Bug 47513 – libmspack: Multiple issues (4.3)

Bug 47513 - libmspack: Multiple issues (4.3)


Summary:	libmspack: Multiple issues (4.3)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 4.3
Hardware:	All Linux

Importance:	P3 normal (vote)
Target Milestone:	UCS 4.3-1-errata
Assigned To:	Quality Assurance
QA Contact:	Philipp Hahn

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2018-08-08 14:21 CEST by Quality Assurance
Modified:	2018-08-15 13:14 CEST (History)
CC List:	0 users

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:	6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Quality Assurance

2018-08-08 14:21:23 CEST

New Debian libmspack 0.5-1.A~4.3.1.201808081421 fixes:
This update addresses the following issue(s):
* 
* mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted CHM file. (CVE-2017-6419)
* The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2 and other products, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted CAB file. (CVE-2017-11423)
* An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service (uninitialized data dereference and application crash). (CVE-2018-14679)
* An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. It does not reject blank CHM filenames. (CVE-2018-14680)
* An issue was discovered in kwajd_read_headers in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file header extensions could cause a one or two byte overwrite. (CVE-2018-14681)
* An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the TOLOWER() macro for CHM decompression. (CVE-2018-14682)

0.5-1+deb9u2 (Thu, 02 Aug 2018 19:18:37 +0200) * Non-maintainer upload. * Add security related patches: - 0b0ef9344255 ("kwaj_read_headers(): fix handling of non-terminated strings") CVE-2018-14681 (Closes: 904799). - 4fd9ccaa54e1 ("Fix off-by-one error in chmd TOLOWER() fallback") CVE-2018-14682 (Closes: 904800). - 72e70a921f0f ("Fix off-by-one bounds check on CHM PMGI/PMGL chunk numbers and reject empty filenames.") CVE-2018-14679, CVE-2018-14680 (Closes: 904802, 904801).

0.5-1+deb9u1 (Wed, 16 Aug 2017 21:42:50 +0200) * Correct rejection of empty strings. * Fix mis-handling of sys->read() errors in cabd_read_string() (CVE-2017-11423). * Reject negative output length in SpanInfo (CVE-2017-6419)
.
* CVE-2017-6419 libmspack, clamav: heap-based buffer overflow in mspack/lzxd.c (CVE-2017-6419)
* CVE-2017-11423 libmspack, clamav: Stack-based buffer over-read in cabd_read_string function (CVE-2017-11423)
* CVE-2018-14679 libmspack: off-by-one error in the CHM PMGI/PMGL chunk number validity checks (CVE-2018-14679)
* CVE-2018-14680 libmspack: off-by-one error in the CHM chunk number validity checks (CVE-2018-14680)
* CVE-2018-14681 libmspack: Out-of-bounds Write in kwajd_read_headers in mspack/kwajd.c (CVE-2018-14681)
* CVE-2018-14682 libmspack: off-by-one error in the TOLOWER() macro for CHM decompression (CVE-2018-14682)

Comment 1 Quality Assurance

2018-08-08 19:07:20 CEST

--- mirror/ftp/4.3/unmaintained/4.3-0/source/libmspack_0.5-1.A~4.3.0.201711291434.dsc
+++ apt/ucs_4.3-0-errata4.3-1/source/libmspack_0.5-1.A~4.3.1.201808081421.dsc
@@ -1,6 +1,18 @@
-0.5-1.A~4.3.0.201711291434 [Thu, 30 Nov 2017 03:44:23 +0100] Univention builddaemon <buildd@univention.de>:
+0.5-1.A~4.3.1.201808081421 [Wed, 08 Aug 2018 14:21:26 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. No patches were applied to the original source package
+
+0.5-1+deb9u2 [Thu, 02 Aug 2018 19:18:37 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * Non-maintainer upload.
+  * Add security related patches:
+    - 0b0ef9344255 ("kwaj_read_headers(): fix handling of non-terminated
+      strings") CVE-2018-14681 (Closes: 904799).
+    - 4fd9ccaa54e1 ("Fix off-by-one error in chmd TOLOWER() fallback")
+      CVE-2018-14682 (Closes: 904800).
+    - 72e70a921f0f ("Fix off-by-one bounds check on CHM PMGI/PMGL chunk
+      numbers and reject empty filenames.") CVE-2018-14679,
+      CVE-2018-14680 (Closes: 904802, 904801).
 
 0.5-1+deb9u1 [Wed, 16 Aug 2017 21:42:50 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
 

<http://10.200.17.11/4.3-1/#5068712437307279697>

Comment 2 Philipp Hahn

2018-08-09 09:19:33 CEST

OK: patches
OK: piuparts
OK: yaml
OK: errata-announce libmspack.yaml

[4.3-1] 4682874bf1 Bug #47513: libmspack 0.5-1.A~4.3.1.201808081421
 doc/errata/staging/libmspack.yaml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

Comment 3 Arvid Requate

2018-08-15 13:14:54 CEST

<http://errata.software-univention.de/ucs/4.3/185.html>