Package: unace
Version: 1.2b-26
Severity: important
Tags: security

unace 1.2b has a heap buffer over-read in the ACE archive magic signature
scanner. The scanner reads input in 1024-byte chunks into a heap buffer
(malloc(0x400)) and performs 4-byte integer comparisons at every byte offset
0 through 1023. At offsets 1021 through 1023, the 4-byte read extends 1 to
3 bytes beyond the buffer boundary, reading adjacent heap memory.

The data read is only compared against fixed magic constants and discarded on
mismatch, so the over-read does not leak heap contents to the attacker
directly. The read is still undefined behaviour: it can fault if the allocation
happens to end at the edge of mapped memory or under a hardened allocator that
guards the end of a block, and Valgrind or an ASan-instrumented build flags it.

Root cause (function at offset 0x3480 in the stripped binary, reconstructed):

unsigned char *buf = malloc(0x400);          /* 1024 bytes */
ssize_t n = read(fd, buf, 0x400);            /* fill buffer; n is not used as the loop bound */
for (int i = 0; i < 0x400; i++) {            /* iterates 0..1023 */
    if (*(uint32_t *)(buf + i) == MAGIC) ... /* 4-byte read at buf+i */
}

At i=1021, 1022, 1023: reads 4 bytes starting at buf+1021/1022/1023, which
extends 1/2/3 bytes past the 1024-byte allocation.

Trigger: processing any file where the scanner does not match the signature at
an offset where the comparison still lies inside the chunk, i.e. where the loop
reaches i = 1021 (a match at offset 1020 still reads within bounds). This
includes non-ACE files, corrupt archives, and valid archives preceded by enough
padding.

Reproduction:

valgrind --tool=memcheck unace l /dev/null

# Or via Docker:
docker run --rm ubuntu:26.04 bash -c \
"apt-get update -qq && apt-get install -y -qq unace valgrind && \
dd if=/dev/urandom of=/tmp/test.ace bs=2048 count=1 2>/dev/null && \
valgrind unace l /tmp/test.ace 2>&1 | grep 'Invalid read'"

Expected valgrind output (exact addresses vary):
Invalid read of size 4
at 0x35CC: (in /usr/bin/unace)
Address 0x... is 0 bytes after a block of size 1,024 alloc'd

Suggested fix: change the loop bound from i < 0x400 to i < (0x400 - 3)
(equivalently i + 4 <= 0x400), so the last 4-byte read starts at offset 1020
and ends inside the buffer. Bounding by the number of bytes actually read
(i + 4 <= n) is better still, since a short read otherwise leaves the tail of
the buffer stale or uninitialized and the scanner compares against it.
Allocating 4 extra bytes instead (malloc(0x404)) only silences the out-of-bounds
access: the comparisons at i >= 1021 then depend on uninitialized bytes, which
Valgrind still reports, so that route would at least need a zeroed buffer
(calloc).

Since this is a binary-only package with no upstream, options include binary
patching, adding a package advisory, or considering removal.

The software is proprietary, authored by e-merge GmbH (defunct ~2000), and
unmaintained. There is no upstream to notify. A CVE ID has been requested
via MITRE CNA-LR.

Reply via email to