Debian Patches

Status for unadf/0.7.11a-6

Patch Description Author Forwarded Bugs Origin Last update
source-code-fixes fix header files no 2012-05-31
64-bit-fixes Patch to make it work on 64 bit. See news from 11 April 2011 on


Slightly modified (and removed the .depend files from the patches)

add-hardening-flags-in-compiler-options Add hardening flags in compiler options Boris Pek <> no 2012-06-19
privacy-breach.patch Remove monitoring from FAQ Stephen Kitt <> no
CVE-2016-1243_CVE-2016-1244 Fix unsafe extraction by using mkdir() instead of shell command This commit fixes following vulnerabilities:

- CVE-2016-1243: stack buffer overflow caused by blindly trusting on
pathname lengths of archived files

Stack allocated buffer sysbuf was filled with sprintf() without any
bounds checking in extracTree() function.

- CVE-2016-1244: execution of unsanitized input

Shell command used for creating directory paths was constructed by
concatenating names of archived files to the end of the command

So, if the user was tricked to extract a specially crafted .adf file,
the attacker was able to execute arbitrary code with privileges of the

This commit fixes both issues by

1) replacing mkdir shell commands with mkdir() function calls
2) removing redundant sysbuf buffer

Tuomas Rsnen <> no 2016-09-20

All known versions for source package 'unadf'