
Closed
Opened Nov 21, 2018 by Alicha CH (@alicha, Reporter)

[3.7] libmspack: Multiple vulnerabilities (CVE-2018-18584, CVE-2018-18585, CVE-2018-18586)

CVE-2018-18584: A CAB file with a Quantum-compressed block of exactly 38912 bytes will write one byte beyond the end of the input buffer

In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8, the CAB
block input buffer is one byte too small for the maximal Quantum block, leading to an out-of-bounds write.

References:

https://www.cabextract.org.uk/libmspack/
https://nvd.nist.gov/vuln/detail/CVE-2018-18584

Patch:

https://github.com/kyz/libmspack/commit/40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2

CVE-2018-18585: CHM files with blank filenames (by having embedded nulls) are allowed, which trips up clients that expect non-blank filenames

chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha accepts a filename
that has ‘\0’ as its first or second character (such as the “/\0” name).

References:

https://www.cabextract.org.uk/libmspack/
https://nvd.nist.gov/vuln/detail/CVE-2018-18585

Patch:

https://github.com/kyz/libmspack/commit/8759da8db6ec9e866cb8eb143313f397f925bb4f

CVE-2018-18586: chmextract makes no attempt to protect you from relative/absolute paths in CHM filenames

DISPUTED chmextract.c in the chmextract sample program, as distributed with libmspack before 0.8alpha, does not protect against absolute/relative pathnames in CHM files, leading to Directory Traversal. NOTE: the vendor disputes that this is a libmspack vulnerability, because chmextract.c was only intended as a source-code example, not a supported application.

References:

https://www.cabextract.org.uk/libmspack/
https://nvd.nist.gov/vuln/detail/CVE-2018-18586

Patch:

https://github.com/kyz/libmspack/commit/7cadd489698be117c47efcadd742651594429e6d

(from redmine: issue id 9665, created on 2018-11-21, closed on 2018-11-28)

  • Relations:
    • parent #9662 (closed)
  • Changesets:
    • Revision c9b4a96e by Natanael Copa on 2018-11-27T12:32:31Z:
main/libmspack: security upgrade to 0.8_alpha

CVE-2018-18584, CVE-2018-18585, CVE-2018-18586

fixes #9665
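
As an added example (not code from libmspack, chmextract, or the linked patches): a sketch in C of how an extracting client could validate a CHM member name before writing it, rejecting the blank or embedded-NUL names of CVE-2018-18585 and the absolute/relative paths of CVE-2018-18586. The function name `sanitize_member_name`, its return convention and the sample names are assumptions, and a POSIX destination filesystem is assumed.

```c
#include <stdio.h>
#include <string.h>

/* Turn an archive member name into a relative path that stays below the
 * extraction directory. name/len are the stored bytes (length-prefixed in
 * the archive, so NULs can be embedded). Returns 0 on success, -1 to reject. */
int sanitize_member_name(const char *name, size_t len, char *out, size_t outsz)
{
    size_t i = 0, o = 0;

    /* An embedded NUL makes the C-string view differ from the stored name
     * ("/\0" reads as "/"), so refuse it together with empty names. */
    if (len == 0 || memchr(name, '\0', len) != NULL)
        return -1;

    while (i < len) {
        /* Skip separators; dropping leading ones makes absolute names relative. */
        while (i < len && (name[i] == '/' || name[i] == '\\')) i++;
        size_t start = i;
        while (i < len && name[i] != '/' && name[i] != '\\') i++;
        size_t clen = i - start;

        if (clen == 0) break;                           /* trailing separator */
        if (clen == 1 && name[start] == '.') continue;  /* "." adds nothing */
        if (clen == 2 && name[start] == '.' && name[start + 1] == '.')
            return -1;                                  /* ".." climbs out */
        if (o + clen + 2 > outsz) return -1;            /* '/', component, NUL */
        if (o > 0) out[o++] = '/';
        memcpy(out + o, name + start, clen);
        o += clen;
    }
    if (o == 0) return -1;   /* nothing left, e.g. "/" or "./" */
    out[o] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample names, not taken from any real CHM file. */
    static const struct { const char *n; size_t len; } t[] = {
        { "/docs/index.html", 16 }, { "../../etc/passwd", 16 }, { "/\0", 2 },
    };
    char buf[64];
    for (size_t k = 0; k < sizeof t / sizeof t[0]; k++) {
        int rc = sanitize_member_name(t[k].n, t[k].len, buf, sizeof buf);
        printf("%zu: %s\n", k, rc == 0 ? buf : "rejected");
    }
    return 0;
}
```

Backslashes are treated as separators here because CHM names may originate on Windows; that is a conservative policy choice, not a requirement of the format.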
Milestone: 3.7.2
Reference: alpine/aports#9665