Bugzilla – Bug 934526
VUL-1: CVE-2015-4468,CVE-2015-4469: cabextract,libmspack: libmspack: pointer arithmetic overflow during CHM decompression
Last modified: 2020-09-23 15:48:51 UTC
The chmd_read_headers function in chmd.c in libmspack before 0.5 does not validate name lengths, which allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted CHM file.

> CHM decompression: pointer arithmetic overflow
> - https://bugs.debian.org/774726

Relative to the http://anonscm.debian.org/cgit/collab-maint/libmspack.git/commit/?id=a25bb144795e526748b57884daf365732c7e2295 commit, use CVE-2015-4468 for the issues resolved by fix-pointer-arithmetic-overflow.patch and use CVE-2015-4469 for the issue resolved by fix-name-field-boundaries.patch. (Note that these were originally combined within the diff included in the https://bugs.debian.org/774726#3 message.) The fix-name-field-boundaries.patch is about missing input validation and can't have the same CVE ID as the two cases where the only change was from a "p + name_len > end" test to a "name_len > end - p" test.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1180177
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4469
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4468
http://seclists.org/oss-sec/2015/q2/691
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774726
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774726#3
http://anonscm.debian.org/cgit/collab-maint/libmspack.git/diff/debian/patches/fix-pointer-arithmetic-overflow.patch?id=a25bb144795e526748b57884daf365732c7e2295
http://anonscm.debian.org/cgit/collab-maint/libmspack.git/commit/?id=a25bb144795e526748b57884daf365732c7e2295
http://anonscm.debian.org/cgit/collab-maint/libmspack.git/diff/debian/patches/fix-name-field-boundaries.patch?id=a25bb144795e526748b57884daf365732c7e2295

For SLE 11, this needs to be fixed in libmspack and cabextract. For SLE 12, cabextract builds --with-external-libmspack, so only libmspack needs to be fixed.
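The two kinds of fix named above (the "p + name_len > end" to "name_len > end - p" rewrite for CVE-2015-4468, and the missing name-length validation for CVE-2015-4469), shown in an added example that is not code from libmspack, cabextract, or the Debian/SUSE patches. It parses a minimal PMGL-style CHM directory entry (name_len, name, section, offset, length, each integer a CHM ENCINT: big-endian, 7 data bits per byte, 0x80 meaning another byte follows) and compares a pre-fix style bounds test with the fixed form on a crafted length. The function names, the struct, the 64-byte name cap and the sample bytes are assumptions constructed for the example; the unsafe test is done in uintptr_t so the wrap is observable rather than undefined behaviour.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Read a CHM ENCINT: big-endian, 7 data bits per byte, 0x80 = more bytes.
 * Returns 0 and advances *pp on success, -1 if the buffer ends first or
 * the integer is longer than the 10 bytes a 64-bit value needs. */
static int read_encint(const uint8_t **pp, const uint8_t *end, uint64_t *out)
{
    const uint8_t *p = *pp;
    uint64_t v = 0;
    int n = 0;
    do {
        if (p >= end || n++ >= 10) return -1;
        v = (v << 7) | (*p & 0x7F);
    } while (*p++ & 0x80);
    *pp = p;
    *out = v;
    return 0;
}

/* Pre-fix style test, "p + name_len > end": the untrusted length is added to
 * the pointer before comparing. Returns 1 if the name appears to fit. */
static int name_fits_unsafe(const uint8_t *p, const uint8_t *end, uint64_t name_len)
{
    uintptr_t sum = (uintptr_t)p + (uintptr_t)name_len;   /* may wrap past 0 */
    return sum <= (uintptr_t)end;
}

/* Fixed style test, "name_len > end - p": compare the length against the
 * bytes actually remaining; no untrusted value is added to a pointer. */
static int name_fits_safe(const uint8_t *p, const uint8_t *end, uint64_t name_len)
{
    return name_len <= (uint64_t)(end - p);
}

struct chm_entry {
    char     name[64];       /* assumed cap for the example */
    uint64_t section, offset, length;
};

/* Parse one directory entry with the safe bounds test and an explicit
 * name-length check. Returns bytes consumed, or -1 on any failure. */
static int parse_entry(const uint8_t *buf, size_t len, struct chm_entry *e)
{
    const uint8_t *p = buf, *end = buf + len;
    uint64_t name_len;

    if (read_encint(&p, end, &name_len)) return -1;
    if (!name_fits_safe(p, end, name_len) || name_len >= sizeof e->name)
        return -1;                       /* the validation CVE-2015-4469 was about */
    memcpy(e->name, p, (size_t)name_len);
    e->name[name_len] = '\0';
    p += name_len;

    if (read_encint(&p, end, &e->section) ||
        read_encint(&p, end, &e->offset)  ||
        read_encint(&p, end, &e->length))
        return -1;
    return (int)(p - buf);
}

/* Constructed sample bytes, not taken from any real CHM file. */
static const uint8_t GOOD_ENTRY[] = {
    0x0A, '/', 'i', 'n', 'd', 'e', 'x', '.', 'h', 't', 'm',  /* name_len 10, name */
    0x00,                                                    /* section 0 */
    0x81, 0x00,                                              /* offset 128 */
    0x05                                                     /* length 5 */
};
/* name_len encodes 0xFFFFFFFFFFFFFFFF in 10 bytes; only two name bytes follow. */
static const uint8_t CRAFTED_ENTRY[] = {
    0x81, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F, 'A', 'B'
};

/* Returns 1 when the pre-fix test accepts the crafted length (because
 * p + name_len wraps to p - 1) while the fixed test rejects it. */
static int crafted_length_wraps(void)
{
    const uint8_t *p = CRAFTED_ENTRY, *end = CRAFTED_ENTRY + sizeof CRAFTED_ENTRY;
    uint64_t name_len;
    if (read_encint(&p, end, &name_len) || name_len != UINT64_MAX) return 0;
    return name_fits_unsafe(p, end, name_len) && !name_fits_safe(p, end, name_len);
}

int main(void)
{
    struct chm_entry e;
    int n = parse_entry(GOOD_ENTRY, sizeof GOOD_ENTRY, &e);
    printf("good entry: consumed %d bytes, name=%s offset=%llu\n",
           n, e.name, (unsigned long long)e.offset);
    printf("crafted entry: parse=%d, pre-fix test fooled=%d\n",
           parse_entry(CRAFTED_ENTRY, sizeof CRAFTED_ENTRY, &e), crafted_length_wraps());
    return 0;
}
```

The all-ones length is used because it makes the wrapped sum land at p - 1 whatever the pointer width, so the faulty comparison passes on both 32- and 64-bit builds; on a 32-bit target any length near 2^32 - p has the same effect. Subtracting first (end - p) keeps the comparison between two in-range quantities, which is the whole content of the CVE-2015-4468 fix; the separate range check on name_len before the copy is what the CVE-2015-4469 patch adds.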
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2015-07-10. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61986
bugbot adjusting priority
Taking fix-name-field-boundaries.patch and fix-pointer-arithmetic-overflow.patch from Debian.
Upstream merged both these fixes into one commit and added explicit retyping: https://github.com/kyz/libmspack/commit/5692b75a21bf71dd86ac84bcfeb9ce8c0830658e Maybe it makes sense to take this patch.
SLE12: https://build.suse.de/request/show/60400 https://build.suse.de/package/show/home:sbrabec:branches:libmspack-security/libmspack.SUSE_SLE-12_Update SLE11 and openSUSE will be prepared tomorrow.
I worked on backporting to SLE11 today, and it seems that the fix from fix-pointer-arithmetic-overflow.patch does not affect SLE11 libmspack. fix-name-field-boundaries.patch does. The code was significantly different and needed a rewrite. Note that the check was not even written incorrectly; it was missing there entirely. https://build.suse.de/project/show/home:sbrabec:branches:libmspack-security-sle11
Done. https://build.suse.de/project/show/home:sbrabec:branches:libmspack-security-sle11
libmspack: https://build.suse.de/request/show/60558
cabextract: not affected (CHM decompression is not implemented)
SUSE-SU-2015:2215-1: An update that fixes 6 vulnerabilities is now available.
Category: security (moderate)
Bug References: 934524,934525,934526,934527,934528,934529
CVE References: CVE-2014-9732,CVE-2015-4467,CVE-2015-4469,CVE-2015-4470,CVE-2015-4471,CVE-2015-4472
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Server 11-SP4 (src): libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Server 11-SP3 (src): libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Desktop 11-SP4 (src): libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Desktop 11-SP3 (src): libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): libmspack-0.0.20060920alpha-74.10.1
SUSE-SU-2016:0011-1: An update that fixes 7 vulnerabilities is now available.
Category: security (moderate)
Bug References: 934524,934525,934526,934527,934528,934529
CVE References: CVE-2014-9732,CVE-2015-4467,CVE-2015-4468,CVE-2015-4469,CVE-2015-4470,CVE-2015-4471,CVE-2015-4472
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): libmspack-0.4-14.4
SUSE Linux Enterprise Software Development Kit 12 (src): libmspack-0.4-14.4
SUSE Linux Enterprise Server 12-SP1 (src): libmspack-0.4-14.4
SUSE Linux Enterprise Server 12 (src): libmspack-0.4-14.4
SUSE Linux Enterprise Desktop 12-SP1 (src): libmspack-0.4-14.4
SUSE Linux Enterprise Desktop 12 (src): libmspack-0.4-14.4
Released.