Bug 934524 (CVE-2014-9732) - VUL-1: CVE-2014-9732: cabextract,libmspack: null pointer dereference on a crafted CAB
Status: RESOLVED FIXED
Alias: CVE-2014-9732
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low    Severity: Minor
Target Milestone: ---
Deadline: 2015-07-10
Assignee: Stanislav Brabec
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/117582/
Whiteboard: CVSSv2:RedHat:CVE-2014-9732:5.0:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-12 09:24 UTC by Andreas Stieger
Modified: 2017-03-06 12:23 UTC
CC List: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Andreas Stieger 2015-06-12 09:24:22 UTC
rh#1196146

The cabd_extract function in cabd.c in libmspack before 0.5 does not properly
maintain decompression callbacks in certain cases where an invalid file follows
a valid file, which allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted CAB archive.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1196146
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9732
http://seclists.org/oss-sec/2015/q2/691
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774726#3
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774665
http://anonscm.debian.org/cgit/collab-maint/libmspack.git/commit/?id=a25bb144795e526748b57884daf365732c7e2295
http://openwall.com/lists/oss-security/2015/02/03/11

For SLE 11, this needs to be fixed in libmspack and cabextract.
For SLE 12, cabextract builds --with-external-libmspack, so only libmspack needs to be fixed.
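As an added illustration (not libmspack's cabd.c, and not the upstream fix), the C model below reproduces the shape of the bug the description gives: a decompression callback is selected per folder and cached before its initialisation has succeeded, so a failed initialisation for an invalid file leaves state that the next extraction trusts and calls through a NULL pointer. The hardened variant beside it only claims a folder once its callback is ready. All names (cab_folder, cab_file, extractor, COMP_PLAIN/COMP_BOGUS, init_decomp, extract_vuln, extract_fixed) and the three-file archive are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed names for this model (not libmspack's): cab_folder, cab_file,
 * extractor, COMP_PLAIN/COMP_BOGUS, init_decomp, extract_vuln, extract_fixed. */
enum { COMP_PLAIN = 0, COMP_BOGUS = 99 };   /* COMP_BOGUS: method the extractor cannot handle */

struct cab_folder { int comp_type; const char *data; };            /* data: constructed payload */
struct cab_file   { const char *name; struct cab_folder *folder; };

/* Decompression callback: writes the folder's data to out, returns the byte count. */
typedef int (*decomp_fn)(const struct cab_folder *fol, char *out, size_t outlen);

static int plain_decomp(const struct cab_folder *fol, char *out, size_t outlen) {
    size_t n = strlen(fol->data);
    if (n >= outlen) n = outlen - 1;
    memcpy(out, fol->data, n);
    out[n] = '\0';
    return (int)n;
}

/* Per-archive extraction state: which folder the callback was set up for,
 * and the callback itself (NULL when nothing is set up). */
struct extractor {
    struct cab_folder *folder;
    decomp_fn decompress;
};

/* Select a callback for the folder's compression method. 0 on success, -1 if
 * the method is unknown; on failure the callback is left cleared. */
static int init_decomp(struct extractor *ex, const struct cab_folder *fol) {
    switch (fol->comp_type) {
    case COMP_PLAIN: ex->decompress = plain_decomp; return 0;
    default:         ex->decompress = NULL;         return -1;
    }
}

/* Vulnerable shape: the folder is cached BEFORE init_decomp() succeeds. A file
 * in an unsupported folder fails cleanly but leaves folder set and decompress
 * NULL; the next file from that folder skips init and calls the NULL pointer. */
static int extract_vuln(struct extractor *ex, const struct cab_file *f, char *out, size_t outlen) {
    if (ex->folder != f->folder) {
        ex->folder = f->folder;
        if (init_decomp(ex, f->folder) != 0) return -1;
    }
    return ex->decompress(f->folder, out, outlen);   /* NULL call when the state is stale */
}

/* Hardened shape: never claim a folder until its callback is ready, and
 * re-initialise whenever the callback is missing. */
static int extract_fixed(struct extractor *ex, const struct cab_file *f, char *out, size_t outlen) {
    if (ex->folder != f->folder || ex->decompress == NULL) {
        ex->folder = NULL;
        ex->decompress = NULL;
        if (init_decomp(ex, f->folder) != 0) return -1;
        ex->folder = f->folder;
    }
    return ex->decompress(f->folder, out, outlen);
}

/* Constructed archive: one valid file, then two files in a folder whose
 * compression method the extractor cannot handle. */
static struct cab_folder good_folder = { COMP_PLAIN, "hello" };
static struct cab_folder bad_folder  = { COMP_BOGUS, "" };
static const struct cab_file good_file = { "a.txt", &good_folder };
static const struct cab_file bad_file  = { "b.txt", &bad_folder };
static const struct cab_file bad_file2 = { "c.txt", &bad_folder };

/* Valid file then invalid file through the vulnerable extractor. Returns 1 if
 * the state is left stale (folder cached, callback NULL), i.e. one more
 * extract_vuln() on bad_folder would dereference NULL. That call is not made. */
int vuln_leaves_stale_state(void) {
    struct extractor ex = { NULL, NULL };
    char buf[32];
    if (extract_vuln(&ex, &good_file, buf, sizeof buf) != 5) return 0;
    if (extract_vuln(&ex, &bad_file, buf, sizeof buf) != -1) return 0;
    return ex.folder == &bad_folder && ex.decompress == NULL;
}

/* Same sequence, plus the second invalid file and a return to the valid one,
 * through the fixed extractor. Returns 1 if every call behaves. */
int fixed_handles_sequence(void) {
    struct extractor ex = { NULL, NULL };
    char buf[32];
    return extract_fixed(&ex, &good_file, buf, sizeof buf) == 5
        && extract_fixed(&ex, &bad_file,  buf, sizeof buf) == -1
        && extract_fixed(&ex, &bad_file2, buf, sizeof buf) == -1   /* would crash in extract_vuln */
        && extract_fixed(&ex, &good_file, buf, sizeof buf) == 5
        && strcmp(buf, "hello") == 0;
}

int main(void) {
    printf("vulnerable extractor leaves stale state: %s\n", vuln_leaves_stale_state() ? "yes" : "no");
    printf("fixed extractor handles the sequence:    %s\n", fixed_handles_sequence() ? "yes" : "no");
    return 0;
}
```

The vulnerable path is replayed only up to the point where the stale state exists; the crashing call is left to the reader to add if they want to see it under a debugger. When reviewing a backport of this class of fix, the property to check is the one the hardened variant encodes: no cached folder without a live callback, and a re-initialisation whenever the callback is absent.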
Comment 1 Swamp Workflow Management 2015-06-12 09:40:12 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2015-07-10.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61986
Comment 2 Swamp Workflow Management 2015-06-12 22:02:03 UTC
bugbot adjusting priority
Comment 3 Stanislav Brabec 2015-06-15 14:34:14 UTC
http://anonscm.debian.org/cgit/collab-maint/libmspack.git/commit/?id=a25bb144795e526748b57884daf365732c7e2295 seems to be incorrect, as it covers different vulnerabilities:

    - fix-division-by-zero.patch (bsc#934525, CVE-2015-4467)
    - fix-pointer-arithmetic-overflow.patch (bsc#934526,
      CVE-2015-4468)
    - fix-name-field-boundaries.patch (bsc#934526, CVE-2015-4469)
    (Closes: Debian#774725, Debian#774726)
Comment 4 Stanislav Brabec 2015-06-15 18:38:50 UTC
I found no relevant reference to the fix of this bug, but guessing from the description, this could be a fix: https://github.com/kyz/libmspack/commit/4f3e63aeb09da248c83d6a4c11d33b934525b941
Comment 5 Stanislav Brabec 2015-06-15 18:47:54 UTC
SUSE patch name will be: libmspack-cabd_extract-null-deref.patch
Comment 7 Stanislav Brabec 2015-06-16 18:41:43 UTC
The patch was relatively easy to backport for SLE11 libmspack, and I hope it is correct:

https://build.suse.de/project/show/home:sbrabec:branches:libmspack-security-sle11
Comment 13 Swamp Workflow Management 2015-11-27 16:17:08 UTC
SUSE-SU-2015:2131-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 934524,934527,934528
CVE References: CVE-2014-9556,CVE-2014-9732,CVE-2015-4470,CVE-2015-4471
Sources used:
SUSE Linux Enterprise Desktop 11-SP4 (src):    cabextract-1.2-2.12.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    cabextract-1.2-2.12.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    cabextract-1.2-2.12.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    cabextract-1.2-2.12.1
Comment 14 Swamp Workflow Management 2015-12-07 17:11:42 UTC
SUSE-SU-2015:2215-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 934524,934525,934526,934527,934528,934529
CVE References: CVE-2014-9732,CVE-2015-4467,CVE-2015-4469,CVE-2015-4470,CVE-2015-4471,CVE-2015-4472
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Server 11-SP4 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Server 11-SP3 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libmspack-0.0.20060920alpha-74.10.1
Comment 15 Stanislav Brabec 2017-03-02 18:52:02 UTC
It seems to have been fixed a long time ago.

All SLE versions are fixed.

All openSUSE versions contain versions newer than libmspack-0.4-3.