Your message dated Fri, 29 May 2026 08:48:39 +0000
with message-id <[email protected]>
and subject line Bug#1138161: fixed in unace-nonfree 2.5-11
has caused the Debian Bug report #1138161,
regarding unace-nonfree: overlapping strcpy in path processing (CWE-119)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138161: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138161
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unace-nonfree
Version: 2.5-10
Severity: important
Tags: security

unace-nonfree 2.5 has an overlapping strcpy in the archive path processing
function. When processing an archive path containing '&' (0x26), the program
calls strcpy(ptr, ptr + 1) to shift the remaining string left by one byte.

Because source and destination overlap (src = dst + 1), this violates C11
section 7.24.2.3 and constitutes undefined behavior. On glibc 2.43+
(Ubuntu 26.04 / Debian trixie), the SIMD-optimized strcpy produces
observable data corruption in the filename buffer.

Root cause (function at offset 0xe7e0 in the stripped binary):

    char *pcVar2 = strchr(param_1, 0x26);   // find '&'
    if (pcVar2 != NULL) {
        strcpy(pcVar2, pcVar2 + 1);         // UB: src overlaps dst
    }

Trigger: any archive path containing '&', e.g.:
unace-nonfree l '/tmp/test&file.ace'

Reproduction:

python3 -c "
import struct, binascii
body = b'\x00' + struct.pack('<H', 0) + b'**ACE**' + b'\x14\x14\x00\x00'
body += struct.pack('<II', 0, 0) + b'\x00'
body = body.ljust(27, b'\x00')
crc = (binascii.crc32(body) ^ 0xFFFFFFFF) & 0xFFFF
header = struct.pack('<HH', crc, len(body)) + body
open('/tmp/test&file.ace', 'wb').write(header)
"
valgrind --tool=memcheck unace-nonfree l '/tmp/test&file.ace'

Expected valgrind output:
Source and destination overlap in strcpy(0x..., 0x...+1)

Observable data corruption with long paths:
$ unace-nonfree l '/tmp/a&very_long_archive_name_showing_data_corruption.ace'
processing archive /tmp/a_showing_data_corruption.ace <-- GARBLED

Suggested fix: replace strcpy with memmove(ptr, ptr + 1, strlen(ptr + 1) + 1).
Since this is a binary-only package with no upstream, options include binary
patching, adding a package advisory, or considering removal.

The software is proprietary, authored by e-merge GmbH (defunct ~2000), and
unmaintained. There is no upstream to notify. A CVE ID has been requested
via MITRE CNA-LR.

--- End Message ---
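
The in-place shift suggested in the report above, written with memmove and checked against the report's own paths. This is an added example, not code from unace-nonfree or from the Debian patch; the names drop_first_amp and check_drop are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not unace code: delete the first '&' in place.
 * The reported pattern was strcpy(amp, amp + 1), which is undefined
 * because the regions overlap; memmove() is defined for that case. */
static int drop_first_amp(char *path)
{
    char *amp = strchr(path, '&');
    if (amp == NULL)
        return 0;                       /* nothing to remove */
    /* Shift the tail, including its NUL, one byte to the left. */
    memmove(amp, amp + 1, strlen(amp + 1) + 1);
    return 1;
}

/* Run the helper on a private copy and compare with the expected result.
 * Returns 1 on match, 0 on mismatch, -1 if the input does not fit. */
static int check_drop(const char *in, const char *want)
{
    char buf[256];
    if (strlen(in) >= sizeof buf)
        return -1;
    memcpy(buf, in, strlen(in) + 1);
    drop_first_amp(buf);
    return strcmp(buf, want) == 0;
}

int main(void)
{
    /* Constructed inputs; the first is the long path from the report. */
    const char *in = "/tmp/a&very_long_archive_name_showing_data_corruption.ace";
    const char *want = "/tmp/avery_long_archive_name_showing_data_corruption.ace";
    printf("long path: %s\n", check_drop(in, want) == 1 ? "ok" : "MISMATCH");
    printf("no '&':    %s\n",
           check_drop("/tmp/plain.ace", "/tmp/plain.ace") == 1 ? "ok" : "MISMATCH");
    return 0;
}
```

Building this with -fsanitize=address and swapping memmove back to strcpy makes the sanitizer report the overlap, which is a quick regression check for a patched build.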
--- Begin Message ---
Source: unace-nonfree
Source-Version: 2.5-11
Done: Fabian Greffrath <[email protected]>

We believe that the bug you reported is fixed in the latest version of
unace-nonfree, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Greffrath <[email protected]> (supplier of updated unace-nonfree package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 29 May 2026 09:49:29 +0200
Source: unace-nonfree
Architecture: source
Version: 2.5-11
Distribution: unstable
Urgency: medium
Maintainer: Fabian Greffrath <[email protected]>
Changed-By: Fabian Greffrath <[email protected]>
Closes: 1110904 1138161
Changes:
 unace-nonfree (2.5-11) unstable; urgency=medium
 .
   * 18-stack-corruption.patch: Do not terminate the converted string
     at the length of original string (Closes: #1110904)
   * 28-ub-strcpy.patch: Fix overlapping strcpy in path processing
     (Closes: #1138161)
   * 20-isatty.diff: Rename to 20-isatty.patch
   * Bump Standards-Version to 4.7.4, drop redundant Priority and RRR
     fields
   * Fix versionless symlink license and update Debian packaging
     copyright year

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
