libmspack: CVE-2015-4467: CHM decompression: division by zero

Related Vulnerabilities: CVE-2015-4467  

Debian Bug report logs - #774725


Reported by: Jakub Wilk <jwilk@debian.org>

Date: Tue, 6 Jan 2015 20:21:01 UTC

Severity: grave

Tags: patch, security

Found in version libmspack/0.4-2

Fixed in version libmspack/0.4-3

Done: Marc Dequènes (Duck) <Duck@DuckCorp.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, pkg-clamav-devel@lists.alioth.debian.org, team@security.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>:
Bug#774725; Package libmspack0. (Tue, 06 Jan 2015 20:21:06 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libmspack: CHM decompression: division by zero
Date: Tue, 6 Jan 2015 21:18:17 +0100
Package: libmspack0
Version: 0.4-2
Severity: grave
Tags: security patch
Usertags: afl

libmspack crashes with SIGFPE on the attached CHM file:

$ gpg -d < sigfpe.chm.asc > sigfpe.chm
$ test/chmd_md5 sigfpe.chm
*** sigfpe.chm
d41d8cd98f00b204e9800998ecf8427e /#ITBITS
Floating point exception

Backtrace:
#0  0x5655d37b in __divdi3 ()
#1  0x56559ebb in chmd_init_decomp (file=0x56563378, self=0x56562008) at mspack/chmd.c:1132
#2  chmd_extract (base=0x56562008, file=0x56563378, filename=0x0) at mspack/chmd.c:996
#3  0x56555c40 in main (argc=2, argv=0xffffd888) at test/chmd_md5.c:44

This bug does affect ClamAV.

The attached patch should fix the problem. (But I'm not familiar with 
the code base, so please double-check it.)

This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl


-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libmspack0 depends on:
ii  libc6              2.19-13
ii  multiarch-support  2.19-13

-- 
Jakub Wilk
[fix-division-by-zero.diff (text/x-diff, attachment)]
[sigfpe.chm.asc (text/plain, attachment)]
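The crash above is an integer division whose divisor comes straight from the input file: chmd_init_decomp() divides by a value taken from the CHM's LZX control data, and a fuzzed file that sets it to zero raises SIGFPE (on i386 the 64-bit division goes through the compiler helper __divdi3, which is why that is frame #0). The following is an added example, not libmspack's code or the attached patch: it models the bug class with a simplified, assumed control-record layout (two little-endian 32-bit fields, a window size and a reset interval; the field names and layout are illustrative, not the real CHM format) and shows the unchecked division beside the hardened form that rejects the file instead of crashing. The sample records are constructed here.

```c
/* Added example: models the division-by-zero class behind the report,
 * not libmspack's own chmd_init_decomp(). Record layout is assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

#define ERR_OK         0
#define ERR_DATAFORMAT 1

/* Little-endian 32-bit read, as any CHM/LZX header parser needs. */
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical simplified control record: both fields are read from the
 * file, so both are attacker-controlled. */
struct lzx_control {
    uint32_t window_size;    /* bytes 0..3 */
    uint32_t reset_interval; /* bytes 4..7 */
};

static void parse_control(const uint8_t *rec, struct lzx_control *c) {
    c->window_size    = get_le32(rec);
    c->reset_interval = get_le32(rec + 4);
}

/* Vulnerable form: the reset-table entry is computed by dividing by a
 * file-supplied value with no validation. A record whose reset_interval
 * is 0 terminates the process with SIGFPE, as in the reporter's sample. */
static int reset_entry_unsafe(const uint8_t *rec, uint64_t offset,
                              uint64_t *entry) {
    struct lzx_control c;
    parse_control(rec, &c);
    *entry = offset / c.reset_interval;  /* zero divisor -> SIGFPE */
    return ERR_OK;
}

/* Hardened form: every divisor that originates in the file is checked
 * before the division, and a malformed file yields a data-format error
 * rather than a crash. The same rule applies to any later division by
 * window_size or other file-derived sizes. */
static int reset_entry_safe(const uint8_t *rec, uint64_t offset,
                            uint64_t *entry) {
    struct lzx_control c;
    parse_control(rec, &c);
    if (c.reset_interval == 0 || c.window_size == 0)
        return ERR_DATAFORMAT;
    *entry = offset / c.reset_interval;
    return ERR_OK;
}

/* Constructed sample records (not taken from the attached sigfpe.chm). */
static const uint8_t good_rec[8] = {
    0x00, 0x00, 0x01, 0x00,  /* window_size    = 65536 */
    0x00, 0x80, 0x00, 0x00   /* reset_interval = 32768 */
};
static const uint8_t bad_rec[8] = {
    0x00, 0x00, 0x01, 0x00,  /* window_size    = 65536 */
    0x00, 0x00, 0x00, 0x00   /* reset_interval = 0     */
};

int main(void) {
    uint64_t entry = 0;
    int rc = reset_entry_safe(good_rec, 98304, &entry);
    printf("good record: rc=%d entry=%" PRIu64 "\n", rc, entry);
    rc = reset_entry_safe(bad_rec, 98304, &entry);
    printf("zero reset_interval: rc=%d (rejected, no SIGFPE)\n", rc);
    /* reset_entry_unsafe(bad_rec, ...) is deliberately not called here:
     * it would kill this process with SIGFPE. */
    return 0;
}
```

When reviewing a fix for this class of bug, check that the zero test sits before the first use of the value as a divisor and that it covers every such field (window size, reset interval, block sizes), not only the one the fuzzer happened to hit; a fuzzing harness such as the AFL setup the reporter used will find the next unchecked divisor quickly.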

Bug 774725 cloned as bug 774766 Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc> to control@bugs.debian.org. (Wed, 07 Jan 2015 11:27:05 GMT)


Added tag(s) pending. Request was from Marc Dequènes (Duck) <Duck@DuckCorp.org> to control@bugs.debian.org. (Tue, 13 Jan 2015 17:45:04 GMT)


Reply sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>:
You have taken responsibility. (Tue, 13 Jan 2015 23:06:08 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Tue, 13 Jan 2015 23:06:08 GMT)


Message #12 received at 774725-close@bugs.debian.org:

From: Marc Dequènes (Duck) <Duck@DuckCorp.org>
To: 774725-close@bugs.debian.org
Subject: Bug#774725: fixed in libmspack 0.4-3
Date: Tue, 13 Jan 2015 23:03:41 +0000
Source: libmspack
Source-Version: 0.4-3

We believe that the bug you reported is fixed in the latest version of
libmspack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774725@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Dequènes (Duck) <Duck@DuckCorp.org> (supplier of updated libmspack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 13 Jan 2015 22:51:40 +0100
Source: libmspack
Binary: libmspack0 libmspack-dev libmspack-dbg libmspack-doc
Architecture: source amd64 all
Version: 0.4-3
Distribution: unstable
Urgency: medium
Maintainer: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Changed-By: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Description:
 libmspack-dbg - library for Microsoft compression formats (debugging symbols)
 libmspack-dev - library for Microsoft compression formats (development files)
 libmspack-doc - library for Microsoft compression formats (documentation)
 libmspack0 - library for Microsoft compression formats (shared library)
Closes: 774725 774726
Changes:
 libmspack (0.4-3) unstable; urgency=medium
 .
   * Added (slightly modified/split) patches from Jakub Wilk to fix
     programming errors causing segfaults and security issues:
     - fix-division-by-zero.patch
     - fix-pointer-arithmetic-overflow.patch
     - fix-name-field-boundaries.patch
     (Closes: #774725, #774726)
Checksums-Sha1:
 457bdda8573d0884706dffea347507a10486585c 2064 libmspack_0.4-3.dsc
 ef3753b20531415e59c60d2fbd9c6480cfbb4e98 4244 libmspack_0.4-3.debian.tar.xz
 f596e7aaa2a6d6fcae58bf0624be1ba68c8f193d 45774 libmspack0_0.4-3_amd64.deb
 6eb3b4483388106af402232b9cfe233821c9e70c 64114 libmspack-dev_0.4-3_amd64.deb
 725577d98a928a255ba98c088773a7baa2ede06f 83356 libmspack-dbg_0.4-3_amd64.deb
 4de4711f4279e1760b8aa93228016a2bf4c3e93f 87904 libmspack-doc_0.4-3_all.deb
Checksums-Sha256:
 52e28bac82106ccadaf36e3c071017eda75c01745b0a871f6fd97686fc045b21 2064 libmspack_0.4-3.dsc
 d76bd7b1a5299cafa2ef571904d8464e867cc668ea5020f1156de1ad3dd0ec09 4244 libmspack_0.4-3.debian.tar.xz
 7c8ebd7214b428b85840347d9355abc72dac1b9fb148a9bba7f50ebe525f52d8 45774 libmspack0_0.4-3_amd64.deb
 fb19edd1bd2b150872e6f08b2326440bdd214be16e0009f4e2060987b544dc73 64114 libmspack-dev_0.4-3_amd64.deb
 8d057d985ff2a8eae59190e9cb77a1f523e59803a9f080c2daae35574f266d51 83356 libmspack-dbg_0.4-3_amd64.deb
 9ba195e3bb9dbbb831191ade6ea63b2f1374a0a72dbd4adecd788fa8dc3b1a75 87904 libmspack-doc_0.4-3_all.deb
Files:
 e31c3ae80b05e8741989767e5d0829fc 2064 libs optional libmspack_0.4-3.dsc
 a0ec9b85e6006129cf79da080e93f0b6 4244 libs optional libmspack_0.4-3.debian.tar.xz
 268a598d587596279a137d27d73d26e4 45774 libs optional libmspack0_0.4-3_amd64.deb
 9e44a664d26d225ac9ab92c767e84920 64114 libdevel optional libmspack-dev_0.4-3_amd64.deb
 f257da36c8a8f31419b5181fbaab1296 83356 debug extra libmspack-dbg_0.4-3_amd64.deb
 c263e26a473926aea0d45d447fd601f2 87904 doc optional libmspack-doc_0.4-3_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 12 Feb 2015 07:26:03 GMT)


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 11 Jun 2015 15:21:05 GMT)


Changed Bug title to 'libmspack: CVE-2015-4467: CHM decompression: division by zero' from 'libmspack: CHM decompression: division by zero' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 11 Jun 2015 15:21:06 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Jul 2015 07:27:46 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:27:21 2019; Machine Name: beach
