acf7-000854d03344.html
for details regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Gentoo Linux Affected
Updated: October 21, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see http://www.gentoo.org/security/en/glsa/glsa-200502-32.xml
NetBSD Affected
Notified: September 21, 2005 Updated: September 23, 2005
Status
Affected
Vendor Statement
Vulnerable versions of unace were available from NetBSD's pkgsrc 3rd party software system. The affected versions have been marked as vulnerable. Users running the audit-packages tool have already been notified.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
SUSE Linux Affected
Notified: September 21, 2005 Updated: September 26, 2005
Status
Affected
Vendor Statement
We are affected by this problem and have released updates for this issue on 16th of June 2005.
They are referenced in our Summary Report 2005-16 under this URL: http://www.novell.com/linux/security/advisories/2005_16_sr.html
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Apple Computer, Inc. Not Affected
Notified: September 21, 2005 Updated: October 28, 2005
Status
Not Affected
Vendor Statement
Apple does not ship unace in any products.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Debian Linux Not Affected
Notified: September 21, 2005 Updated: September 26, 2005
Status
Not Affected
Vendor Statement
Debian has fixed this problem in February already so there are no vulnerable versions left in the archive. It has been fixed in version 1.2b-3.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
F-PROT by FRISK Software International Not Affected
Notified: September 21, 2005 Updated: September 23, 2005
Status
Not Affected
Vendor Statement
F-Prot Antivirus does not use this library/program to extract the contents of .ACE archives. As far as we can tell from a code review of our own ACE unpacker then F-Prot Antivirus is not vulnerable.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Hitachi Not Affected
Notified: September 21, 2005 Updated: September 22, 2005
Status
Not Affected
Vendor Statement
Hitachi HI-UX/WE2 and Hitachi's middle software products are NOT Vulnerable to this issue.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Mandriva, Inc. Not Affected
Notified: September 21, 2005 Updated: September 28, 2005
Status
Not Affected
Vendor Statement
Hi, Jeff. No Mandriva product ships with the unace program so Mandriva is not vulnerable to this issue.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Nokia Not Affected
Notified: September 21, 2005 Updated: September 26, 2005
Status
Not Affected
Vendor Statement
No Nokia Enterprise Solutions products are affected by VU#215006.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Openwall GNU/*/Linux Not Affected
Notified: September 21, 2005 Updated: September 22, 2005
Status
Not Affected
Vendor Statement
Openwall GNU/*/Linux is not vulnerable. We do not package unace.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Red Hat, Inc. Not Affected
Notified: September 21, 2005 Updated: September 26, 2005
Status
Not Affected
Vendor Statement
No Red Hat products contain unace.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Aladdin Knowledge Systems Unknown
Notified: September 21, 2005 Updated: September 23, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Avast! Antivirus Software Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Check Point Software Technologies Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Command Software Systems Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Computer Associates Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Cray Inc. Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
CyberSoft, Inc. Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
DataFellows Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
EMC, Inc. (formerly Data General Corporation) Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Engarde Secure Linux Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
F-Secure Corporation Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
F5 Networks, Inc. Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Finjan Software Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Fortinet, Inc. Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Fujitsu Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
GFI Software, Inc. Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Hewlett-Packard Company Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM Corporation Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM Corporation (zseries) Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM eServer Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Immunix Communications, Inc. Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Ingrian Networks, Inc. Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Juniper Networks, Inc. Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Mandriva, Inc. Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
MessageLabs Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Microsoft Corporation Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
MontaVista Software, Inc. Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
NEC Corporation Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Novell, Inc. Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
OpenBSD Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Proland Software, Inc. Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
QNX, Software Systems, Inc. Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Sequent Computer Systems, Inc. Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Silicon Graphics, Inc. Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Sony Corporation Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Sophos, Inc. Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Sun Microsystems, Inc. Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Symantec, Inc. Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
The SCO Group (SCO Linux) Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
The SCO Group (SCO Unix) Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Trendmicro Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Trustix Secure Linux Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Turbolinux Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Unisys Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Wind River Systems, Inc. Unknown
Notified: September 21, 2005 Updated: September 21, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
CVSS Metrics
Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2005-February/031908.html
- http://lists.suse.com/archive/suse-security-announce/2005-Jun/0006.html
- http://secunia.com/advisories/14359/
- http://securitytracker.com/alerts/2005/Jul/1014544.html
- http://secunia.com/advisories/15776/
- http://secunia.com/advisories/15674/
Acknowledgements
This vulnerability was reported by Ulf Harnhammar.
This document was written by Jeff Gennari.
Other Information
CVE IDs: CVE-2005-0160
Severity Metric: 4.50
Date Public: 2005-02-22
Date First Published: 2005-09-21
Date Last Updated: 2005-10-28 18:05 UTC
Document Revision: 59