Bug 48168 - libmspack: Multiple issues (4.3)
libmspack: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
: P3 normal (vote)
: UCS 4.3-2-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-11-19 12:45 CET by Quality Assurance
Modified: 2018-11-21 15:21 CET (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2018-11-19 12:45:31 CET
New Debian libmspack 0.5-1.A~4.3.2.201811191242 fixes:
This update addresses the following issues:
* heap-based buffer overflow in mspack/lzxd.c (CVE-2017-6419)
* Stack-based buffer over-read in cabd_read_string function (CVE-2017-11423)
* off-by-one error in the CHM PMGI/PMGL chunk number validity checks  (CVE-2018-14679)
* off-by-one error in the CHM chunk number validity checks (CVE-2018-14680)
* Out-of-bounds Write in kwajd_read_headers in mspack/kwajd.c  (CVE-2018-14681)
* off-by-one error in the TOLOWER() macro for CHM decompression  (CVE-2018-14682)
* Out-of-bounds write in mspack/cab.h (CVE-2018-18584)
* chmd_read_headers() fails to reject filenames containing NULL bytes  (CVE-2018-18585)
Comment 1 Quality Assurance univentionstaff 2018-11-19 13:42:45 CET
--- mirror/ftp/4.3/unmaintained/4.3-2/source/libmspack_0.5-1.A~4.3.1.201808081421.dsc
+++ apt/ucs_4.3-0-errata4.3-2/source/libmspack_0.5-1.A~4.3.2.201811191242.dsc
@@ -1,7 +1,17 @@
-0.5-1.A~4.3.1.201808081421 [Wed, 08 Aug 2018 14:21:26 +0200] Univention builddaemon <buildd@univention.de>:
+0.5-1.A~4.3.2.201811191242 [Mon, 19 Nov 2018 12:45:35 +0100] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. No patches were applied to the original source package
 
+0.5-1+deb9u3 [Fri, 26 Oct 2018 19:03:02 +0200] Thorsten Alteholz <debian@alteholz.de>:
+
+  * Non-maintainer upload by the LTS Team. 
+  * CVE-2018-18584 (Closes: #911640)
+    Fixing the size of the CAB block input buffer, which is too small
+    for the maximal Quantum block, prevents an out-of-bounds write.
+  * CVE-2018-18585 (Closes: #911637)
+    Blank filenames (having length zero or their 1st or 2nd byte is
+    null) should be rejected.
+ 
 0.5-1+deb9u2 [Thu, 02 Aug 2018 19:18:37 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
 
   * Non-maintainer upload.

<http://10.200.17.11/4.3-2/#4389772581064432223>
Comment 2 Philipp Hahn univentionstaff 2018-11-19 14:38:54 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.3-2] dc5980d4f6 Bug #48168: libmspack 0.5-1.A~4.3.2.201811191242
 doc/errata/staging/libmspack.yaml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
Comment 3 Arvid Requate univentionstaff 2018-11-21 15:21:18 CET
<http://errata.software-univention.de/ucs/4.3/319.html>