Hi!
On Thu, 2026-05-28 at 21:03:00 +0800, Xiang Chen wrote:
> Package: unace
> Version: 1.2b-26
> Severity: important
> Tags: security
> unace 1.2b has a heap buffer over-read in the ACE archive magic signature
> scanner. The scanner reads input in 1024-byte chunks into a heap buffer
> (malloc(0x400)) and performs 4-byte integer comparisons at every byte offset
> 0 through 1023. At offsets 1021 through 1023, the 4-byte read extends 1 to
> 3 bytes beyond the buffer boundary, reading adjacent heap memory.
>
> The read data is compared against fixed magic constants and discarded on
> mismatch, so information does not leak to the attacker directly. However,
> the read itself is undefined behavior and may cause crashes on hardened
> allocators or ASAN-instrumented builds.
>
> Root cause (function at offset 0x3480 in the stripped binary):
>
> buf = malloc(0x400); // 1024 bytes
> n = read(fd, buf, 0x400); // fill buffer
> for (i = 0; i < 0x400; i++) { // iterates 0..1023
> if (*(uint32_t*)(buf + i) == MAGIC) ... // 4-byte read at buf+i
> }
>
> At i=1021, 1022, 1023: reads 4 bytes starting at buf+1021/1022/1023, which
> extends 1/2/3 bytes past the 1024-byte allocation.
>
> Trigger: processing any file where the ACE magic signature is not found
> within the first 1018 bytes of a scan chunk (includes non-ACE files,
> corrupt archives, and valid archives with padding).
>
> Reproduction:
>
> valgrind --tool=memcheck unace l /dev/null
>
> # Or via Docker:
> docker run --rm ubuntu:26.04 bash -c \
> "apt-get update -qq && apt-get install -y -qq unace valgrind && \
> dd if=/dev/urandom of=/tmp/test.ace bs=2048 count=1 2>/dev/null && \
> valgrind unace l /tmp/test.ace 2>&1 | grep 'Invalid read'"
>
> Expected valgrind output:
> Invalid read of size 4
> at 0x35CC: (in /usr/bin/unace)
> Address 0x... is 0 bytes after a block of size 1,024 alloc'd
>
> Suggested fix: change loop bound from i < 0x400 to i < (0x400 - 3), or
> allocate 4 extra bytes: malloc(0x404).
Thanks for the report, will try to take a look and map that into the
actual source, but if you could do that, it would save me some time.
> Since this is a binary-only package with no upstream, options include binary
> patching, adding a package advisory, or considering removal.
>
> The software is proprietary, authored by e-merge GmbH (defunct ~2000), and
> unmaintained. There is no upstream to notify. A CVE ID has been requested
> via MITRE CNA-LR.
This package is neither proprietary nor binary-only; it contains source
and is free software, which is why it is in the main section of the Debian
archive. In addition, there is readily available debug information as part
of the unace-dbgsym binary package, which could have helped with the
missing context here.
Thanks,
Guillem
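As an added illustration of the bounds problem described in the report above (this is example code written for this page, not code from unace or from the Debian package), the scanner below compares a 4-byte value at each offset only while all four bytes lie inside the buffer, and it carries the last three bytes of each 1024-byte chunk into the next one so that a signature straddling a chunk boundary is still found. The magic constant, the in-memory "file" and the chunk reader are constructed for the example; the real ACE signature value and the package's actual scanner are not on the page and are not reproduced here. The carry-over between chunks goes beyond the report's suggested loop-bound fix, which on its own would stop checking at offset 1020 and never see a signature that begins at 1021 to 1023.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed magic value for this example; not the real ACE signature. */
#define EXAMPLE_MAGIC 0x41434521u
#define CHUNK_SIZE 0x400 /* 1024 bytes, as in the report */

/* Bounded scan: compare at offset i only if buf[i..i+3] is inside buf[0..n).
 * memcpy avoids an unaligned uint32_t load, which is itself undefined
 * behaviour on strict targets. Returns the first match or -1. */
long scan_for_magic(const uint8_t *buf, size_t n, uint32_t magic)
{
    if (n < 4) return -1;
    for (size_t i = 0; i + 4 <= n; i++) {
        uint32_t v;
        memcpy(&v, buf + i, 4);
        if (v == magic) return (long)i;
    }
    return -1;
}

/* Chunked scan over an in-memory file: CHUNK_SIZE bytes at a time, keeping
 * the last 3 bytes of the previous chunk in front of the next one so a
 * signature that straddles a chunk boundary is still found.
 * Returns the absolute file offset of the first match, or -1. */
long find_magic_chunked(const uint8_t *file, size_t file_len, uint32_t magic)
{
    uint8_t buf[CHUNK_SIZE + 3]; /* room for the 3 carried bytes */
    size_t carry = 0, pos = 0;
    while (pos < file_len) {
        size_t n = file_len - pos < CHUNK_SIZE ? file_len - pos : CHUNK_SIZE;
        memcpy(buf + carry, file + pos, n);
        /* buf[0..carry) mirrors file[pos-carry..pos), so a hit at buf index
         * h is at absolute offset pos - carry + h */
        long hit = scan_for_magic(buf, carry + n, magic);
        if (hit >= 0) return (long)(pos - carry) + hit;
        size_t total = carry + n;
        size_t keep = total < 3 ? total : 3;
        memmove(buf, buf + total - keep, keep);
        carry = keep;
        pos += n;
    }
    return -1;
}

/* Constructed input: zero-filled file with the magic written at magic_at.
 * Host byte order is used on both the write and the read side, so the
 * comparison is consistent regardless of endianness. */
static void make_file(uint8_t *file, size_t len, size_t magic_at)
{
    uint32_t m = EXAMPLE_MAGIC;
    memset(file, 0, len);
    memcpy(file + magic_at, &m, 4);
}

/* Magic at 1020: the last offset where all 4 bytes are still in the chunk. */
long demo_last_legal_offset(void)
{
    uint8_t file[CHUNK_SIZE];
    make_file(file, sizeof file, CHUNK_SIZE - 4);
    return scan_for_magic(file, CHUNK_SIZE, EXAMPLE_MAGIC); /* 1020 */
}

/* Magic at 1022: two bytes in chunk 0, two in chunk 1. A bounded scan of
 * chunk 0 alone must not read past the buffer, so it reports no match. */
long demo_straddle_single_chunk(void)
{
    uint8_t file[2 * CHUNK_SIZE];
    make_file(file, sizeof file, CHUNK_SIZE - 2);
    return scan_for_magic(file, CHUNK_SIZE, EXAMPLE_MAGIC); /* -1 */
}

/* Same file, chunked scan with carry-over: the straddling magic is found. */
long demo_straddle_chunked(void)
{
    uint8_t file[2 * CHUNK_SIZE];
    make_file(file, sizeof file, CHUNK_SIZE - 2);
    return find_magic_chunked(file, sizeof file, EXAMPLE_MAGIC); /* 1022 */
}

/* Magic entirely inside the second chunk, to check the offset arithmetic. */
long demo_second_chunk(void)
{
    uint8_t file[2 * CHUNK_SIZE];
    make_file(file, sizeof file, 1500);
    return find_magic_chunked(file, sizeof file, EXAMPLE_MAGIC); /* 1500 */
}

int main(void)
{
    printf("last legal offset:    %ld\n", demo_last_legal_offset());
    printf("straddle, one chunk:  %ld\n", demo_straddle_single_chunk());
    printf("straddle, chunked:    %ld\n", demo_straddle_chunked());
    printf("second chunk:         %ld\n", demo_second_chunk());
    return 0;
}
```

The loop condition `i + 4 <= n` is the same fix as the report's `i < (0x400 - 3)` but expressed in terms of the number of bytes actually read, so a short final read is handled too. The alternative the report mentions, allocating four spare bytes, only stops the checker complaining if those bytes are also initialised; the compare would otherwise run on bytes that are not file data, which is why this example bounds the loop and carries real bytes across the boundary instead.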