libmspack: CVE-2017-11423

Debian Bug report logs - #868956
libmspack: CVE-2017-11423

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libmspack: CVE-2017-11423

Date: Wed, 19 Jul 2017 22:15:00 +0200

Source: libmspack
Version: 0.5-1
Severity: important
Tags: security upstream
Forwarded: https://bugzilla.clamav.net/show_bug.cgi?id=11873

Hi,

the following vulnerability was published for libmspack.

CVE-2017-11423[0]:
| The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha,
| as used in ClamAV 0.99.2 and other products, allows remote attackers to
| cause a denial of service (stack-based buffer over-read and application
| crash) via a crafted CAB file.

Unfortunately the upstream bug [1] is locked-down.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11423
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11423
[1] https://bugzilla.clamav.net/show_bug.cgi?id=11873

Regards,
Salvatore

Message #12 received at 868956@bugs.debian.org (full text, mbox, reply):

From: Marc Dequènes (duck) <duck@duckcorp.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 868956@bugs.debian.org

Cc: kyzer@cabextract.org.uk

Subject: Re: Bug#868956: libmspack: CVE-2017-11423

Date: Mon, 24 Jul 2017 00:17:24 +0900

Quack,

I added libmspack's upstream author in case he could give a hand.
Here is the bugreport: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868956

On 2017-07-20 05:15, Salvatore Bonaccorso wrote:

> Unfortunately the upstream bug [1] is locked-down.

Thanks for reporting it. Unfortunately I don't see how I can solve this 
problem. If all information are hidden on a related but not upstream bug 
tracker (which really should have one), if there's no patch or new 
release either, then I'm honestly at a loss.

If I happen to create an account on the ClamAV's bug tracker, would you 
be able to give me access?

Regards.
\_o<

-- 
Marc Dequènes

Message #17 received at 868956@bugs.debian.org (full text, mbox, reply):

From: Stuart Caie <kyzer@cabextract.org.uk>

To: duck@duckcorp.org, Salvatore Bonaccorso <carnil@debian.org>, 868956@bugs.debian.org

Cc: kyzer@cabextract.org.uk

Subject: Re: Bug#868956: libmspack: CVE-2017-11423

Date: Sun, 23 Jul 2017 16:52:16 +0100

Hello,

I have no more infomation than you do. If you can find out who raised 
the issue, please ask them to send me the example of the crafted file,

The bug says "stack-based buffer over-read and application crash" - the 
file 
https://github.com/hackerlib/hackerlib-vul/tree/master/clamav-vul/stack-overflow 
doesn't show an application crash, it shows only the stack-based buffer 
over-read of 1 byte.

I've know about that one-byte buffer over-read, I fixed it in 2015, and 
I haven't yet got around to making a release of libmspack with this fix, 
because I didn't consider it a vulnerability at the time and still don't 
consider it one now.

https://github.com/kyz/libmspack/commit/3e3436af6010ac245d7a390c6798e2b81ce09191
> 2015-05-10  Stuart Caie <kyzer@4u.net>
>     * cabd_read_string(): correct rejection of empty strings. Thanks to
>     Hanno Böck for finding the issue and providing a sample file.

I had a philosophical discussion with Hanno Böck about it, I wasn't 
persuaded that it's a real vulnerability. If you craft a CAB file with 
an empty CAB string, one byte will be overread. You can't make it 
over-read an arbitrary number of bytes, just the empty string -> 1 byte 
overread.

This report says "and application crash" -- I still have no evidence 
this is true (unless you've instrumented your code to monitor all 
overreads and deliberately crash yourself when you see one). If you want 
me to release libmspack to address a CVE created for a 
non-vulnerability, please let me know.

Regards
Stuart

On 23/07/17 16:17, Marc Dequènes (duck) wrote:
> Quack,
>
> I added libmspack's upstream author in case he could give a hand.
> Here is the bugreport: 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868956
>
> On 2017-07-20 05:15, Salvatore Bonaccorso wrote:
>
>> Unfortunately the upstream bug [1] is locked-down.
>
> Thanks for reporting it. Unfortunately I don't see how I can solve 
> this problem. If all information are hidden on a related but not 
> upstream bug tracker (which really should have one), if there's no 
> patch or new release either, then I'm honestly at a loss.
>
> If I happen to create an account on the ClamAV's bug tracker, would 
> you be able to give me access?
>
> Regards.
> \_o<
>

Message #22 received at 868956@bugs.debian.org (full text, mbox, reply):

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

To: Stuart Caie <kyzer@cabextract.org.uk>

Cc: duck@duckcorp.org, Salvatore Bonaccorso <carnil@debian.org>, 868956@bugs.debian.org, pkg-clamav-devel@lists.alioth.debian.org

Subject: Re: Bug#868956: libmspack: CVE-2017-11423

Date: Fri, 4 Aug 2017 08:40:10 +0200

On 2017-07-23 16:52:16 [+0100], Stuart Caie wrote:
> Hello,
Hi Stuart,

> https://github.com/kyz/libmspack/commit/3e3436af6010ac245d7a390c6798e2b81ce09191
> > 2015-05-10  Stuart Caie <kyzer@4u.net>
> >     * cabd_read_string(): correct rejection of empty strings. Thanks to
> >     Hanno Böck for finding the issue and providing a sample file.
> 
> I had a philosophical discussion with Hanno Böck about it, I wasn't
> persuaded that it's a real vulnerability. If you craft a CAB file with an
> empty CAB string, one byte will be overread. You can't make it over-read an
> arbitrary number of bytes, just the empty string -> 1 byte overread.
> 
> This report says "and application crash" -- I still have no evidence this is
> true (unless you've instrumented your code to monitor all overreads and
> deliberately crash yourself when you see one). If you want me to release
> libmspack to address a CVE created for a non-vulnerability, please let me
> know.

let me try to bring some light into it. First clamav fixed the issue via:
  https://github.com/vrtadmin/clamav-devel/commit/ffa31264a657618a0e40c51c01e4bfc32e244d13
  https://github.com/vrtadmin/clamav-devel/commit/ada5f94e5cfb04e1ac2a6f383f2184753f475b96

and the read function was crafted by the author of this email and looks
like this:
  https://sources.debian.net/src/clamav/0.99.2%2Bdfsg-6/libclamav/libmspack.c/#L125

The way I see it, the problem is that the read functions returns -1 on
error and libmspack
  https://sources.debian.net/src/libmspack/0.5-1/mspack/cabd.c/#L524

treats the return code as unsigned integer which makes the error (-1)
slightly large. The test files cabd_memory.c and multifh.c also return
-1 on error.

> Regards
> Stuart

Sebastian

Message #27 received at 868956@bugs.debian.org (full text, mbox, reply):

From: Stuart Caie <kyzer@cabextract.org.uk>

To: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Cc: duck@duckcorp.org, pkg-clamav-devel@lists.alioth.debian.org, 868956@bugs.debian.org, Stuart Caie <kyzer@cabextract.org.uk>, Salvatore Bonaccorso <carnil@debian.org>

Subject: Re: Bug#868956: libmspack: CVE-2017-11423

Date: Sat, 05 Aug 2017 10:36:49 +0100

On 4 Aug 2017 7:40 am, Sebastian Andrzej Siewior <sebastian@breakpoint.cc> wrote:
>
> The way I see it, the problem is that the read functions returns -1 on 
> error and libmspack 
>   https://sources.debian.net/src/libmspack/0.5-1/mspack/cabd.c/#L524 
>
> treats the return code as unsigned integer which makes the error (-1) 
> slightly large. The test files cabd_memory.c and multifh.c also return 
> -1 on error.

Good catch. That's a new bug I hadn't seen before.

mspack_system.read promises to return negative numbers: https://www.cabextract.org.uk/libmspack/doc/structmspack__system.html#ac33dcc54409a7d5da9be475b3938101e

libmspack is wrong to convert to unsigned without checking for errors first.

When I get to my computer, I'll check all calls to mspack_system read/write/seek/tell methods, to be sure this doesn't happen anywhere else.

I'll put out a fix ASAP, but the good news is this seems tricky to exploit. You need to get read() to return an error, not bytes or EOF. The default mspack_system uses fread(), so it couldn't be done there just by file contents. Custom mspack_systems need to exploitable enough to reach the core bug, so not all libmspack usages are vulnerable.

Regards
Stuart

Message #32 received at 868956@bugs.debian.org (full text, mbox, reply):

From: Stuart Caie <kyzer@cabextract.org.uk>

To: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Cc: duck@duckcorp.org, pkg-clamav-devel@lists.alioth.debian.org, 868956@bugs.debian.org, Stuart Caie <kyzer@cabextract.org.uk>, Salvatore Bonaccorso <carnil@debian.org>

Subject: Re: Bug#868956: libmspack: CVE-2017-11423

Date: Sun, 6 Aug 2017 10:22:11 +0100

On 05/08/17 10:36, Stuart Caie wrote:
> libmspack is wrong to convert to unsigned without checking for errors first.
>
> When I get to my computer, I'll check all calls to mspack_system read/write/seek/tell methods, to be sure this doesn't happen anywhere else.
I checked all the other mspack_system calls, they're handled correctly.

Commited a fix: 
https://github.com/kyz/libmspack/commit/17038206fcc384dcee6dd9e3a75f08fd3ddc6a38

I'll put out a release in the near future.

Before fix, allowing N reads before always failing in cabd_memory.c 
sys->read():
Allow 3 reads -> mspack/cabd.c:528 (cabd_read_string) len=4294967295
Allow 4 reads -> mspack/cabd.c:528 (cabd_read_string) len=193
Allow 5 reads -> mspack/cabd.c:528 (cabd_read_string) len=193 
mspack/cabd.c:528 (cabd_read_string) len=4294967295
Allow 6 reads -> mspack/cabd.c:528 (cabd_read_string) len=193 
mspack/cabd.c:528 (cabd_read_string) len=169

After fix:
Allowing 3 reads -> error caught and no len printed
Allowing 4 reads -> mspack/cabd.c:531 (cabd_read_string) len=193
Allowing 5 reads -> mspack/cabd.c:531 (cabd_read_string) len=193, error 
caught and no len printed
Allowing 6 reads -> mspack/cabd.c:531 (cabd_read_string) len=193 
mspack/cabd.c:531 (cabd_read_string) len=169

Regards
Stuart

Message #37 received at 868956@bugs.debian.org (full text, mbox, reply):

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

To: Stuart Caie <kyzer@cabextract.org.uk>, duck@duckcorp.org

Cc: pkg-clamav-devel@lists.alioth.debian.org, 868956@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>

Subject: Re: Bug#868956: libmspack: CVE-2017-11423

Date: Sun, 6 Aug 2017 21:22:31 +0200

On 2017-08-06 10:22:11 [+0100], Stuart Caie wrote:
> Commited a fix: https://github.com/kyz/libmspack/commit/17038206fcc384dcee6dd9e3a75f08fd3ddc6a38
> 
> I'll put out a release in the near future.

thank you Stuart.
Marc do plan you upload something to unstable/security soon, wait for a
new release or would you prefer someone else to NMU it with this
change?

> Regards
> Stuart

Sebastian

Message #42 received at 868956@bugs.debian.org (full text, mbox, reply):

From: Stuart Caie <kyzer@cabextract.org.uk>

To: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>, Stuart Caie <kyzer@cabextract.org.uk>, duck@duckcorp.org

Cc: pkg-clamav-devel@lists.alioth.debian.org, 868956@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>

Subject: Re: Bug#868956: libmspack: CVE-2017-11423

Date: Sun, 13 Aug 2017 22:29:01 +0100

For your information, libmspack 0.6alpha has now been released.

On 06/08/17 20:22, Sebastian Andrzej Siewior wrote:
> On 2017-08-06 10:22:11 [+0100], Stuart Caie wrote:
>> Commited a fix: https://github.com/kyz/libmspack/commit/17038206fcc384dcee6dd9e3a75f08fd3ddc6a38
>>
>> I'll put out a release in the near future.
> thank you Stuart.
> Marc do plan you upload something to unstable/security soon, wait for a
> new release or would you prefer someone else to NMU it with this
> change?
>
>> Regards
>> Stuart
> Sebastian

Message #47 received at 868956@bugs.debian.org (full text, mbox, reply):

From: Marc Dequènes (Duck) <duck@duckcorp.org>

To: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>, 868956@bugs.debian.org, Stuart Caie <kyzer@cabextract.org.uk>

Cc: pkg-clamav-devel@lists.alioth.debian.org, Salvatore Bonaccorso <carnil@debian.org>

Subject: Re: Bug#868956: libmspack: CVE-2017-11423

Date: Tue, 15 Aug 2017 05:55:49 +0900

[Message part 1 (text/plain, inline)]

Quack,

On 08/07/2017 04:22 AM, Sebastian Andrzej Siewior wrote:

> Marc do plan you upload something to unstable/security soon, wait for a
> new release or would you prefer someone else to NMU it with this
> change?

I was at DebConf in Canada, so I was busy meeting people :-).
It should be done before or after flying back home.

\_o<

[signature.asc (application/pgp-signature, attachment)]

Message #52 received at 868956-close@bugs.debian.org (full text, mbox, reply):

From: Marc Dequènes (Duck) <Duck@DuckCorp.org>

To: 868956-close@bugs.debian.org

Subject: Bug#868956: fixed in libmspack 0.6-1

Date: Mon, 14 Aug 2017 23:04:15 +0000

Source: libmspack
Source-Version: 0.6-1

We believe that the bug you reported is fixed in the latest version of
libmspack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868956@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Dequènes (Duck) <Duck@DuckCorp.org> (supplier of updated libmspack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 15 Aug 2017 06:08:38 +0900
Source: libmspack
Binary: libmspack0 libmspack-dev libmspack-doc
Architecture: source amd64 all
Version: 0.6-1
Distribution: unstable
Urgency: medium
Maintainer: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Changed-By: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Description:
 libmspack-dev - library for Microsoft compression formats (development files)
 libmspack-doc - library for Microsoft compression formats (documentation)
 libmspack0 - library for Microsoft compression formats (shared library)
Closes: 868956 871263
Changes:
 libmspack (0.6-1) unstable; urgency=medium
 .
   * New upstream release:
     + Fix CVE-2017-6419 (Closes: #871263)
     + Fix CVE-2017-11423 (Closes: #868956)
   * Fix building documentation.
   * Use HTTPS in package metadata.
   * Transition to automatic debug packages.
   * Package now conforms to Standards-Version 4.0.0.
   * Switch to compat level 10.
Checksums-Sha1:
 abfa82db355a34ccd5ee4f223c619c31f605b3c9 2026 libmspack_0.6-1.dsc
 1e616315aeee95fc0140bdfd6e342a3706688d44 476992 libmspack_0.6.orig.tar.gz
 47ce28652edf6aa3422386a23e11c2afaef03901 2932 libmspack_0.6-1.debian.tar.xz
 6cda305044695ddfbfb4b8556791510c04261a85 64042 libmspack-dev_0.6-1_amd64.deb
 9a15aae2b181ce2c534199400d2279a4cfd52720 323278 libmspack-doc_0.6-1_all.deb
 ca56b2331a000fa008ab02567448df487e0a0c5b 78180 libmspack0-dbgsym_0.6-1_amd64.deb
 1000c0c78db81e54086fcf76ff3639df9a402ed9 45922 libmspack0_0.6-1_amd64.deb
 3aaec626eb5d086d579d06edfafaf85c81dae160 6208 libmspack_0.6-1_amd64.buildinfo
Checksums-Sha256:
 d60b99aeaffe40371374eaf89a0eccc4cd388819b1ff698c896b5b430bfcc2a0 2026 libmspack_0.6-1.dsc
 1edbee82accb28e679ab538f803aab7a5a569e4102ccf1715b462b1bd915f921 476992 libmspack_0.6.orig.tar.gz
 d99333e354f66275033867690f8c60f36d19c7299ca60abd0c79f5a0dec4afaa 2932 libmspack_0.6-1.debian.tar.xz
 44298281b906ba1e08090c8662ef14fd0ccd3a800d3ebc63bcffd490897b5d0c 64042 libmspack-dev_0.6-1_amd64.deb
 0bab83264b3446927fb9b257ac03c427455d30f1f5048fb58611354375c4e8cd 323278 libmspack-doc_0.6-1_all.deb
 babdc78285bdbf692023e2e764055b39491c22f412f79d85858fc252673a3efb 78180 libmspack0-dbgsym_0.6-1_amd64.deb
 eee2940b06096b4abe70cc03ce096e94f2240e28ab4996b827bca1612a583397 45922 libmspack0_0.6-1_amd64.deb
 c1c7e198d874418ddc9c5442c9bf9dee443f4ff900ce60e6a6a2de5d0c6b8c68 6208 libmspack_0.6-1_amd64.buildinfo
Files:
 0e91f7ef773ae3f0be502a3a99840a11 2026 libs optional libmspack_0.6-1.dsc
 ec1a4585178ef029d46475aef1462852 476992 libs optional libmspack_0.6.orig.tar.gz
 31791878074789c554183f9a6fdb9523 2932 libs optional libmspack_0.6-1.debian.tar.xz
 2eb3301f4264856ef379628b74361dca 64042 libdevel optional libmspack-dev_0.6-1_amd64.deb
 4fa55856174e099142b92321c50b7aa8 323278 doc optional libmspack-doc_0.6-1_all.deb
 f8107bc1dba0598cb7179f1f724ba4ef 78180 debug extra libmspack0-dbgsym_0.6-1_amd64.deb
 fb12e2d00f7deeb0ae918ff136d64f0a 45922 libs optional libmspack0_0.6-1_amd64.deb
 f1b8ac35ccda02b395b211568c28de76 6208 libs optional libmspack_0.6-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEcpcqg+UmRT3yiF+BVen596wcRD8FAlmSKZcACgkQVen596wc
RD/cmRAAwtBVqNntosWFUaMl4U8BqAmKDgyD5vvIVdG0XSXXfAAqncOXQkrCgh4H
H3YyEhyq+laOQp/s4AFuNIXDMYy+fBSSodjRifeXjOYjLuZDKUXsr+K/PMC4VpOk
3BKZ2od3cxmnHFTGFO6PPedpWGOCYiE6MiBTrZrzYBhRbeLTHuoOfM9FN94iCRCH
cq9iGx4VJCBlV5rYjcBuS5rYUj5iaJ6X6F2fEh7eOd3q8QsskYlizAfvu8YwgrTi
smFtvJPLYhPZASA3ReRHEF8N3LQBcz25J0zEZJ1VzDlTEiMmflemfV8h5+PnlpG4
4ElP7GEKz5t73zPlRuyF2MpNtGbSP8rRPFtt5nqAuOTuERDUn/bwp6Hq1gnXVDwx
zylKx1oA/KZU9fi2fETqOEnAsNr2uunwrjh8F68yI8yb9H8zjK2gRTw1/jHHzzse
PXSOdDTye5fg+RZN0OpPrI9I6CKt2TiUYRRktOXBUMVJn0YdBxb4z0a4FhAya5cj
VDY+s/2q1lgtqoK1iDQB4/V9yxuq6VKFR53RJGkte/p6F0aEwyC5MQ3KYiAfBiRJ
ac2NRu9zbukfB6UX2WZf3IG7Z8HrO2MD1FPgLPnSXwORRJxyzVznowiREaldheb6
7l+XNxrgOB68O4t4a2M0u76EzZiGFl+UATHpJudJWZMQW8o1zG8=
=9uFO
-----END PGP SIGNATURE-----

Message #57 received at 868956@bugs.debian.org (full text, mbox, reply):

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

To: Marc Dequènes (Duck) <duck@duckcorp.org>

Cc: 868956@bugs.debian.org, pkg-clamav-devel@lists.alioth.debian.org, Salvatore Bonaccorso <carnil@debian.org>

Subject: Re: Bug#868956: libmspack: CVE-2017-11423

Date: Tue, 15 Aug 2017 08:30:23 +0200

On 2017-08-15 05:55:49 [+0900], Marc Dequènes (Duck) wrote:
> Quack,
Hi,

> I was at DebConf in Canada, so I was busy meeting people :-).
> It should be done before or after flying back home.

No worries. We got the two CVEs sorted out and a release in the
meantime. I see an unstable upload almost made it (B-D doxygen missing).
And we need a security upload.
> \_o<
> 

Sebastian

Message #62 received at 868956-close@bugs.debian.org (full text, mbox, reply):

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

To: 868956-close@bugs.debian.org

Subject: Bug#868956: fixed in libmspack 0.5-1+deb9u1

Date: Tue, 22 Aug 2017 21:47:18 +0000

Source: libmspack
Source-Version: 0.5-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
libmspack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868956@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> (supplier of updated libmspack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 16 Aug 2017 21:42:50 +0200
Source: libmspack
Binary: libmspack0 libmspack-dev libmspack-dbg libmspack-doc
Architecture: source all
Version: 0.5-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Description:
 libmspack-dbg - library for Microsoft compression formats (debugging symbols)
 libmspack-dev - library for Microsoft compression formats (development files)
 libmspack-doc - library for Microsoft compression formats (documentation)
 libmspack0 - library for Microsoft compression formats (shared library)
Closes: 868956 871263
Changes:
 libmspack (0.5-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload.
   * Correct rejection of empty strings.
   * Fix mis-handling of sys->read() errors in cabd_read_string()
     (CVE-2017-11423) (Closes: #868956).
   * Reject negative output length in SpanInfo (CVE-2017-6419)
     (Closes: #871263).
Checksums-Sha1:
 8118405773ef8356fe520737058fbf95d17117ed 2106 libmspack_0.5-1+deb9u1.dsc
 226f19b1fc58e820671a1749983b06896e108cc4 654193 libmspack_0.5.orig.tar.gz
 4babb832b2773e12567b274de585ba2a9e7d8c67 5144 libmspack_0.5-1+deb9u1.debian.tar.xz
 dc60b25fbf123af558558eca9d42d07eeb5d401e 100468 libmspack-doc_0.5-1+deb9u1_all.deb
 223aaec089b4b2981c25d8bf97018e527504774b 5514 libmspack_0.5-1+deb9u1_all.buildinfo
Checksums-Sha256:
 310bd4b82727a872fe4501178858384843047b6068eca999d95d079f57d76499 2106 libmspack_0.5-1+deb9u1.dsc
 8967f275525f5067b364cee43b73e44d0433668c39f9376dfff19f653d1c8110 654193 libmspack_0.5.orig.tar.gz
 5684fef2fb4dcef3440a04bfb2fcb2add4eb1cafab157b7e0f6fe623d7a2c484 5144 libmspack_0.5-1+deb9u1.debian.tar.xz
 b5a7aff16ae33e3b8ab74e2a7f249567908d1b32af63a31c7ea0309f7b142033 100468 libmspack-doc_0.5-1+deb9u1_all.deb
 b175d977c70110889a4f5f70fb6723a42d52fb9d308434a25946fc2ef32fdc56 5514 libmspack_0.5-1+deb9u1_all.buildinfo
Files:
 396bdf2547bb0b30d16b472e83d6a3b0 2106 libs optional libmspack_0.5-1+deb9u1.dsc
 3aa3f6b9ef101463270c085478fda1da 654193 libs optional libmspack_0.5.orig.tar.gz
 9ff4024c162377ea097e4bb2ae44d85f 5144 libs optional libmspack_0.5-1+deb9u1.debian.tar.xz
 a517717857cb8d9b933fa156f4e24445 100468 doc optional libmspack-doc_0.5-1+deb9u1_all.deb
 dbf7fd58a7820d7024a987819700eb86 5514 libs optional libmspack_0.5-1+deb9u1_all.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErHvQgQWZUb1RregAT+XjJihy5MwFAlmV7rYACgkQT+XjJihy
5MzIeA//YVNHDJ/Yp/ebskbodbsSO5z0Dyb/5M/Z41kJWnVd5v541YkIZiEQC3tW
8N3a0sXdYH/x8MMHyU7itHdYU2G5vnh0Th5KXFVTL1lIkCoiOX7779O/XqUeAAwq
gJ95e7s4ASgMn+h4vliTtbe4nE8Rj9PbSTcdA+hhB6UssMbH9fTMt6SghTMNBFY3
H0xNZlr7jidA5olqXe/I9mviuAAl6CzenUWe8ePW5EnZIfusZ9ladcs/pYhpWJII
yEa7aA+Igjfme4i0OodDDEEt3cJqEyyM5IeqmGHoBEmOhSQc3zawHt6CRZ5nWETR
bnFIdaZb5aBV6g1ykBZUeli1Q6CNHueTxUOJEdC2C5kXK7/I1snnRssJW/jpcLhX
Y8geQZN0f0EmZjVdRT/4rtl/fAAqS3xst5YFyoPEarnGbAUcLuuX6lOSbGjcQcdQ
ldXYJ4/3Wd5JwCYTHW68rwbDXYq+vsEX/gBPpnQeNAaLcaxUPIgd+dMbcAIxfDXv
AzcAqe1dJ/dFyV+/PowKqrA4uXyT6C/jTjkG5UWD5ZJU3eXuSl4/6/e/OOpc2gQo
inq6JhcFRD9qCx9dD7fXp3b5pzXElGxDS1ODGBS1R+GaqjxFmqX6OuiCYkbacko4
ECoKjbyQ+g3/F50R4J2YwuQx1R/dGzc+EtTo7Ei76kfNuch4fuc=
=oXra
-----END PGP SIGNATURE-----

Message #67 received at 868956-close@bugs.debian.org (full text, mbox, reply):

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

To: 868956-close@bugs.debian.org

Subject: Bug#868956: fixed in libmspack 0.5-1+deb8u1

Date: Tue, 22 Aug 2017 21:48:34 +0000

Source: libmspack
Source-Version: 0.5-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
libmspack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868956@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> (supplier of updated libmspack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 16 Aug 2017 21:42:50 +0200
Source: libmspack
Binary: libmspack0 libmspack-dev libmspack-dbg libmspack-doc
Architecture: source amd64 all
Version: 0.5-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Description:
 libmspack-dbg - library for Microsoft compression formats (debugging symbols)
 libmspack-dev - library for Microsoft compression formats (development files)
 libmspack-doc - library for Microsoft compression formats (documentation)
 libmspack0 - library for Microsoft compression formats (shared library)
Closes: 868956 871263
Changes:
 libmspack (0.5-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload.
   * Correct rejection of empty strings.
   * Fix mis-handling of sys->read() errors in cabd_read_string()
     (CVE-2017-11423) (Closes: #868956).
   * Reject negative output length in SpanInfo (CVE-2017-6419)
     (Closes: #871263).
Checksums-Sha1:
 0f0eeda3692a12a2ba912733b96c72c6e190295a 2106 libmspack_0.5-1+deb8u1.dsc
 42df94afb1e167e1334b92cded4e86c0b6568823 5148 libmspack_0.5-1+deb8u1.debian.tar.xz
 5d53a8c460e28223ad680154451f21794e5811a5 47170 libmspack0_0.5-1+deb8u1_amd64.deb
 ff8fe69a3e7ac2e1a67e3be3583b5002757158b7 65516 libmspack-dev_0.5-1+deb8u1_amd64.deb
 66cd4083789e01458c19f928c5576995dfe07aab 84436 libmspack-dbg_0.5-1+deb8u1_amd64.deb
 4aae4ac61a56bfc7d30e9195d13bd19f5b290712 100766 libmspack-doc_0.5-1+deb8u1_all.deb
Checksums-Sha256:
 4c0d570bee1de45c801dd2fc745c4fa56131a206ab1edab49e7407942f7d8387 2106 libmspack_0.5-1+deb8u1.dsc
 c7ad3df9c6401cbc075acba4519a5fb312183c83154834d52408ce8455e76db8 5148 libmspack_0.5-1+deb8u1.debian.tar.xz
 c5efdde1b92633dc3c6b65bbe197bd9cdf5c1748b98f465a29c582602fd3cff4 47170 libmspack0_0.5-1+deb8u1_amd64.deb
 0578c9ff8f5f6ff6732769a588595c82850ae83a8379ba3e92df3514d7bd8fd3 65516 libmspack-dev_0.5-1+deb8u1_amd64.deb
 7597553486ec11b6fc583468bc85b822ab538a3eb3e14a6193aab36793f13542 84436 libmspack-dbg_0.5-1+deb8u1_amd64.deb
 8e04f2a37878279060657d4af01ddb4b8a27b30e2656e408e57eecefd80bac29 100766 libmspack-doc_0.5-1+deb8u1_all.deb
Files:
 b5bcf260629f0c2c6884d8b1b1877f55 2106 libs optional libmspack_0.5-1+deb8u1.dsc
 be04a3ce310a729c35f5fdb666655373 5148 libs optional libmspack_0.5-1+deb8u1.debian.tar.xz
 86d7f1928a14eca61d5619eb42a17ff1 47170 libs optional libmspack0_0.5-1+deb8u1_amd64.deb
 b1677eff105b2c8238f7d119d16f4a1e 65516 libdevel optional libmspack-dev_0.5-1+deb8u1_amd64.deb
 54826f304dd902d6e78909f39994bd05 84436 debug extra libmspack-dbg_0.5-1+deb8u1_amd64.deb
 66e14a51927a4c22a8d2f3b01ad53123 100766 doc optional libmspack-doc_0.5-1+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErHvQgQWZUb1RregAT+XjJihy5MwFAlmV7uAACgkQT+XjJihy
5My7oA/+JNfHZouLWnAcOQKvyF2s4RiEADz4mx5Lb/s5vtnfUJMwzhS1nK7sPViu
amy2SlSBlCkkscKKVdpCilcTJJeNNHMwXuaLXJDrohA0T3gz6TbG2QlnwiS0BU5x
KOXqYy1OCMuPPH3kG/715u4aod6cJLWUPjD+/uNd16PQjhQ+Z/3321iYfo1er/q3
xFwfom3ZmcdXxGl+dQ4cdKNBxhpWUP19Tt19Gwg/tojnfEnm1sNtgrwP9E/nAfMn
5UKO7oNzBpQAl1MZzA6TcfWqf+YAFl8ciNlCYqYxDb7qiFyEPtTWWtxlwDDE7DNa
DHc9vSd9psinIUzKNabkIdwYWRK4SOqNESRxDVn1Imdjqj5tuvVRsMS3qWL7HjFS
z/9EIYxpUG2b1IsUP1xXF5SKNtMFzNwhC2YU/STXHWgZb4rwig3tg19XBGKVi2Ei
fRPJd2+ixeSOXVnn2yHuNRCjEfjDaAC7BwTbteOaeKtLWtGgyvjkfCg0qmxcyrrn
xDuU0TIhdLaSayL5vsnf7lCv88FB82t7jhHs5hBaWHAmRjmP+aCT2/PQn0ZbVcAu
jyj7BYdLc+0XU8M/fzF949il04BCjOVuPlyCzCSp1hoHFQwovnnN/MIpmXLdFfHa
X5DFUlhsb3DxBiWrED4NL++C9v1LeXgOwlpB6Qk/yTmVy1Wki00=
=HQH1
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.