From the changelog of cabextract 1.7 + libmspack 0.7 alpha [1]:

 * bad KWAJ file header extensions could cause a one or two byte overwrite
 * The character U+0100 in a CHM filename could cause a one-byte overread
 * libmspack now rejects blank CHM filenames.
 * Fixed off-by-one error in CHM PMGI/PMGL chunk number validity checks, which could cause a crash by dereferencing uninitialised data beyond the end of the fast_find() chunk cache.

I think this code is shared in both packages, please bump.

[1] http://www.openwall.com/lists/oss-security/2018/07/26/1
Issue was assigned a CVE. https://nvd.nist.gov/vuln/detail/CVE-2018-14681
Correction, multiple CVEs have been assigned:

https://nvd.nist.gov/vuln/detail/CVE-2018-14679
An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service (uninitialized data dereference and application crash).

https://nvd.nist.gov/vuln/detail/CVE-2018-14680
An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. It does not reject blank CHM filenames.

https://nvd.nist.gov/vuln/detail/CVE-2018-14681
An issue was discovered in kwajd_read_headers in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file header extensions could cause a one or two byte overwrite.

https://nvd.nist.gov/vuln/detail/CVE-2018-14682
An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the TOLOWER() macro for CHM decompression.
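Two of the CHM bugs listed above (the off-by-one chunk number check behind CVE-2018-14679 and the unrejected blank filename behind CVE-2018-14680) are common parser bug classes, so here is a small illustration of both checks side by side. This C is an added example written for this thread, not code from libmspack or cabextract: the `chunk_cache` struct, every function name and the sample chunk data are hypothetical and only model what the CVE text describes. It shows why a `chunk > count` test lets the index `count` through to read one element past the end of the cache, while `chunk < count` does not, and a minimal gate that refuses a zero-length filename before the rest of the parser sees it.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical chunk cache: num_chunks entries, each either a pointer to a
 * loaded chunk or NULL for "not loaded yet".  Loosely modelled on the
 * "fast_find() chunk cache" wording in the advisory; not libmspack's own
 * structure. */
struct chunk_cache {
    unsigned int num_chunks;
    const unsigned char **chunks;   /* exactly num_chunks entries */
};

/* Off-by-one validity check of the CVE-2018-14679 kind: an index equal to
 * num_chunks passes, and a caller that trusts the result would then read
 * chunks[num_chunks], one element past the end of the array. */
int chunk_index_valid_buggy(const struct chunk_cache *c, unsigned int chunk)
{
    return chunk > c->num_chunks ? 0 : 1;
}

/* Corrected check: a zero-based index is valid only if strictly less than
 * the element count. */
int chunk_index_valid_fixed(const struct chunk_cache *c, unsigned int chunk)
{
    return chunk < c->num_chunks;
}

/* Bounds-checked lookup built on the corrected check.  Returns NULL for an
 * out-of-range index or for a chunk that is not loaded, and never touches
 * memory outside chunks[]. */
const unsigned char *lookup_chunk(const struct chunk_cache *c, unsigned int chunk)
{
    if (!chunk_index_valid_fixed(c, chunk))
        return NULL;
    return c->chunks[chunk];
}

/* Filename gate for the CVE-2018-14680 class: a CHM entry name of length
 * zero is rejected up front instead of flowing into the lookup code.
 * Hypothetical policy; libmspack's exact rule is not on the page. */
int chm_filename_acceptable(const char *name, size_t len)
{
    if (name == NULL || len == 0)
        return 0;
    return 1;
}

/* Constructed sample data (not taken from any real CHM file): a four-entry
 * cache in which entry 2 has not been loaded. */
static const unsigned char sample_chunk0[] = "PMGL chunk 0 (constructed)";
static const unsigned char sample_chunk1[] = "PMGL chunk 1 (constructed)";
static const unsigned char sample_chunk3[] = "PMGI chunk 3 (constructed)";
static const unsigned char *sample_entries[4] = {
    sample_chunk0, sample_chunk1, NULL, sample_chunk3
};
const struct chunk_cache sample_cache = { 4, sample_entries };

int main(void)
{
    unsigned int i;
    /* Walk 0..num_chunks inclusive so the index past the end is exercised. */
    for (i = 0; i <= sample_cache.num_chunks; i++)
        printf("index %u: buggy=%d fixed=%d lookup=%s\n", i,
               chunk_index_valid_buggy(&sample_cache, i),
               chunk_index_valid_fixed(&sample_cache, i),
               lookup_chunk(&sample_cache, i) ? "ok" : "NULL");
    printf("blank name accepted: %d\n", chm_filename_acceptable("", 0));
    printf("\"/index.htm\" accepted: %d\n",
           chm_filename_acceptable("/index.htm", 10));
    return 0;
}
```

Running it prints that index 4 is accepted by the buggy check and rejected by the fixed one; every other index agrees between the two, which is exactly what makes this class easy to miss in review.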
@ Hanno: I don't see security fixes in the cabextract-1.7 release notes. Looks like a normal release which adds new important features, but nothing for a security bug. Am I missing something?