Bugzilla – Bug 1113040
VUL-1: CVE-2018-18586: libmspack: chmextract.c add anti "../" and leading slash protection to chmextract
Last modified: 2024-05-08 12:57:13 UTC
CVE-2018-18586 FTR, three CVEs were assigned by MITRE, whereeas one is explicitly marked as DISPUTED, because upstream makes clear in the changelog entry, that the chmextract utility is more an example code how to use the library rather than "productised" binaries. Still a CVE was assigned for downstreams using it as such. Upstream changelog: 2018-10-20 Stuart Caie <kyzer@cabextract.org.uk> * src/chmextract.c: add anti "../" and leading slash protection to chmextract. I'm not pleased about this. All the sample code provided with libmspack is meant to be simple examples of library use, not "productised" binaries. Making the "useful" code samples install as binaries was a mistake. They were never intended to protect you from unpacking archive files with relative/absolute paths, and I would prefer that they never will be. Upstream fix: https://github.com/kyz/libmspack/commit/7cadd489698be117c47efcadd742651594429e6d References: https://www.openwall.com/lists/oss-security/2018/10/23/11 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18586
The chmextract tool part of the mspack-tools RPM, that is not shipped with SLE. This problem only affects openSUSE code streams.
This is an autogenerated message for OBS integration: This bug (1113040) was mentioned in https://build.opensuse.org/request/show/644862 15.0 / libmspack
This is an autogenerated message for OBS integration: This bug (1113040) was mentioned in https://build.opensuse.org/request/show/645188 15.0 / libmspack https://build.opensuse.org/request/show/645191 42.3 / libmspack
openSUSE-SU-2018:3562-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 1113038,1113039,1113040 CVE References: CVE-2018-18584,CVE-2018-18585,CVE-2018-18586 Sources used: openSUSE Leap 42.3 (src): libmspack-0.5-8.3.1
Leap 15.1 seems affected
SUSE-SU-2022:0069-1: An update that fixes one vulnerability is now available. Category: security (low) Bug References: 1113040 CVE References: CVE-2018-18586 JIRA References: Sources used: SUSE MicroOS 5.1 (src): libmspack-0.6-3.14.1 SUSE MicroOS 5.0 (src): libmspack-0.6-3.14.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): libmspack-0.6-3.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2022:0069-1: An update that fixes one vulnerability is now available. Category: security (low) Bug References: 1113040 CVE References: CVE-2018-18586 JIRA References: Sources used: openSUSE Leap 15.3 (src): libmspack-0.6-3.14.1
openSUSE-SU-2022:0069-2: An update that fixes one vulnerability is now available. Category: security (low) Bug References: 1113040 CVE References: CVE-2018-18586 JIRA References: Sources used: openSUSE Leap 15.4 (src): libmspack-0.6-3.14.1
SUSE-SU-2022:0069-2: An update that fixes one vulnerability is now available. Category: security (low) Bug References: 1113040 CVE References: CVE-2018-18586 JIRA References: Sources used: SUSE Linux Enterprise Realtime Extension 15-SP2 (src): libmspack-0.6-3.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Released.
Hi Stanislav, please never close security-related issue yourself, instead re-assign them back to security-team@suse.de. I still see SUSE:SLE-12:Update/libmspack flagged as affected in our tracking tool, that should mean that a submission is missing. Please review.
Sent the fix to the missing codestream here: * SUSE:SLE-12:Update/libmspack: https://build.suse.de/request/show/283290 Thanks Gianluca for pointing out the missing codestream, assigning back to Security for review.
SUSE-SU-2022:4287-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1113040 CVE References: CVE-2018-18586 JIRA References: Sources used: SUSE Linux Enterprise Software Development Kit 12-SP5 (src): libmspack-0.4-15.13.1 SUSE Linux Enterprise Server 12-SP5 (src): libmspack-0.4-15.13.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.