From ${URL} : mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted CHM file. Upstream patch: https://github.com/vrtadmin/clamav-devel/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
libmspack-0.5_alpha-r1 with patch from clamav in repo. I would say it's ready for stabilization. I wonder about relation to bug 625634.
libmspack-0.6_alpha in portage. Please stabilize this one instead. Also see bug 625634.
Freeing CVE-2017-6419 alias to create a tracker bug.
No PoC for ACE/RCE. Downgraded to B3. Cleanup will be tracked in bug #625634