Bug 47575 - libmspack: Multiple issues (4.2)
libmspack: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
All Linux
: P3 normal (vote)
: UCS 4.2-4-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-08-10 18:04 CEST by Quality Assurance
Modified: 2018-08-15 16:20 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2018-08-10 18:04:47 CEST
New Debian libmspack 0.5-1.A~4.2.4.201808101752 fixes:
This update addresses the following issues:
* mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted CHM file. (CVE-2017-6419)
* The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2 and other products, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted CAB file. (CVE-2017-11423)
* An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service (uninitialized data dereference and application crash). (CVE-2018-14679)
* An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. It does not reject blank CHM filenames. (CVE-2018-14680)
* An issue was discovered in kwajd_read_headers in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file header extensions could cause a one or two byte overwrite. (CVE-2018-14681)
* An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the TOLOWER() macro for CHM decompression. (CVE-2018-14682)

0.5-1+deb8u2 (Mon, 06 Aug 2018 17:01:04 +0800) * Non-maintainer upload. * Add security related patches: - 0b0ef9344255 ("kwaj_read_headers(): fix handling of non-terminated strings") CVE-2018-14681 (Closes: 904799). - 4fd9ccaa54e1 ("Fix off-by-one error in chmd TOLOWER() fallback") CVE-2018-14682 (Closes: 904800). - 72e70a921f0f ("Fix off-by-one bounds check on CHM PMGI/PMGL chunk numbers and reject empty filenames.") CVE-2018-14679, CVE-2018-14680 (Closes: 904802, 904801).

0.5-1+deb8u1 (Wed, 16 Aug 2017 21:42:50 +0200) * Correct rejection of empty strings. * Fix mis-handling of sys->read() errors in cabd_read_string() (CVE-2017-11423). * Reject negative output length in SpanInfo (CVE-2017-6419)
.
* CVE-2017-6419 libmspack, clamav: heap-based buffer overflow in mspack/lzxd.c (CVE-2017-6419)
* CVE-2017-11423 libmspack, clamav: Stack-based buffer over-read in cabd_read_string function (CVE-2017-11423)
* CVE-2018-14679 libmspack: off-by-one error in the CHM PMGI/PMGL chunk number validity checks (CVE-2018-14679)
* CVE-2018-14680 libmspack: off-by-one error in the CHM chunk number validity checks (CVE-2018-14680)
* CVE-2018-14681 libmspack: Out-of-bounds Write in kwajd_read_headers in mspack/kwajd.c (CVE-2018-14681)
* CVE-2018-14682 libmspack: off-by-one error in the TOLOWER() macro for CHM decompression (CVE-2018-14682)
Comment 1 Quality Assurance univentionstaff 2018-08-10 18:53:49 CEST
--- mirror/ftp/4.2/unmaintained/4.2-4/source/libmspack_0.5-1.A~4.2.3.201801211553.dsc
+++ apt/ucs_4.2-0-errata4.2-4/source/libmspack_0.5-1.A~4.2.4.201808101752.dsc
@@ -1,6 +1,18 @@
-0.5-1.A~4.2.3.201801211553 [Wed, 24 Jan 2018 11:04:08 +0100] Univention builddaemon <buildd@univention.de>:
+0.5-1.A~4.2.4.201808101752 [Fri, 10 Aug 2018 18:04:50 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. No patches were applied to the original source package
+
+0.5-1+deb8u2 [Mon, 06 Aug 2018 17:01:04 +0800] Chris Lamb <lamby@debian.org>:
+
+  * Non-maintainer upload.
+  * Add security related patches:
+    - 0b0ef9344255 ("kwaj_read_headers(): fix handling of non-terminated
+      strings") CVE-2018-14681 (Closes: 904799).
+    - 4fd9ccaa54e1 ("Fix off-by-one error in chmd TOLOWER() fallback")
+      CVE-2018-14682 (Closes: 904800).
+    - 72e70a921f0f ("Fix off-by-one bounds check on CHM PMGI/PMGL chunk
+      numbers and reject empty filenames.") CVE-2018-14679,
+      CVE-2018-14680 (Closes: 904802, 904801).
 
 0.5-1+deb8u1 [Wed, 16 Aug 2017 21:42:50 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
 

<http://10.200.17.11/4.2-4/#5001771859201262247>
Comment 2 Philipp Hahn univentionstaff 2018-08-10 19:43:10 CEST
OK: yaml
OK: errata-announce
OK: patch
OK: piuparts

[4.2-4] ce1bb6d138 Bug #47575: libmspack 0.5-1.A~4.2.4.201808101752
 doc/errata/staging/libmspack.yaml | 26 +++++++++-----------------
 1 file changed, 9 insertions(+), 17 deletions(-)

[4.2-4] 47377807b0 Bug #47575: libmspack 0.5-1.A~4.2.4.201808101752
 doc/errata/staging/libmspack.yaml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
Comment 3 Arvid Requate univentionstaff 2018-08-15 16:20:59 CEST
<http://errata.software-univention.de/ucs/4.2/463.html>