Univention Bugzilla – Bug 47513
libmspack: Multiple issues (4.3)
Last modified: 2018-08-15 13:14:54 CEST
New Debian libmspack 0.5-1.A~4.3.1.201808081421 fixes: This update addresses the following issue(s): * * mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted CHM file. (CVE-2017-6419) * The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2 and other products, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted CAB file. (CVE-2017-11423) * An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service (uninitialized data dereference and application crash). (CVE-2018-14679) * An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. It does not reject blank CHM filenames. (CVE-2018-14680) * An issue was discovered in kwajd_read_headers in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file header extensions could cause a one or two byte overwrite. (CVE-2018-14681) * An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the TOLOWER() macro for CHM decompression. (CVE-2018-14682) 0.5-1+deb9u2 (Thu, 02 Aug 2018 19:18:37 +0200) * Non-maintainer upload. * Add security related patches: - 0b0ef9344255 ("kwaj_read_headers(): fix handling of non-terminated strings") CVE-2018-14681 (Closes: 904799). - 4fd9ccaa54e1 ("Fix off-by-one error in chmd TOLOWER() fallback") CVE-2018-14682 (Closes: 904800). - 72e70a921f0f ("Fix off-by-one bounds check on CHM PMGI/PMGL chunk numbers and reject empty filenames.") CVE-2018-14679, CVE-2018-14680 (Closes: 904802, 904801). 0.5-1+deb9u1 (Wed, 16 Aug 2017 21:42:50 +0200) * Correct rejection of empty strings. * Fix mis-handling of sys->read() errors in cabd_read_string() (CVE-2017-11423). * Reject negative output length in SpanInfo (CVE-2017-6419) . * CVE-2017-6419 libmspack, clamav: heap-based buffer overflow in mspack/lzxd.c (CVE-2017-6419) * CVE-2017-11423 libmspack, clamav: Stack-based buffer over-read in cabd_read_string function (CVE-2017-11423) * CVE-2018-14679 libmspack: off-by-one error in the CHM PMGI/PMGL chunk number validity checks (CVE-2018-14679) * CVE-2018-14680 libmspack: off-by-one error in the CHM chunk number validity checks (CVE-2018-14680) * CVE-2018-14681 libmspack: Out-of-bounds Write in kwajd_read_headers in mspack/kwajd.c (CVE-2018-14681) * CVE-2018-14682 libmspack: off-by-one error in the TOLOWER() macro for CHM decompression (CVE-2018-14682)
--- mirror/ftp/4.3/unmaintained/4.3-0/source/libmspack_0.5-1.A~4.3.0.201711291434.dsc +++ apt/ucs_4.3-0-errata4.3-1/source/libmspack_0.5-1.A~4.3.1.201808081421.dsc @@ -1,6 +1,18 @@ -0.5-1.A~4.3.0.201711291434 [Thu, 30 Nov 2017 03:44:23 +0100] Univention builddaemon <buildd@univention.de>: +0.5-1.A~4.3.1.201808081421 [Wed, 08 Aug 2018 14:21:26 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. No patches were applied to the original source package + +0.5-1+deb9u2 [Thu, 02 Aug 2018 19:18:37 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: + + * Non-maintainer upload. + * Add security related patches: + - 0b0ef9344255 ("kwaj_read_headers(): fix handling of non-terminated + strings") CVE-2018-14681 (Closes: 904799). + - 4fd9ccaa54e1 ("Fix off-by-one error in chmd TOLOWER() fallback") + CVE-2018-14682 (Closes: 904800). + - 72e70a921f0f ("Fix off-by-one bounds check on CHM PMGI/PMGL chunk + numbers and reject empty filenames.") CVE-2018-14679, + CVE-2018-14680 (Closes: 904802, 904801). 0.5-1+deb9u1 [Wed, 16 Aug 2017 21:42:50 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: <http://10.200.17.11/4.3-1/#5068712437307279697>
OK: patches OK: piuparts OK: yaml OK: errata-announce libmspack.yaml [4.3-1] 4682874bf1 Bug #47513: libmspack 0.5-1.A~4.3.1.201808081421 doc/errata/staging/libmspack.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+)
<http://errata.software-univention.de/ucs/4.3/185.html>