- Package: unace-nonfree
- Source: unace-nonfree
- Submitter: Xiang Chen
- Date: 2026-05-29 08:51:04 UTC
- Severity: normal
- Tags:
unace-nonfree 2.5 has an overlapping strcpy in the archive path processing
function. When processing an archive path containing '&' (0x26), the program
calls strcpy(ptr, ptr + 1) to shift the remaining string left by one byte.
Because source and destination overlap (src = dst + 1), this violates C11
section 7.24.2.3 and constitutes undefined behavior. On glibc 2.43+
(Ubuntu 26.04 / Debian trixie), the SIMD-optimized strcpy produces
observable data corruption in the filename buffer.
Root cause (function at offset 0xe7e0 in the stripped binary):
    char *pcVar2 = strchr(param_1, 0x26);  // find '&'
    if (pcVar2 != NULL) {
        strcpy(pcVar2, pcVar2 + 1);        // UB: src overlaps dst
    }
Trigger: any archive path containing '&', e.g.:
    unace-nonfree l '/tmp/test&file.ace'
Reproduction:
python3 -c "
import struct, binascii
body = b'\x00' + struct.pack('<H', 0) + b'**ACE**' + b'\x14\x14\x00\x00'
body += struct.pack('<II', 0, 0) + b'\x00'
body = body.ljust(27, b'\x00')
crc = (binascii.crc32(body) ^ 0xFFFFFFFF) & 0xFFFF
header = struct.pack('<HH', crc, len(body)) + body
open('/tmp/test&file.ace', 'wb').write(header)
"
valgrind --tool=memcheck unace-nonfree l '/tmp/test&file.ace'
Expected valgrind output:
Source and destination overlap in strcpy(0x..., 0x...+1)
Observable data corruption with long paths:
$ unace-nonfree l '/tmp/a&very_long_archive_name_showing_data_corruption.ace'
processing archive /tmp/a_showing_data_corruption.ace <-- GARBLED
Suggested fix: replace strcpy with memmove(ptr, ptr + 1, strlen(ptr + 1) + 1).
Since this is a binary-only package with no upstream, options include binary
patching, adding a package advisory, or considering removal.
The software is proprietary, authored by e-merge GmbH (defunct ~2000), and
unmaintained. There is no upstream to notify. A CVE ID has been requested
via MITRE CNA-LR.
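The memmove replacement suggested in the report above, as an added example; it is not part of the bug report and not the contents of 28-ub-strcpy.patch. The names strip_first_amp and check_all_lengths are hypothetical, and the sample paths are constructed. The second function checks the in-place result against a copy built in a separate buffer for every tail length, since the report's corruption only shows up with long paths.

```c
/* Added example: defined-behaviour replacement for the overlapping strcpy.
 * strip_first_amp() and check_all_lengths() are hypothetical names. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Remove the first '&' from path in place.
 * Returns 1 if a byte was removed, 0 if there was nothing to do. */
int strip_first_amp(char *path)
{
    if (path == NULL)
        return 0;
    char *amp = strchr(path, '&');
    if (amp == NULL)
        return 0;
    /* Form described in the report: strcpy(amp, amp + 1);
     * memmove is specified for overlapping regions; the +1 copies the NUL. */
    memmove(amp, amp + 1, strlen(amp + 1) + 1);
    return 1;
}

/* Compare the in-place result with one built in a separate buffer (no
 * overlap) for every tail length up to max_tail. Returns the mismatch count. */
int check_all_lengths(size_t max_tail)
{
    int bad = 0;
    for (size_t n = 0; n <= max_tail; n++) {
        char *in = malloc(n + 8), *want = malloc(n + 8);
        if (!in || !want) { free(in); free(want); return -1; }
        memcpy(in, "/tmp/a&", 7);           /* constructed sample prefix */
        memcpy(want, "/tmp/a", 6);
        for (size_t i = 0; i < n; i++)
            in[7 + i] = want[6 + i] = (char)('a' + i % 26);
        in[7 + n] = '\0';
        want[6 + n] = '\0';
        if (strip_first_amp(in) != 1 || strcmp(in, want) != 0)
            bad++;
        free(in);
        free(want);
    }
    return bad;
}

int main(void)
{
    char p[] = "/tmp/a&very_long_archive_name_showing_data_corruption.ace";
    strip_first_amp(p);
    printf("%s\n", p);
    printf("mismatches: %d\n", check_all_lengths(256));
    return 0;
}
```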
We believe that the bug you reported is fixed in the latest version of
unace-nonfree, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1138161@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fabian Greffrath <fabian@debian.org> (supplier of updated unace-nonfree package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 29 May 2026 09:49:29 +0200
Source: unace-nonfree
Architecture: source
Version: 2.5-11
Distribution: unstable
Urgency: medium
Maintainer: Fabian Greffrath <fabian@debian.org>
Changed-By: Fabian Greffrath <fabian@debian.org>
Closes: 1110904 1138161
Changes:
unace-nonfree (2.5-11) unstable; urgency=medium
.
* 18-stack-corruption.patch: Do not terminate the converted string
* at the length of original string (Closes: #1110904)
* 28-ub-strcpy.patch: Fix overlapping strcpy in path processing
(Closes: #1138161)
* 20-isatty.diff: Rename to 20-isatty.patch
* Bump Standards-Version to 4.7.4, drop redundant Priority and RRR
fields
* Fix versionless symlink license and update Debian packaging
copyright year