I have found multiple security vulnerabilities in unace-1.2b. (It is the last free version. The later versions are just binaries for the x86 processor, which is unhelpful if you want to use free software or if your computer has a non-x86 processor.)

There are two buffer overflows when extracting, testing or listing specially prepared ACE archives. They are caused by wrong usage of strncpy() with the third parameter (the copy length) taken directly from the archive. In both cases, the attacker controls the EIP register.

There are also two buffer overflows when (a) dealing with long (more than 15600 characters) command line arguments for archive names, and (b) preparing a string for printing "Ready for next volume" messages.

Furthermore, there are directory traversal bugs when extracting ACE archives. They are both of the absolute ("/etc/nologin") and the relative ("../../../../../../../etc/nologin") type.

All buffer overflows have the identifier CAN-2005-0160, and the directory traversal bugs have the identifier CAN-2005-0161.

I have attached a ZIP archive containing some test archives and a patch. I wrote a small Perl script to create the test archives, after having read ACE.txt. I didn't have the time to create archives that work on unace-2.x, so I haven't really tested whether later versions of unace are vulnerable to any of these bugs.

The vendor and the distributors have been contacted, and the 22nd of February was agreed upon as the release date.

// Ulf Härnhammar for the Debian Security Audit Project
http://www.debian.org/security/audit/

Run this to get my new e-mail address:
lynx -source http://slashdot.org/ | head -n1 | sed -e 's%".*$%%' \ -e 'y%TC!%aa#%' -e 's%UB%te%g' -e 'y%
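The two bug classes named above (a copy length read from the archive header and passed straight to strncpy(), and entry names that are absolute or contain ".." components) share the same fix shape in any archive extractor. The C below is an added illustration written for this page; it is not unace's code and does not parse the real ACE header format. The buffer size NAME_BUF, the function names and the sample entry names are all made up for the example; the only assumption about ACE is that, as a DOS-era format, names may use "\" as well as "/" as a separator.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256   /* hypothetical fixed-size name buffer */

/*
 * Shape of the bug described in the advisory (illustrative, not unace's
 * code): the length field is read from the archive header and handed to
 * strncpy() unchecked.  A header that claims a 60000-byte name overruns
 * the 256-byte buffer; on the stack that overwrites the saved return
 * address, which is why the attacker ends up controlling EIP.
 * Deliberately never called here.
 */
void copy_name_unchecked(char *dst, const uint8_t *src, uint16_t len_from_archive)
{
    char name[NAME_BUF];
    strncpy(name, (const char *)src, len_from_archive); /* BUG: len not bounded */
    name[NAME_BUF - 1] = '\0';
    strcpy(dst, name);
}

/*
 * Hardened copy: the header-supplied length must fit the destination
 * (leaving room for the terminator) and must not exceed the bytes that
 * actually remain in the input.  The name is always NUL-terminated.
 */
bool copy_name_checked(char *dst, size_t dstsz, const uint8_t *src,
                       size_t avail, size_t len_from_archive)
{
    if (dstsz == 0 || len_from_archive >= dstsz || len_from_archive > avail)
        return false;
    memcpy(dst, src, len_from_archive);
    dst[len_from_archive] = '\0';
    return true;
}

/*
 * Directory traversal check.  Rejects empty names, absolute paths
 * ("/etc/nologin", "\foo", "C:..."), and any path component equal to
 * "..", treating both "/" and "\" as separators (assumption: ACE names
 * may carry DOS-style backslashes).
 */
bool safe_relative_path(const char *name)
{
    if (name[0] == '\0' || name[0] == '/' || name[0] == '\\')
        return false;
    if (isalpha((unsigned char)name[0]) && name[1] == ':')
        return false;                      /* drive-letter prefix */
    const char *p = name;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        if ((size_t)(p - seg) == 2 && seg[0] == '.' && seg[1] == '.')
            return false;                  /* ".." component */
        if (*p)
            p++;
    }
    return true;
}

enum entry_verdict { ENTRY_OK = 0, ENTRY_BAD_LENGTH = 1, ENTRY_TRAVERSAL = 2 };

/*
 * Per-entry check an extractor would run before creating any file:
 * `raw`/`avail` are the bytes still available in the header, `claimed_len`
 * is the length field as read from the archive.
 */
enum entry_verdict check_entry(const char *raw, size_t avail, size_t claimed_len)
{
    char name[NAME_BUF];
    if (!copy_name_checked(name, sizeof name, (const uint8_t *)raw, avail, claimed_len))
        return ENTRY_BAD_LENGTH;
    if (!safe_relative_path(name))
        return ENTRY_TRAVERSAL;
    return ENTRY_OK;
}

int main(void)
{
    /* Constructed sample entries, modelled on the advisory's examples. */
    const char *samples[] = {
        "docs/readme.txt",
        "/etc/nologin",
        "../../../../../../../etc/nologin",
        "a/..\\b",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s -> %d\n", samples[i], check_entry(samples[i], strlen(samples[i]), strlen(samples[i])));
    /* A header that lies about its length is rejected before any copy. */
    printf("%-36s -> %d\n", "x.txt (claimed 60000)", check_entry("x.txt", 5, 60000));
    return 0;
}
```

The point of copy_name_checked() is that both bounds are checked against values the attacker does not control: the destination size is a compile-time constant and `avail` is derived from how many bytes were actually read. The traversal check is done on the fully copied name rather than on a prefix, so an entry such as "a/../b" that only looks safe in its first segment is still caught.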