Status: Closed
Opened Nov 21, 2018 by Alicha CH (@alicha), Reporter

[3.9] libmspack: Multiple vulnerabilities (CVE-2018-18584, CVE-2018-18585, CVE-2018-18586)

CVE-2018-18584: A CAB file with a Quantum-compressed block of exactly 38912 bytes will write one byte beyond the end of the input buffer

In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8, the CAB
block input buffer is one byte too small for the maximal Quantum block, leading to an out-of-bounds write.

References:

https://www.cabextract.org.uk/libmspack/
https://nvd.nist.gov/vuln/detail/CVE-2018-18584

Patch:

https://github.com/kyz/libmspack/commit/40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2

CVE-2018-18585: CHM files with blank filenames (by having embedded nulls) are allowed, which trips up clients that expect non-blank filenames

chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha accepts a filename
that has ‘\0’ as its first or second character (such as the “/\0” name).

References:

https://www.cabextract.org.uk/libmspack/
https://nvd.nist.gov/vuln/detail/CVE-2018-18585

Patch:

https://github.com/kyz/libmspack/commit/8759da8db6ec9e866cb8eb143313f397f925bb4f

CVE-2018-18586: chmextract makes no attempt to protect you from relative/absolute paths in CHM filenames

DISPUTED chmextract.c in the chmextract sample program, as distributed with libmspack before 0.8alpha, does not protect against absolute/relative pathnames in CHM files, leading to Directory Traversal. NOTE: the vendor disputes that this is a libmspack vulnerability, because chmextract.c was only intended as a source-code example, not a supported application.

References:

https://www.cabextract.org.uk/libmspack/
https://nvd.nist.gov/vuln/detail/CVE-2018-18586

Patch:

https://github.com/kyz/libmspack/commit/7cadd489698be117c47efcadd742651594429e6d

(from redmine: issue id 9663, created on 2018-11-21, closed on 2018-11-28)

  • Relations:
    • parent #9662 (closed)
  • Changesets:
    • Revision 3a49d88a by Natanael Copa on 2018-11-27T12:30:37Z:
main/libmspack: security upgrade to 0.8_alpha

CVE-2018-18584, CVE-2018-18585, CVE-2018-18586

fixes #9663
Milestone: 3.9.0
Reference: alpine/aports#9663