Bug 627753 (CVE-2010-2800) - VUL-1: CVE-2010-2800 CVE-2010-2801: cabextract: 1, Infinite loop in MS-ZIP and Quantum decoders (minor) 2, Integer wrap-around (crash) by processing certain *.cab files in test archive mode
Status: RESOLVED FIXED
Alias: CVE-2010-2800
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
Priority / Severity: P4 - Low / Normal
Target Milestone: ---
Deadline: 2014-07-10
Assignee: Marcus Meissner
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:34947:low maint:release...
Keywords:
Depends on:
Blocks:

Reported: 2010-08-03 08:00 UTC by Thomas Biege
Modified: 2014-07-14 08:39 UTC
CC list: 5 users

See Also:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
cabextract-r90.patch (2.02 KB, patch), 2014-06-26 12:06 UTC, Marcus Meissner
cabextract-r114.patch (2.29 KB, patch), 2014-06-26 12:07 UTC, Marcus Meissner
cabextract-r118.patch (3.76 KB, patch), 2014-06-26 12:09 UTC, Marcus Meissner

Description Thomas Biege 2010-08-03 08:00:20 UTC
Hi.
There is a security bug in package 'cabextract'.

This information is from 'oss-security'.

This bug is public.

There is no coordinated release date (CRD) set.

More information can be found here:
	http://libmspack.svn.sourceforge.net/viewvc/libmspack?view=revision&revision=90


Original posting:



----------  Forwarded Message  ----------

Subject: [oss-security] CVE Request [two ids] -- cabextract -- 1, Infinite loop in MS-ZIP and Quantum decoders (minor) 2, Integer wrap-around (crash) by processing certain *.cab files in test archive mode
Date: Monday 02 August 2010, 17:09:04
From: Jan Lieskovsky <jlieskov@redhat.com>
To:  "Steven M. Christey" <coley@linus.mitre.org>
Cc:  "oss-security" <oss-security@lists.openwall.com>

Hi Steve, vendors,

   two security issues have been reported against cabextract:

1, Infinite loop in MS-ZIP and Quantum decoders (minor issue):

A deficiency has been reported in the way cabextract extracted
certain Cabinet (*.cab) files, using the MS-ZIP and Quantum decompressors.
If a local user was tricked into opening a specially-crafted *.cab
file, it could lead to an infinite loop.

References:
   [1] http://bugs.gentoo.org/show_bug.cgi?id=329891

Upstream patches:
   [2] http://libmspack.svn.sourceforge.net/viewvc/libmspack?view=revision&revision=90
   [3] http://libmspack.svn.sourceforge.net/viewvc/libmspack?view=revision&revision=95
   [4] http://libmspack.svn.sourceforge.net/viewvc/libmspack/libmspack/trunk/mspack/

2, Integer wrap-around (crash) by processing certain *.cab files in test
archive mode

An integer wrap-around flaw has been reported in the way cabextract processed
certain Cabinet (*.cab) archive files. If a local user was tricked into opening
a specially-crafted *.cab archive in test archive mode, it could lead to a
cabextract executable crash.

References:
   [1] http://bugs.gentoo.org/show_bug.cgi?id=329891

Upstream patches:
   [2] http://libmspack.svn.sourceforge.net/viewvc/libmspack/libmspack/trunk/mspack/qtmd.c?r1=114&r2=113
   [3] http://libmspack.svn.sourceforge.net/viewvc/libmspack?view=revision&revision=118

Could you allocate CVE ids for these?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

-------------------------------------------------------------
Comment 1 Thomas Biege 2010-08-03 08:06:48 UTC
Re: [oss-security] CVE Request [two ids] -- cabextract -- 1, Infinite loop in MS-ZIP and Quantum decoders (minor) 2, Integer wrap-around (crash) by processing certain *.cab files in test archive mode
 (Josh Bressers, Cc: Steven M. Christey, Mon Aug  2 22:08:58 2010)
----- "Jan Lieskovsky" <jlieskov@redhat.com> wrote:

> Hi Steve, vendors,
> 
>    two security issues have been reported against cabextract:
> 
> 1, Infinite loop in MS-ZIP and Quantum decoders (minor issue):
> 
> A deficiency has been reported in the way cabextract extracted certain
> Cabinet (*.cab) files, using the MS-ZIP and Quantum decompressors.  If a
> local user was tricked into opening a specially-crafted *.cab file, it
> could lead to an infinite loop.
> 

CVE-2010-2800

> 2, Integer wrap-around (crash) by processing certain *.cab files in
> test archive mode
> 
> An integer wrap-around flaw has been reported in the way cabextract
> processed certain Cabinet (*.cab) archive files. If a local user was
> tricked into opening a specially-crafted *.cab archive in test archive
> mode, it could lead to cabextract executable crash.
> 

CVE-2010-2801


Thanks.

-- 
    JB
Comment 2 Swamp Workflow Management 2010-08-03 09:50:42 UTC
The SWAMPID for this issue is 34947.
This issue was rated as low.
Please submit fixed packages until 2010-08-31.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 3 Thomas Biege 2010-08-09 07:55:14 UTC
mass change P5->P3
Comment 4 Thomas Biege 2010-08-09 20:00:56 UTC
CVE-2010-2800: CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-2010-2800: Resource Management Errors (CWE-399)
CVE-2010-2801: CVSS v2 Base Score: 5.1 (MEDIUM) (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVE-2010-2801: Numeric Errors (CWE-189)
Comment 5 Dirk Mueller 2010-10-15 07:47:08 UTC
Marcus, what's the status here?
Comment 6 Thomas Biege 2010-11-18 12:34:04 UTC
CVE-2010-2800: CVSS v2 Base Score: 4.3 (low) (AV:N/AC:M/Au:N/C:N/I:N/A:P): Resource Management Errors (CWE-399)

CVE-2010-2801: CVSS v2 Base Score: 4.3 (low) (AV:N/AC:M/Au:N/C:N/I:N/A:P): Numeric Errors (CWE-189)


Too minor -> Factory only.
Comment 7 Marcus Meissner 2010-11-18 16:22:26 UTC
factory has newer cabextract 1.3 with fixes inside.

(and yes, cab files are not even opened by default by anything)
Comment 8 Dirk Mueller 2012-10-11 15:44:01 UTC
Where is the fix for SLE11 ?
Comment 9 Marcus Meissner 2012-10-11 16:41:05 UTC
no fix apparently for SLE11 yet.

need to review if it is sufficiently critical.

(use case: fetchmsttfonts downloading CABs ... so remote unvalidated CABs are possible)
Comment 10 Marcus Meissner 2014-06-26 12:06:40 UTC
Created attachment 596301 [details]
cabextract-r90.patch

simple patch for first issue (might break things according to bug?)
Comment 11 Marcus Meissner 2014-06-26 12:07:23 UTC
Created attachment 596302 [details]
cabextract-r114.patch

first (r114) patch for second issue
Comment 12 Marcus Meissner 2014-06-26 12:09:01 UTC
Created attachment 596303 [details]
cabextract-r118.patch
Comment 13 Swamp Workflow Management 2014-06-26 12:41:56 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-07-10.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58035
Comment 19 Swamp Workflow Management 2014-07-10 16:04:20 UTC
Update released for: cabextract, cabextract-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 20 Swamp Workflow Management 2014-07-10 19:47:44 UTC
Update released for: cabextract, cabextract-debuginfo, cabextract-debugsource
Products:
SLE-DEBUGINFO 11-SP3 (i386, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
Comment 21 Swamp Workflow Management 2014-07-10 23:04:44 UTC
SUSE-SU-2014:0886-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 627753
CVE References: CVE-2010-2800,CVE-2010-2801
Sources used:
SUSE Linux Enterprise Desktop 11 SP3 (src):    cabextract-1.2-2.10.1
Comment 22 Marcus Meissner 2014-07-11 09:47:35 UTC
was released