Debian Bug report logs -
#911639
libmspack: CVE-2018-18586: add anti "../" and leading slash protection to chmextract
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 22 Oct 2018 22:12:06 UTC
Severity: minor
Tags: patch, security, upstream
Found in version libmspack/0.7-1
Fixed in version libmspack/0.8-1
Done: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>:
Bug#911639; Package src:libmspack.
(Mon, 22 Oct 2018 22:12:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>.
(Mon, 22 Oct 2018 22:12:09 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libmspack
Version: 0.7-1
Severity: minor
Tags: patch security upstream
Hi
From https://www.openwall.com/lists/oss-security/2018/10/22/1
> chmextract now protects you from absolute/relative pathnames in CHM
> files
this is only for sample code on how to use the library and not
installed into the binary packages. But still tracking the affected
source and possible later source fix.
The fix is at
https://github.com/kyz/libmspack/commit/7cadd489698be117c47efcadd742651594429e6d
.
Regards,
Salvatore
Changed Bug title to 'libmspack: CVE-2018-18586: add anti "../" and leading slash protection to chmextract' from 'libmspack: add anti "../" and leading slash protection to chmextract'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 23 Oct 2018 06:15:02 GMT) (full text, mbox, link).
Reply sent
to Marc Dequènes (Duck) <Duck@DuckCorp.org>:
You have taken responsibility.
(Wed, 24 Oct 2018 01:39:08 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Wed, 24 Oct 2018 01:39:08 GMT) (full text, mbox, link).
Message #12 received at 911639-close@bugs.debian.org (full text, mbox, reply):
Source: libmspack
Source-Version: 0.8-1
We believe that the bug you reported is fixed in the latest version of
libmspack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 911639@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marc Dequènes (Duck) <Duck@DuckCorp.org> (supplier of updated libmspack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 24 Oct 2018 10:03:13 +0900
Source: libmspack
Binary: libmspack0 libmspack-dev libmspack-doc
Architecture: source amd64 all
Version: 0.8-1
Distribution: unstable
Urgency: medium
Maintainer: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Changed-By: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Description:
libmspack-dev - library for Microsoft compression formats (development files)
libmspack-doc - library for Microsoft compression formats (documentation)
libmspack0 - library for Microsoft compression formats (shared library)
Closes: 911637 911639 911640
Changes:
libmspack (0.8-1) unstable; urgency=medium
.
* New upstream release:
+ CVE-2018-18585 (Closes: #911637)
+ CVE-2018-18584 (Closes: #911640)
+ CVE-2018-18586 (Closes: #911639)
Checksums-Sha1:
451257a0dc726672b88ea37a881a77ab1c749d86 2012 libmspack_0.8-1.dsc
43b01cb13f70ad3a273ab4edbe7a7298b35dd59e 488869 libmspack_0.8.orig.tar.gz
93c82f4502677f2bdacf2026e6e86426bacce1b6 3328 libmspack_0.8-1.debian.tar.xz
611a9600c776da89158bb64acc62a8d7f905e334 66600 libmspack-dev_0.8-1_amd64.deb
dfa1ecfbd448809ba6a47b9d8aad360d93a4cab8 329376 libmspack-doc_0.8-1_all.deb
3fa5b5b0d0000d1d49e924dac0c2e2000375d371 98644 libmspack0-dbgsym_0.8-1_amd64.deb
395a3bdfbe93870500c53e69106698731b6f6950 48204 libmspack0_0.8-1_amd64.deb
7bdc9e6cb29a131ba9e6a60b3ee49f206d92993d 7805 libmspack_0.8-1_amd64.buildinfo
Checksums-Sha256:
6e97b6a49db065d76e9c27cc329af48230d7bd7e03903b087f7be5973db7b573 2012 libmspack_0.8-1.dsc
0533792e9561375a5fce1bc96bbc65ec778af486e0daa3803b226da9244addaf 488869 libmspack_0.8.orig.tar.gz
1779726c5bfd7c8b882d7e4abf755800b5bc4aea118a69a79bf7b958e55fddc4 3328 libmspack_0.8-1.debian.tar.xz
726561bda64248dee539ea7ced7e080e3d4eaa37430c310482a508bd7c339ada 66600 libmspack-dev_0.8-1_amd64.deb
897a7051fb914c41da4b965304b2be7794b6198181231a0fe68fdc68b97d9044 329376 libmspack-doc_0.8-1_all.deb
a1f155e392259cea8b96f63b99aee8b625cbeca1006eb3b3e6fb6d7e1b3a764a 98644 libmspack0-dbgsym_0.8-1_amd64.deb
f7a911bf784a615ca7f2dcd6e241c0991ac5ddfff2037da1cd0639c01833bffd 48204 libmspack0_0.8-1_amd64.deb
09049f9e7feb52f66360b4248de9e4ea5d4480a53ec679847f9c5965ff5e1a17 7805 libmspack_0.8-1_amd64.buildinfo
Files:
3051a7d4d60a415efed41ccad9a34d3b 2012 libs optional libmspack_0.8-1.dsc
be4ed61868c6c1ecc173b678ce3459be 488869 libs optional libmspack_0.8.orig.tar.gz
20f03bdf943dccb67c78c793d1f0f3be 3328 libs optional libmspack_0.8-1.debian.tar.xz
9aeeee08c49881c346e1d0cafc19df28 66600 libdevel optional libmspack-dev_0.8-1_amd64.deb
d339bc7d06d0e5603ca37c9e8955f1b0 329376 doc optional libmspack-doc_0.8-1_all.deb
6cb61ede4edabf038d43cfeb35b9bb2a 98644 debug optional libmspack0-dbgsym_0.8-1_amd64.deb
57cb3a2a5429df5d8bbfc0405fac356a 48204 libs optional libmspack0_0.8-1_amd64.deb
6bf5b76fae5b041b834a809fe97ecea2 7805 libs optional libmspack_0.8-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEcpcqg+UmRT3yiF+BVen596wcRD8FAlvPx5EACgkQVen596wc
RD+NMA//c8riD79aK9TMMzLGuiaQMfQaALjxydo2cJEYMw8uT6jKdI7z7aGJxAV5
3/FI8RbOlDJZnfMa0ouR8J4ulh46Ug59Pwt32de8ewHY0R5z702nttShcbKcXc1t
8uJy9VxMb/zdBVBZbOTc1FKAEqc8fgT9J0aynSokVGVG9CSMVzxWqwbJ6C2G9Z8+
A8j4NmkuTmHtIWeRrE5JzRb1dz2lcxwTpN9Co2J9EEp1mb2I2RGIxzz+ORBYuo6y
9aZsItoHgEN4GBqDyNLUeTb4OFqDnToMxhhgRRycsoruAdFk2416N1LhWuuKLCSH
Gei7bg7cmMEhLi5yHPsnzCdSS6iebtli7PZCCKiqWf11InovXE7S+yEeAzOe5DGF
Tl7K3WSy1sK6nXx4Ano5Vc6gsW3aRvfkKZG/+8A0hnEM+oSuXRBqJooWcXoJo28Y
U1TU66TXMj7lGvCek4+fs/Pzj7Uh4zY8fZ6aFU7aKKh/IbO1m+oGIe/GiNM5YpPu
8zF63o+C2vx6i9bV24yYyD7FwezqQrY+kMPpTwaAJehyb28HveCh0+g5j45E34eL
GfoZaa0vbED+iL5PpSE70SYZGFZ2LBqSmfMUQxI683GUpJyNKr/9QNc7i0EbGW4q
jz63tXtG8+dMufbpf8uGicmDaOy9fhVW6jJNnEf4ep/O89YdrAA=
=kh/S
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 26 Nov 2018 07:27:41 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:05:36 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon