oss-sec mailing list archives

Re: Buffer overflow in cabextract/libmspack (Fwd: New cabextract 1.8 and libmspack 0.8 release)

From: Salvatore Bonaccorso <carnil () debian org>
Date: Tue, 23 Oct 2018 20:09:45 +0200

Hi

FTR, three CVEs were assigned by MITRE, whereeas one is explicitly
marked as DISPUTED, because upstream makes clear in the changelog
entry, that the chmextract utility is more an example code how to use
the library rather than "productised" binaries. Still a CVE was
assigned for downstreams using it as such.

Here are the assignments:

CVE-2018-18584:
https://github.com/kyz/libmspack/commit/40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2

CVE-2018-18585:
https://github.com/kyz/libmspack/commit/8759da8db6ec9e866cb8eb143313f397f925bb4f

CVE-2018-18586:
https://github.com/kyz/libmspack/commit/7cadd489698be117c47efcadd742651594429e6d

Regards,
Salvatore

Current thread:

Buffer overflow in cabextract/libmspack (Fwd: New cabextract 1.8 and libmspack 0.8 release) Hanno Böck (Oct 21)
- Re: Buffer overflow in cabextract/libmspack (Fwd: New cabextract 1.8 and libmspack 0.8 release) Salvatore Bonaccorso (Oct 23)