Bug 669280 (CVE-2018-18584, CVE-2018-18585, CVE-2018-18586) - <dev-libs/libmspack-0.9.1_alpha-r1, app-arch/cabextract-1.9-r2: multiple vulnerabilities (CVE-2018-{18584,18585,18586})
Status: RESOLVED FIXED
Alias: CVE-2018-18584, CVE-2018-18585, CVE-2018-18586
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on: 670478
Blocks:
 
Reported: 2018-10-22 06:20 UTC by Hanno Böck
Modified: 2019-04-04 19:14 UTC

See Also:
Package list:
dev-libs/libmspack-0.9.1_alpha-r1 app-arch/cabextract-1.9-r2
Runtime testing required: ---
stable-bot: sanity-check+


Description Hanno Böck gentoo-dev 2018-10-22 06:20:14 UTC
From upstream:

* if a CAB file has a Quantum-compressed datablock with exactly 38912 
compressed bytes, cabextract will write exactly one byte beyond its 
input buffer.

This affects both cabextract and libmspack. Fixes in cabextract 1.8 and libmspack 0.8alpha.

Also from libmspack this:
* chmextract now protects you from absolute/relative pathnames in CHM files

sounds like a directory traversal vuln.
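
The pathname protection mentioned in the description above, sketched as an added example; it is not code from libmspack, cabextract or this bug report. `safe_member_path` is a hypothetical helper, its refuse-on-`..` policy is an assumption, and the sample names in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not libmspack's API): turn an untrusted archive
 * member name into a relative path that stays below the output directory.
 * Returns 0 and writes the cleaned path to out, or -1 to refuse the entry. */
static int is_sep(char c) { return c == '/' || c == '\\'; }

int safe_member_path(const char *name, char *out, size_t outsz)
{
    size_t used = 0;
    const char *p = name;

    if (!name || !out || outsz == 0) return -1;
    out[0] = '\0';

    while (*p) {
        const char *start;
        size_t len;

        while (is_sep(*p)) p++;        /* drops a leading "/" and empty components */
        start = p;
        while (*p && !is_sep(*p)) p++;
        len = (size_t)(p - start);

        if (len == 0) break;                                 /* trailing separator */
        if (len == 1 && start[0] == '.') continue;           /* "." is a no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') return -1; /* traversal */
        if (memchr(start, ':', len)) return -1;              /* "C:" style prefix */

        /* room for an optional '/', the component and the terminating NUL */
        if (used + (used ? 1 : 0) + len + 1 > outsz) return -1;
        if (used) out[used++] = '/';
        memcpy(out + used, start, len);
        used += len;
        out[used] = '\0';
    }
    return used ? 0 : -1;              /* refuse names that clean to nothing */
}

int main(void)
{
    /* Constructed member names, as an extractor might read them from an archive. */
    const char *names[] = { "/etc/passwd", "../../x", "a/./b//c.html", "C:\\x" };
    char buf[64];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s -> %s\n", names[i],
               safe_member_path(names[i], buf, sizeof buf) == 0 ? buf : "(refused)");
    return 0;
}
```

The check is purely lexical: an extractor that can also create symlinks still has to make sure no component of the cleaned path resolves outside the output directory.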
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-10-24 16:15:34 UTC
app-arch/cabextract is currently bundling dev-libs/libmspack. We will stop bundling once https://github.com/kyz/libmspack/issues/20 is solved. Once this is done we can start stabilizing the new cabextract and libmspack versions.
Comment 2 Larry the Git Cow gentoo-dev 2018-11-06 02:12:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=052405702013032edf4686bad9a541a737e681cc

commit 052405702013032edf4686bad9a541a737e681cc
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-11-06 02:12:11 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-11-06 02:12:28 +0000

    app-arch/cabextract: bump to v1.9
    
    Bug: https://bugs.gentoo.org/669280
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-arch/cabextract/Manifest              |  1 +
 app-arch/cabextract/cabextract-1.9.ebuild | 66 +++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=222dd14d5fb355b3e521acbeccf975702875700c

commit 222dd14d5fb355b3e521acbeccf975702875700c
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-11-06 02:09:50 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-11-06 02:12:26 +0000

    dev-libs/libmspack: bump to v0.9alpha
    
    Bug: https://bugs.gentoo.org/669280
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/libmspack/Manifest                   |  1 +
 dev-libs/libmspack/libmspack-0.9_alpha.ebuild | 73 +++++++++++++++++++++++++++
 2 files changed, 74 insertions(+)
Comment 3 Thomas Deutschmann gentoo-dev Security 2018-11-06 11:40:23 UTC
@ Arches,

please test and mark stable:

dev-libs/libmspack-0.9_alpha
app-arch/cabextract-1.9
Comment 4 Agostino Sarubbo gentoo-dev 2018-11-07 09:44:06 UTC
amd64 stable
Comment 5 Thomas Deutschmann gentoo-dev Security 2018-11-07 23:45:20 UTC
x86 stable
Comment 6 Rolf Eike Beer 2018-11-08 21:10:47 UTC
The MD5 code in libmspack is broken on big endian, see bug 670654.
Comment 7 Sergei Trofimovich gentoo-dev 2018-11-18 16:16:55 UTC
ia64 stable
Comment 8 Stabilization helper bot gentoo-dev 2018-11-22 16:00:25 UTC
An automated check of this bug failed - the following atom is unknown:

app-arch/cabextract-1.9-r1

Please verify the atom list.
Comment 9 Rolf Eike Beer 2018-11-23 16:19:00 UTC
hppa/sparc stable
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-12-07 12:46:42 UTC
arm stable
Comment 11 Sergei Trofimovich gentoo-dev 2018-12-26 14:03:15 UTC
ppc stable
Comment 12 Sergei Trofimovich gentoo-dev 2018-12-26 20:13:37 UTC
ppc64 stable
Comment 13 Larry the Git Cow gentoo-dev 2019-01-30 13:20:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=233e443db72e91bdc5c8e7cf1af56eeb7d27373d

commit 233e443db72e91bdc5c8e7cf1af56eeb7d27373d
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-01-30 13:19:57 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-01-30 13:19:57 +0000

    dev-libs/libmspack-0.9.1_alpha-r1: alpha stable
    
    Bug: http://bugs.gentoo.org/669280
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-libs/libmspack/libmspack-0.9.1_alpha-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=715dc38d7255b2c072ae8d7b2801780f1a5880ed

commit 715dc38d7255b2c072ae8d7b2801780f1a5880ed
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-01-30 13:19:57 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-01-30 13:19:57 +0000

    app-arch/cabextract-1.9-r2: alpha stable
    
    Bug: http://bugs.gentoo.org/669280
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 app-arch/cabextract/cabextract-1.9-r2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-24 03:03:39 UTC
@maintainer(s), please clean vulnerable.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2019-03-28 02:15:07 UTC
This issue was resolved and addressed in
 GLSA 201903-20 at https://security.gentoo.org/glsa/201903-20
by GLSA coordinator Aaron Bauman (b-man).
Comment 16 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-28 02:16:23 UTC
re-opened for cleanup.
Comment 17 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-04-04 19:14:37 UTC
tree is clean