Univention Bugzilla – Bug 48069
libmspack: Multiple issues (4.2)
Last modified: 2018-11-01 13:56:53 CET
New Debian libmspack 0.5-1.A~18.104.22.168810291349 fixes:
This update addresses the following issues:
* Heap-based buffer overflow in mspack/lzxd.c (CVE-2017-6419)
* Stack-based buffer over-read in cabd_read_string function (CVE-2017-11423)
* Off-by-one error in the CHM PMGI/PMGL chunk number validity checks (CVE-2018-14679)
* Off-by-one error in the CHM chunk number validity checks (CVE-2018-14680)
* Out-of-bounds write in kwajd_read_headers in mspack/kwajd.c (CVE-2018-14681)
* Off-by-one error in the TOLOWER() macro for CHM decompression (CVE-2018-14682)
* In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8, the CAB block input buffer is one byte too small for the maximal Quantum block, leading to an out-of-bounds write. (CVE-2018-18584)
* chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha accepts a filename that has '\0' as its first or second character (such as the "/\0" name). (CVE-2018-18585)
@@ -1,7 +1,17 @@
-0.5-1.A~22.214.171.124808101752 [Fri, 10 Aug 2018 18:04:50 +0200] Univention builddaemon <email@example.com>:
+0.5-1.A~126.96.36.199810291349 [Mon, 29 Oct 2018 13:49:46 +0100] Univention builddaemon <firstname.lastname@example.org>:
* UCS auto build. No patches were applied to the original source package
+0.5-1+deb8u3 [Fri, 26 Oct 2018 19:03:02 +0200] Thorsten Alteholz <email@example.com>:
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2018-18584
+ Fixing the size of the CAB block input buffer, which is too small
+ for the maximal Quantum block, prevents an out-of-bounds write.
+ * CVE-2018-18585
+ Blank filenames (having length zero or their 1st or 2nd byte is
+ null) should be rejected.
0.5-1+deb8u2 [Mon, 06 Aug 2018 17:01:04 +0800] Chris Lamb <firstname.lastname@example.org>:
* Non-maintainer upload.
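Review bot: The two CVE items in the added 0.5-1+deb8u3 entry describe each fix without naming the code it touches, which makes the entry hard to match against the source. Consider adding the locations given in the issue list above: mspack/cab.h for CVE-2018-18584 and chmd_read_headers in mspack/chmd.c for CVE-2018-18585. The CVE-2018-18585 text also mixes two constructions ("having length zero or their 1st or 2nd byte is null"); something like "Reject blank filenames (length zero, or a null first or second byte)" states the condition more plainly.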
[4.2-5] 0f8da60ced Bug #48069: libmspack 0.5-1.A~188.8.131.52810291349
doc/errata/staging/libmspack.yaml | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)