*** stack smashing detected ***: /usr/bin/unace terminated

Bug #179684 reported by tdn
Affects                   Status         Importance   Assigned to   Milestone
unace-nonfree (Ubuntu)    Fix Released   Low          Unassigned
  Hardy                   Won't Fix      Low          Unassigned
  Lucid                   Fix Released   Low          Unassigned

Bug Description

unace crashes when trying to list contents of an ace archive:

I have only one .ace archive to test on, so I have not been able to test with other files than this one.

Steps to reproduce:
1: open zsh
2: type: unace l archive.ace
3: Watch as unace begins to print file names.
4: After some time, unace crashes and prints:
*** stack smashing detected ***: /usr/bin/unace terminated
zsh: abort (core dumped) unace l

I have ticked the button to notify Ubuntu Security Team since I suspect stack smashing might be related to a buffer overflow.

Any suggestions on how to debug this further?
I have just installed the unace-dbgsym and will try tracing it with gdb.

Revision history for this message
Michael Bienia (geser) wrote :

Can you make the ace archive available?

Revision history for this message
tdn (spam-thomasdamgaard) wrote :

Unfortunately I cannot do that at this moment.

Revision history for this message
tdn (spam-thomasdamgaard) wrote :

Is there any way I can debug this further without providing the full ace archive?
If I can find the section of the ace archive that is causing the crash, maybe I can create an ace archive that will do.

Revision history for this message
Michael Bienia (geser) wrote :

Can you run apport on the crash file (check if one exists in /var/crash/) so we can get a backtrace or provide a useful backtrace yourself?

Revision history for this message
tdn (spam-thomasdamgaard) wrote :

There is no crash file for this binary in /var/crash.
However, I found this: http://www.debian-administration.org/articles/408

I have tried to run the unace binary in gdb, but for some reason this does not work.

Revision history for this message
Daniel T Chen (crimsun) wrote :

Is this symptom still reproducible in 8.10?

Changed in unace:
status: New → Incomplete
Revision history for this message
Pedro Villavicencio (pedro) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to New. Thanks again!

Changed in unace:
status: Incomplete → Invalid
P Stahlman (pstahlman)
Changed in unace (Ubuntu):
status: Invalid → New
Revision history for this message
P Stahlman (pstahlman) wrote :

I have been able to recreate the problem on several ace files using package unace-nonfree, but not when using package unace.
Is it possible that the bug was actually detected by using unrar-nonfree?

The good news is I managed to find the problem and have attached the patch for unace-free.

Revision history for this message
Michael Bienia (geser) wrote :

As you were able to reproduce this, can you give steps how to build an archive to reproduce this? Or even attach one?

Revision history for this message
P Stahlman (pstahlman) wrote :

Here is a tiny archive with one file in it. The file name is very long, triggering the buffer overrun.

(I created it on a windows machine using winace, not sure if we can create ace archives under unix)

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

P Stahlman, I am unable to crash unace using your reproducer. I tried on both hardy and karmic on amd64 (perhaps this is i386 specific?). E.g.:
$ unace x ./acev2.ace
UNACE v1.2 public version

Processing archive: ./acev2.ace

Authenticity Verification:
created on 16.11.2009 by *UNREGISTERED VERSION*

New Text sdjkjhdsf ds skdshf hkjds hfjhds fkhds kfjh dskjhf dskjhf kjhds fkj hdskfjh skjfdh kjhds kjfhsd fkjh skjfdh kj hkj hkjh sdfh kj hkdsjfh kj hksjdhf hj kj hsdkjf hdskjf hsdfkjh sdf h Docu.txt.txt
 Extracting
File compressed with unknown method. Decompression not possible.

Error occurred

Can you give the exact steps to reproduce the problem?

Changed in unace (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
Revision history for this message
Michael Bienia (geser) wrote :

I can reproduce this crash with unace-nonfree (but not with unace) on amd64. So this bug should be reassigned to unace-nonfree.

Extracting works (unace x acev2.ace), but listing the contents crashes:
$ unace l ./acev2.ace

UNACE v2.5 Copyright by ACE Compression Software May 12 2008 17:02:03

processing archive /tmp/./acev2.ace
created on 16.11.2009 with ver 2.0 by
*UNREGISTERED VERSION*
Contents of archive acev2.ace

  Date Time Packed Size Ratio File

16.11.09 21:02 264 35264 0% /..skjf hsdfkjh sdf h Docu.txt.txt*** stack smashing detected ***: /usr/bin/unace terminated
Segmentation fault

(gdb) bt
#0 0x00007ffff7868c27 in ?? () from /lib/libgcc_s.so.1
#1 0x00007ffff786948b in _Unwind_Backtrace () from /lib/libgcc_s.so.1
#2 0x00007ffff7b6773e in backtrace () from /lib/libc.so.6
#3 0x00007ffff7adbcab in ?? () from /lib/libc.so.6
#4 0x00007ffff7b675f7 in __fortify_fail () from /lib/libc.so.6
#5 0x00007ffff7b675c0 in __stack_chk_fail () from /lib/libc.so.6
#6 0x000000000040c9dd in APPS_EXE_ACEFUNCS_List (Verbose=0)
    at source/apps/exe/acefuncs/acefuncs.c:146
#7 0x6b206a6820666864 in ?? ()
[...]
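The backtrace above shows the classic shape of this bug class: `__stack_chk_fail` fires from the listing routine, and the "return address" in frame #7 (0x6b206a6820666864) decodes, read as little-endian bytes, to the ASCII string "dhf hj k", which is a fragment of the long file name in the reproducer. The name was copied into a fixed-size stack buffer without a length check and ran over the canary and the saved return address. The following is an added example, not unace's code and not the Debian patch: it uses a constructed, simplified header layout (a 16-bit name length followed by the name bytes, which is an assumption, not the ACE format) and shows the check a lister needs, namely validating the header's length field both against the record actually read and against the destination buffer before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified header record (NOT the real ACE layout):
 *   bytes [0..1]  name length, little-endian uint16
 *   bytes [2..]   name bytes, not NUL-terminated                     */

/* Size of the lister's stack buffer for an entry name (assumption). */
#define NAME_BUF_SIZE 256

enum parse_status {
    PARSE_OK            =  0,
    PARSE_TRUNCATED     = -1,   /* record shorter than its own length field claims */
    PARSE_NAME_TOO_LONG = -2    /* name would not fit in the destination buffer */
};

/* Copy the entry name out of a header record into dst, never writing more
 * than dst_size - 1 bytes plus the terminator. Untrusted data decides the
 * length field, so it is checked before memcpy, not after.               */
int parse_entry_name(const uint8_t *rec, size_t rec_len, char *dst, size_t dst_size)
{
    if (rec_len < 2)
        return PARSE_TRUNCATED;
    uint16_t name_len = (uint16_t)(rec[0] | (rec[1] << 8));
    if ((size_t)name_len > rec_len - 2)        /* header claims more bytes than were read */
        return PARSE_TRUNCATED;
    if (dst_size == 0 || (size_t)name_len >= dst_size) {   /* no room for name + NUL */
        if (dst_size > 0)
            dst[0] = '\0';
        return PARSE_NAME_TOO_LONG;
    }
    memcpy(dst, rec + 2, name_len);
    dst[name_len] = '\0';
    return PARSE_OK;
}

/* Build a constructed record whose name is name_len copies of `fill`.
 * Returns the record length, or 0 if it does not fit in `out`.          */
size_t make_record(uint8_t *out, size_t out_size, size_t name_len, char fill)
{
    if (name_len > 0xFFFF || out_size < name_len + 2)
        return 0;
    out[0] = (uint8_t)(name_len & 0xFF);
    out[1] = (uint8_t)(name_len >> 8);
    memset(out + 2, (unsigned char)fill, name_len);
    return name_len + 2;
}

/* Simulated "list one entry": the name buffer lives on the stack exactly as
 * in the crashing lister, but the bounded parser refuses oversized names
 * instead of overrunning it. Returns the parser's status.               */
int list_record(size_t name_len)
{
    uint8_t rec[4096];
    char name[NAME_BUF_SIZE];
    size_t n = make_record(rec, sizeof rec, name_len, 'k');
    if (n == 0)
        return PARSE_TRUNCATED;
    int rc = parse_entry_name(rec, n, name, sizeof name);
    if (rc == PARSE_OK)
        printf("entry: %s\n", name);
    else
        fprintf(stderr, "entry name of %zu bytes rejected (rc=%d)\n", name_len, rc);
    return rc;
}

int main(void)
{
    list_record(8);      /* lists cleanly */
    list_record(1000);   /* rejected: the case that smashed the stack */
    return 0;
}
```

The key design point is that the record length known to the reader (how many bytes were really read from the file) and the destination size are both inputs to the check; a header field alone is never trusted as a copy length. Raising the buffer to the format's maximum name length, as the Debian fix does, removes the overrun only if the format really bounds the length; keeping the check as well means a corrupt or hostile header degrades to an error message rather than a crash.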

affects: unace (Ubuntu) → unace-nonfree (Ubuntu)
Revision history for this message
P Stahlman (pstahlman) wrote :

Comment #8 is wrong, the last part should read:

"Is it possible that the bug was actually detected by using unace-nonfree?

The good news is I managed to find the problem and have attached the patch for unace-nonfree."

As Michael states in #12, it is the listing of the archive that fails, not the extraction.

We have a test case and a patch which I have verified. Do we need anything else to proceed with this?

Revision history for this message
Kees Cook (kees) wrote :

Thanks for working up this patch!

This has been fixed in Debian and the fixed version will appear soon in Lucid. If an updated version for earlier releases (except Hardy) is desired, please follow the instructions here: https://wiki.ubuntu.com/StableReleaseUpdates

For Hardy, since the stack overflow is not caught by the FORTIFY options, the security sponsorship process should be followed: https://wiki.ubuntu.com/SponsorshipProcess

Changed in unace-nonfree (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
status: Incomplete → Fix Committed
Changed in unace-nonfree (Ubuntu Hardy):
status: New → Triaged
importance: Undecided → Low
Changed in unace-nonfree (Ubuntu Lucid):
importance: Undecided → Low
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unace-nonfree - 2.5-6

---------------
unace-nonfree (2.5-6) unstable; urgency=low

  * Updated my email address.
  * Bumped Standards-Version to 3.8.3.
  * Removed duplicate binary control field "section".
  * Added debian/README.source file.
  * Fixed Debian packaging copyright information.
  * debian/patches/13-maximum-file-name-length.dpatch: New patch,
    increase buffer to cater for maximum file name length (LP: #179684).
  * Added debian/watch file.
 -- Ubuntu Archive Auto-Sync <email address hidden> Fri, 05 Feb 2010 17:09:52 +0000

Changed in unace-nonfree (Ubuntu Lucid):
status: Fix Committed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against 179684:unace-nonfree:hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

Changed in unace-nonfree (Ubuntu Hardy):
status: Triaged → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.
