Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 662166 (CVE-2018-14679, CVE-2018-14680, CVE-2018-14681, CVE-2018-14682) - [TRACKER] libmspack: multiple vulnerabilities (CVE-2018-{14679,14680,14681,14682})
Summary: [TRACKER] libmspack: multiple vulnerabilities (CVE-2018-{14679,14680,14681,14...
Status: RESOLVED FIXED
Alias: CVE-2018-14679, CVE-2018-14680, CVE-2018-14681, CVE-2018-14682
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords: Tracker
Depends on: 662874 662876
Blocks:
  Show dependency tree
 
Reported: 2018-07-26 07:12 UTC by Hanno Boeck
Modified: 2019-08-09 21:17 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Boeck gentoo-dev 2018-07-26 07:12:41 UTC
From the changelog of cabextract 1.7 + libmspack 0.7 alpha [1]:


* bad KWAJ file header extensions could cause a one or two byte
  overwrite
* The character U+0100 in a CHM filename could cause a one-byte overread
* libmspack now rejects blank CHM filenames.
* Fixed off-by-one error in CHM PMGI/PMGL chunk number validity checks, 
which could cause a crash by dereferencing uninitialised data beyond
  the end of the fast_find() chunk cache.

I think this code is shared in both packages, please bump.

[1] http://www.openwall.com/lists/oss-security/2018/07/26/1
Comment 1 D'juan McDonald (domhnall) 2018-07-29 22:22:50 UTC
Issue was assigned a CVE. https://nvd.nist.gov/vuln/detail/CVE-2018-14681
Comment 2 D'juan McDonald (domhnall) 2018-07-29 22:31:33 UTC

Correction, multiple CVEs have been assigned:

https://nvd.nist.gov/vuln/detail/CVE-2018-14679

An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service (uninitialized data dereference and application crash).


https://nvd.nist.gov/vuln/detail/CVE-2018-14680
An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. It does not reject blank CHM filenames.

https://nvd.nist.gov/vuln/detail/CVE-2018-14681
An issue was discovered in kwajd_read_headers in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file header extensions could cause a one or two byte overwrite.

https://nvd.nist.gov/vuln/detail/CVE-2018-14682
An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the TOLOWER() macro for CHM decompression.
Comment 3 Thomas Deutschmann gentoo-dev Security 2018-08-05 21:54:48 UTC
@ Hanno: I don't see security fixes in cabextract-1.7 release note. Looks like a normal release which adds new important features, but nothing for a security bug. Am I missing something?