Bug 669280 (CVE-2018-18584, CVE-2018-18585, CVE-2018-18586)

Summary:	<dev-libs/libmspack-0.9.1_alpha-r1, app-arch/cabextract-1.9-r2: multiple vulnerabilities (CVE-2018-{18584,18585,18586})
Product:	Gentoo Security	Reporter:	Hanno Böck <hanno>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	fonts, reavertm
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://www.openwall.com/lists/oss-security/2018/10/22/1
Whiteboard:	B2 [glsa+ cve]
Package list:	dev-libs/libmspack-0.9.1_alpha-r1 app-arch/cabextract-1.9-r2	Runtime testing required:	---
Bug Depends on:	670478
Bug Blocks:

Description Hanno Böck gentoo-dev

2018-10-22 06:20:14 UTC

From upstream:

* if a CAB file has a Quantum-compressed datablock with exactly 38912 
compressed bytes, cabextract will write exactly one byte beyond its 
input buffer.

This affects both cabextract and libmspack. Fixes in cabextract 1.8 and libmspack 0.8alpha.

Also from libmspack this:
* chmextract now protects you from absolute/relative pathnames in CHM files

sounds like a directory traversal vuln.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2018-10-24 16:15:34 UTC

app-arch/cabextract is currently bundling dev-libs/libmspack. We will stop bundling once https://github.com/kyz/libmspack/issues/20 is solved. Once this is done we can start stabilizing new cabextract and libmspack version.

Comment 2 Larry the Git Cow gentoo-dev

2018-11-06 02:12:37 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=052405702013032edf4686bad9a541a737e681cc

commit 052405702013032edf4686bad9a541a737e681cc
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-11-06 02:12:11 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-11-06 02:12:28 +0000

    app-arch/cabextract: bump to v1.9
    
    Bug: https://bugs.gentoo.org/669280
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-arch/cabextract/Manifest              |  1 +
 app-arch/cabextract/cabextract-1.9.ebuild | 66 +++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=222dd14d5fb355b3e521acbeccf975702875700c

commit 222dd14d5fb355b3e521acbeccf975702875700c
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-11-06 02:09:50 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-11-06 02:12:26 +0000

    dev-libs/libmspack: bump to v0.9alpha
    
    Bug: https://bugs.gentoo.org/669280
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/libmspack/Manifest                   |  1 +
 dev-libs/libmspack/libmspack-0.9_alpha.ebuild | 73 +++++++++++++++++++++++++++
 2 files changed, 74 insertions(+)

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2018-11-06 11:40:23 UTC

@ Arches,

please test and mark stable:

dev-libs/libmspack-0.9_alpha
app-arch/cabextract-1.9

Comment 4 Agostino Sarubbo gentoo-dev

2018-11-07 09:44:06 UTC

amd64 stable

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2018-11-07 23:45:20 UTC

x86 stable

Comment 6 Rolf Eike Beer archtester

2018-11-08 21:10:47 UTC

The MD5 code in libmspack is broken on big endian, see bug 670654.

Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev

2018-11-18 16:16:55 UTC

ia64 stable

Comment 8 Stabilization helper bot gentoo-dev

2018-11-22 16:00:25 UTC

An automated check of this bug failed - the following atom is unknown:

app-arch/cabextract-1.9-r1

Please verify the atom list.

Comment 9 Rolf Eike Beer archtester

2018-11-23 16:19:00 UTC

hppa/sparc stable

Comment 10 Mikle Kolyada (RETIRED) archtester

2018-12-07 12:46:42 UTC

arm stable

Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev

2018-12-26 14:03:15 UTC

ppc stable

Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev

2018-12-26 20:13:37 UTC

ppc64 stable

Comment 13 Larry the Git Cow gentoo-dev

2019-01-30 13:20:45 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=233e443db72e91bdc5c8e7cf1af56eeb7d27373d

commit 233e443db72e91bdc5c8e7cf1af56eeb7d27373d
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-01-30 13:19:57 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-01-30 13:19:57 +0000

    dev-libs/libmspack-0.9.1_alpha-r1: alpha stable
    
    Bug: http://bugs.gentoo.org/669280
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-libs/libmspack/libmspack-0.9.1_alpha-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=715dc38d7255b2c072ae8d7b2801780f1a5880ed

commit 715dc38d7255b2c072ae8d7b2801780f1a5880ed
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-01-30 13:19:57 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-01-30 13:19:57 +0000

    app-arch/cabextract-1.9-r2: alpha stable
    
    Bug: http://bugs.gentoo.org/669280
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 app-arch/cabextract/cabextract-1.9-r2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 14 Aaron Bauman (RETIRED) gentoo-dev

2019-03-24 03:03:39 UTC

@maintainer(s), please clean vulnerable.

Comment 15 GLSAMaker/CVETool Bot gentoo-dev

2019-03-28 02:15:07 UTC

This issue was resolved and addressed in
 GLSA 201903-20 at https://security.gentoo.org/glsa/201903-20
by GLSA coordinator Aaron Bauman (b-man).

Comment 16 Aaron Bauman (RETIRED) gentoo-dev

2019-03-28 02:16:23 UTC

re-opened for cleanup.

Comment 17 Aaron Bauman (RETIRED) gentoo-dev

2019-04-04 19:14:37 UTC

tree is clean