Package: unadf
Version: 0.7.11a-5
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Dear Maintainer,

See upstream ADFLib commit 8e973d7b8945 ("Fix unsafe extraction by using
mkdir() instead of shell command") [1]. 'unadf' passes the directory names
within an ADF to system() unsanitized. In the most benign failure case,
directory names beginning with '-' are interpreted as options to mkdir,
and unpacking the ADF fails.

Please update unadf to the fixed upstream version.

[1] https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd

-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-12-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages unadf depends on:
ii  libc6  2.36-9+deb12u1

unadf recommends no packages.

unadf suggests no packages.

-- no debconf information
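The following is an added illustration of the pattern the report describes, not code from unadf, ADFLib or the upstream commit: a sketch of the unsafe approach (an archive entry name spliced into a "mkdir" shell command, here only built as a string and never executed) next to a hardened replacement that validates the entry name and calls mkdir(2) directly, so a leading '-' is just a character rather than an option. All function names, the 0755 mode, the scratch directory under /tmp and the sample entry names are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical sketch of the unsafe pattern: an entry name read from the
 * archive is pasted into a shell command line. This function only builds
 * the string; if such a string were handed to system(), a name such as
 * "-v" would be parsed by mkdir as an option, and extraction would fail. */
int build_unsafe_mkdir_command(const char *entry_name, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "mkdir %s", entry_name);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Reject names that could leave the extraction root once joined to it:
 * empty names, ".", "..", anything containing '/' or a control character.
 * A leading '-' is deliberately allowed: mkdir(2) does no option parsing. */
int is_safe_entry_name(const char *name)
{
    if (name == NULL || name[0] == '\0') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (const char *p = name; *p; p++) {
        if (*p == '/' || (unsigned char)*p < 0x20) return 0;
    }
    return 1;
}

/* Hardened replacement: validate, join root and name with a bounded
 * snprintf, then call mkdir(2) directly. Returns 0 on success (including
 * when the directory already exists), -1 with errno set otherwise. */
int extract_dir(const char *root, const char *entry_name)
{
    char path[4096];
    struct stat st;

    if (!is_safe_entry_name(entry_name)) {
        errno = EINVAL;
        return -1;
    }
    int n = snprintf(path, sizeof path, "%s/%s", root, entry_name);
    if (n < 0 || (size_t)n >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (mkdir(path, 0755) == 0) return 0;
    /* Tolerate an existing directory, but never an existing non-directory. */
    if (errno == EEXIST && stat(path, &st) == 0 && S_ISDIR(st.st_mode)) return 0;
    return -1;
}

/* Create a per-process scratch root under /tmp (constructed for the demo). */
int make_scratch_root(char *buf, size_t buf_len, const char *tag)
{
    int n = snprintf(buf, buf_len, "/tmp/unadf-%s-%ld", tag, (long)getpid());
    if (n < 0 || (size_t)n >= buf_len) return -1;
    return mkdir(buf, 0755);
}

int main(void)
{
    char root[128];
    if (make_scratch_root(root, sizeof root, "demo") != 0) {
        perror("make_scratch_root");
        return 1;
    }

    /* Constructed sample entry names, as they might appear inside an ADF. */
    const char *names[] = { "-v", "Work", "../escape", "a/b" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = extract_dir(root, names[i]);
        printf("%-12s -> %s\n", names[i], rc == 0 ? "created" : strerror(errno));
    }
    return 0;
}
```

Two checks are worth keeping even after the switch to mkdir(2): the name validation, because an archive can still carry ".." or '/' in an entry name and those are a path-traversal problem regardless of how the directory is created; and the EEXIST handling, because an existing file at the target path should be treated as an error, not silently accepted.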