libmspack: Multiple vulnerabilities (CVE-2018-18584, CVE-2018-18585, CVE-2018-18586)
CVE-2018-18584: A CAB file with a Quantum-compressed block of exactly 38912 bytes will write one byte beyond the end of the input buffer
In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8, the CAB block input buffer is one byte too small for the maximal Quantum block, leading to an out-of-bounds write.
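As an added illustration (not libmspack's or cabextract's code), the C example below models this off-by-one. The CFDATA header layout (u32 checksum, u16 cbData, u16 cbUncomp) and the 32768 / 6144 / 38912 figures come from the CAB format and the advisory; the buffer sizes INPUTBUF_SHORT and INPUTBUF_FIXED, the helper names and the constructed record are this example's own assumptions, chosen so that the short buffer is exactly one byte smaller than the largest block, as the advisory describes. A block of exactly 38912 bytes overruns the short buffer by one byte and fits the corrected one; a cbData above the format maximum is rejected at header validation before anything is copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CAB format figures (CAB specification and the advisory): an uncompressed
 * block holds at most 32768 bytes, and a compressed block may be up to 6144
 * bytes larger, so the largest block payload is 38912 bytes. */
#define CAB_BLOCKMAX   32768u
#define CAB_EXPANSION  6144u
#define CAB_INPUTMAX   (CAB_BLOCKMAX + CAB_EXPANSION)   /* 38912 */
#define CFDATA_HDR_LEN 8u   /* u32 csum, u16 cbData, u16 cbUncomp */

/* Illustrative decoder buffer sizes (this example's assumption, not
 * libmspack's macros): the "short" buffer is one byte smaller than the
 * largest block, the "fixed" buffer holds it exactly. */
#define INPUTBUF_SHORT (CAB_INPUTMAX - 1)
#define INPUTBUF_FIXED (CAB_INPUTMAX)

static uint16_t rd16(const unsigned char *p) {
    return (uint16_t)(p[0] | (p[1] << 8));   /* little-endian */
}

/* Parse and validate a CFDATA header. Returns 0 on success, -1 if the
 * header is truncated or either size exceeds the format maximum. */
int parse_cfdata_header(const unsigned char *hdr, size_t hdr_len,
                        uint16_t *cb_data, uint16_t *cb_uncomp) {
    if (hdr_len < CFDATA_HDR_LEN) return -1;
    *cb_data = rd16(hdr + 4);
    *cb_uncomp = rd16(hdr + 6);
    if (*cb_uncomp > CAB_BLOCKMAX) return -1;   /* 0 is legal: split block */
    if (*cb_data > CAB_INPUTMAX) return -1;
    return 0;
}

/* Copy a block payload into the decoder input buffer without ever writing
 * past its end. Returns 0 if it fit, otherwise the number of bytes an
 * unchecked memcpy would have written beyond the buffer. */
size_t load_block(unsigned char *buf, size_t buf_len,
                  const unsigned char *payload, size_t payload_len) {
    if (payload_len > buf_len) return payload_len - buf_len;
    memcpy(buf, payload, payload_len);
    return 0;
}

/* Build a constructed CFDATA record whose cbData is n (cbUncomp = 32768) and
 * report the overrun a buffer of buf_len bytes would suffer.
 * Returns (size_t)-1 if the header itself is rejected. */
size_t overrun_for(size_t n, size_t buf_len) {
    static unsigned char rec[CFDATA_HDR_LEN + CAB_INPUTMAX];
    static unsigned char buf[CAB_INPUTMAX];
    uint16_t cb_data, cb_uncomp;

    memset(rec, 0, sizeof rec);
    rec[4] = (unsigned char)(n & 0xffu);
    rec[5] = (unsigned char)((n >> 8) & 0xffu);
    rec[6] = 0x00; rec[7] = 0x80;                 /* cbUncomp = 0x8000 */
    if (parse_cfdata_header(rec, sizeof rec, &cb_data, &cb_uncomp) != 0)
        return (size_t)-1;
    /* clamp buf_len to the real storage so the demonstration itself is safe */
    return load_block(buf, buf_len <= sizeof buf ? buf_len : sizeof buf,
                      rec + CFDATA_HDR_LEN, cb_data);
}

int main(void) {
    printf("38912-byte block, short buffer: overrun by %zu byte(s)\n",
           overrun_for(CAB_INPUTMAX, INPUTBUF_SHORT));
    printf("38912-byte block, fixed buffer: overrun by %zu byte(s)\n",
           overrun_for(CAB_INPUTMAX, INPUTBUF_FIXED));
    return 0;
}
```

The check that matters is in load_block: the payload length is compared against the buffer's actual size, not against a separately maintained maximum, so the two cannot drift apart when one compressor (here Quantum) is allowed a slightly larger block than the others.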
CVE-2018-18585: CHM files with blank filenames (by having embedded nulls) are allowed, which trips up clients that expect non-blank filenames
chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha accepts a filename that has '\0' as its first or second character (such as the "/\0" name).
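The added C example below (not libmspack's chmd.c) parses a PMGL-style directory entry, in which a name is stored as an ENCINT length followed by the raw name bytes, and rejects any entry whose declared name length covers an embedded NUL. It goes slightly beyond the advisory's "first or second character" by refusing a NUL at any position, since a C-string consumer would truncate the name in every such case. The ENCINT encoding and the entry layout follow the CHM format as commonly documented; the rejection policy, the helper names and the constructed entries GOOD_ENTRY, BAD_ENTRY_NUL2 and BAD_ENTRY_NUL1 are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Accept or reject a CHM object name given its declared length (CHM stores
 * names with an explicit length, not NUL-terminated). Policy is this
 * example's own, not libmspack's exact code: the name must be non-empty and
 * no NUL byte may appear within the declared length. "/\0" would otherwise
 * be seen by C-string clients as the one-character name "/", i.e. blank.
 * Content names start with '/', system storage names with "::"; the NUL
 * rule deliberately applies to both. */
int chm_name_ok(const unsigned char *name, size_t len) {
    if (len == 0) return 0;
    if (memchr(name, '\0', len) != NULL) return 0;
    return 1;
}

/* Read a CHM ENCINT: big-endian base-128, high bit set = more bytes follow.
 * Returns bytes consumed, or 0 if the input is truncated or over 9 bytes. */
size_t read_encint(const unsigned char *p, size_t avail, uint64_t *out) {
    uint64_t v = 0;
    size_t i;
    for (i = 0; i < avail && i < 9; i++) {
        v = (v << 7) | (p[i] & 0x7fu);
        if (!(p[i] & 0x80u)) { *out = v; return i + 1; }
    }
    return 0;
}

/* Demonstration wrapper: decoded value, or UINT64_MAX on error. */
uint64_t encint_or_max(const unsigned char *p, size_t avail) {
    uint64_t v;
    return read_encint(p, avail, &v) ? v : UINT64_MAX;
}

/* Parse one PMGL directory entry: ENCINT name length, name bytes, then
 * ENCINT section, offset and length. Returns bytes consumed, or 0 when the
 * entry is truncated or its name fails chm_name_ok. */
size_t parse_pmgl_entry(const unsigned char *p, size_t avail,
                        const unsigned char **name, size_t *name_len,
                        uint64_t *section, uint64_t *offset, uint64_t *length) {
    uint64_t nl;
    size_t n, used = 0;

    if (!(n = read_encint(p, avail, &nl))) return 0;
    used += n;
    if (nl > avail - used) return 0;             /* name runs off the chunk */
    *name = p + used;
    *name_len = (size_t)nl;
    if (!chm_name_ok(*name, *name_len)) return 0;
    used += *name_len;
    if (!(n = read_encint(p + used, avail - used, section))) return 0;
    used += n;
    if (!(n = read_encint(p + used, avail - used, offset))) return 0;
    used += n;
    if (!(n = read_encint(p + used, avail - used, length))) return 0;
    return used + n;
}

/* Returns 1 if the entry parses and its name is accepted, else 0. */
int entry_accepted(const unsigned char *p, size_t avail) {
    const unsigned char *nm; size_t nl; uint64_t s, o, l;
    return parse_pmgl_entry(p, avail, &nm, &nl, &s, &o, &l) != 0;
}

/* Constructed entries for the demonstration (not from any real CHM file). */
static const unsigned char GOOD_ENTRY[] = {
    0x0a, '/', 'i', 'n', 'd', 'e', 'x', '.', 'h', 't', 'm',  /* len 10 + name */
    0x00, 0x00, 0x2a };                                       /* section 0, offset 0, length 42 */
static const unsigned char BAD_ENTRY_NUL2[] = { 0x02, '/', 0x00, 0x00, 0x00, 0x05 }; /* name "/\0" */
static const unsigned char BAD_ENTRY_NUL1[] = { 0x02, 0x00, '/', 0x00, 0x00, 0x05 }; /* name "\0/" */
static const unsigned char ENC_128[]   = { 0x81, 0x00 };  /* ENCINT 128 */
static const unsigned char ENC_TRUNC[] = { 0x81 };        /* continuation bit, no final byte */

int main(void) {
    printf("good entry accepted:  %d\n", entry_accepted(GOOD_ENTRY, sizeof GOOD_ENTRY));
    printf("\"/\\0\" entry accepted: %d\n", entry_accepted(BAD_ENTRY_NUL2, sizeof BAD_ENTRY_NUL2));
    printf("\"\\0/\" entry accepted: %d\n", entry_accepted(BAD_ENTRY_NUL1, sizeof BAD_ENTRY_NUL1));
    return 0;
}
```

Doing the check against the declared length, before the name is ever handed to a C-string API, is the point: once a caller has called strlen() on the name the information that a NUL was embedded is gone.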
CVE-2018-18586: chmextract makes no attempt to protect you from relative/absolute paths in CHM filenames
DISPUTED chmextract.c in the chmextract sample program, as distributed with libmspack before 0.8alpha, does not protect against absolute/relative pathnames in CHM files, leading to Directory Traversal. NOTE: the vendor disputes that this is a libmspack vulnerability, because chmextract.c was only intended as a source-code example, not a supported application.
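Whatever the status of the dispute, any program that writes CHM objects to disk needs the check below. It is an added C example written for illustration, not code taken from chmextract.c: every object name is reduced to a relative path under the chosen output directory, '/' and '\' both count as separators, and any "." or ".." component causes the name to be refused rather than normalised. The function names and the sample names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Map a CHM object name to a path under base. Policy (this example's own,
 * not chmextract's): the name is always treated as relative, '/' and '\\'
 * both separate components, empty components are dropped, and any "." or
 * ".." component rejects the whole name instead of being normalised.
 * Writes "<base>/<components...>" to out; returns 0, or -1 if the name is
 * unsafe, empty after stripping, or does not fit in out_len. */
int safe_output_path(const char *base, const char *name,
                     char *out, size_t out_len) {
    size_t n = strlen(name), i = 0, pos = strlen(base);
    int components = 0;

    if (pos >= out_len) return -1;
    memcpy(out, base, pos);
    out[pos] = '\0';

    while (i < n) {
        size_t j = i, clen;
        while (j < n && name[j] != '/' && name[j] != '\\') j++;
        clen = j - i;
        if (clen == 0) { i = j + 1; continue; }        /* leading or doubled separator */
        if ((clen == 1 && name[i] == '.') ||
            (clen == 2 && name[i] == '.' && name[i + 1] == '.'))
            return -1;                                 /* traversal attempt */
        if (pos + 1 + clen >= out_len) return -1;      /* room for '/' + component + NUL */
        out[pos++] = '/';
        memcpy(out + pos, name + i, clen);
        pos += clen;
        out[pos] = '\0';
        components++;
        i = j + 1;
    }
    return components ? 0 : -1;
}

/* Demonstration wrapper: joined path in a static buffer, or NULL if rejected. */
const char *joined(const char *base, const char *name) {
    static char buf[512];
    return safe_output_path(base, name, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void) {
    /* Constructed names of the kinds a hostile CHM could carry. */
    const char *names[] = { "/index.html", "/../etc/passwd", "/img/../../x",
                            "//a\\b", "/", "/./a" };
    size_t k;
    for (k = 0; k < sizeof names / sizeof names[0]; k++) {
        const char *r = joined("out", names[k]);
        printf("%-16s -> %s\n", names[k], r ? r : "REJECTED");
    }
    return 0;
}
```

Refusing rather than collapsing ".." keeps the logic easy to audit and avoids the classic mistake of normalising "a/../../x" to something that still escapes. A lexical check like this is necessary but not sufficient on its own: a real extractor should also create directories and open files in a way that does not follow symlinks already present in the output tree.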
(from redmine: issue id 9662, created on 2018-11-21, closed on 2018-11-28)