Bug 48069 - libmspack: Multiple issues (4.2)
libmspack: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
All Linux
: P3 normal (vote)
: UCS 4.2-5-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-10-29 13:49 CET by Quality Assurance
Modified: 2018-11-01 13:56 CET (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) Debian RedHat


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2018-10-29 13:49:42 CET
New Debian libmspack 0.5-1.A~4.2.5.201810291349 fixes:
This update addresses the following issues:
* heap-based buffer overflow in mspack/lzxd.c (CVE-2017-6419)
* Stack-based buffer over-read in cabd_read_string function (CVE-2017-11423)
* off-by-one error in the CHM PMGI/PMGL chunk number validity checks  (CVE-2018-14679)
* off-by-one error in the CHM chunk number validity checks (CVE-2018-14680)
* Out-of-bounds Write in kwajd_read_headers in mspack/kwajd.c  (CVE-2018-14681)
* off-by-one error in the TOLOWER() macro for CHM decompression  (CVE-2018-14682)
* In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8, the  CAB block input buffer is one byte too small for the maximal Quantum block,  leading to an out-of-bounds write. (CVE-2018-18584)
* chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha accepts a  filename that has '\0' as its first or second character (such as the "/\0"  name). (CVE-2018-18585)
Comment 1 Quality Assurance univentionstaff 2018-10-29 14:30:34 CET
--- mirror/ftp/4.2/unmaintained/4.2-5/source/libmspack_0.5-1.A~4.2.4.201808101752.dsc
+++ apt/ucs_4.2-0-errata4.2-5/source/libmspack_0.5-1.A~4.2.5.201810291349.dsc
@@ -1,7 +1,17 @@
-0.5-1.A~4.2.4.201808101752 [Fri, 10 Aug 2018 18:04:50 +0200] Univention builddaemon <buildd@univention.de>:
+0.5-1.A~4.2.5.201810291349 [Mon, 29 Oct 2018 13:49:46 +0100] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. No patches were applied to the original source package
 
+0.5-1+deb8u3 [Fri, 26 Oct 2018 19:03:02 +0200] Thorsten Alteholz <debian@alteholz.de>:
+
+  * Non-maintainer upload by the LTS Team. 
+  * CVE-2018-18584
+    Fixing the size of the CAB block input buffer, which is too small
+    for the maximal Quantum block, prevents an out-of-bounds write.
+  * CVE-2018-18585
+    Blank filenames (having length zero or their 1st or 2nd byte is
+    null) should be rejected.
+ 
 0.5-1+deb8u2 [Mon, 06 Aug 2018 17:01:04 +0800] Chris Lamb <lamby@debian.org>:
 
   * Non-maintainer upload.

<http://10.200.17.11/4.2-5/#7258585806541760215>
Comment 2 Philipp Hahn univentionstaff 2018-10-29 14:37:00 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.2-5] 0f8da60ced Bug #48069: libmspack 0.5-1.A~4.2.5.201810291349
 doc/errata/staging/libmspack.yaml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
Comment 3 Arvid Requate univentionstaff 2018-11-01 13:56:53 CET
<http://errata.software-univention.de/ucs/4.2/536.html>