Debian Bug report logs -
#904799
libmspack: CVE-2018-14681: kwaj_read_headers(): fix handling of non-terminated strings
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 28 Jul 2018 07:33:02 UTC
Severity: important
Tags: patch, security, upstream
Found in version libmspack/0.5-1
Fixed in versions libmspack/0.7-1, libmspack/0.5-1+deb9u2
Done: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, sebastian@breakpoint.cc, team@security.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>:
Bug#904799; Package src:libmspack.
(Sat, 28 Jul 2018 07:33:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, sebastian@breakpoint.cc, team@security.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>.
(Sat, 28 Jul 2018 07:33:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libmspack
Version: 0.5-1
Severity: important
Tags: patch security upstream
Cf. http://www.openwall.com/lists/oss-security/2018/07/26/1
https://github.com/kyz/libmspack/commit/0b0ef9344255ff5acfac6b7af09198ac9c9756c8
Filling as individual bugs as no CVEs are yet assigned.
Regards,
Salvatore
Changed Bug title to 'libmspack: CVE-2018-14681: kwaj_read_headers(): fix handling of non-terminated strings' from 'libmspack: kwaj_read_headers(): fix handling of non-terminated strings'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 28 Jul 2018 19:06:04 GMT) (full text, mbox, link).
Reply sent
to Marc Dequènes (Duck) <Duck@DuckCorp.org>:
You have taken responsibility.
(Sun, 29 Jul 2018 17:51:13 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sun, 29 Jul 2018 17:51:13 GMT) (full text, mbox, link).
Message #12 received at 904799-close@bugs.debian.org (full text, mbox, reply):
Source: libmspack
Source-Version: 0.7-1
We believe that the bug you reported is fixed in the latest version of
libmspack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 904799@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marc Dequènes (Duck) <Duck@DuckCorp.org> (supplier of updated libmspack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 29 Jul 2018 18:53:39 +0900
Source: libmspack
Binary: libmspack0 libmspack-dev libmspack-doc
Architecture: source amd64 all
Version: 0.7-1
Distribution: unstable
Urgency: medium
Maintainer: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Changed-By: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Description:
libmspack-dev - library for Microsoft compression formats (development files)
libmspack-doc - library for Microsoft compression formats (documentation)
libmspack0 - library for Microsoft compression formats (shared library)
Closes: 904799 904800 904801 904802
Changes:
libmspack (0.7-1) unstable; urgency=medium
.
* NUR:
+ fix CVE-2018-14679 (Closes: #904802)
+ fix CVE-2018-14680 (Closes: #904801)
+ fix CVE-2018-14682 (Closes: #904800)
+ fix CVE-2018-14681 (Closes: #904799)
* Add lintian exception for source-contains-prebuilt-ms-help-file in
the test files.
Checksums-Sha1:
18d35ea175691789de00069ec6a9b1db6f671a78 2012 libmspack_0.7-1.dsc
47d03d757c1cc22fa1203bf6ca1f54af4d181038 486173 libmspack_0.7.orig.tar.gz
e65075626cf638732ff35132f4d71cb98fd3f426 3284 libmspack_0.7-1.debian.tar.xz
2df340065a4238eacea9d23c9a8283d63d58aef4 64748 libmspack-dev_0.7-1_amd64.deb
d561b9a2e758240918f5ceb38eb2a9eea79d78ee 327564 libmspack-doc_0.7-1_all.deb
8867f9b388b036fb176d61cfb3a2e6cb2311ddd7 98016 libmspack0-dbgsym_0.7-1_amd64.deb
b9c37951521be4a50e6bdde208cdfebe5a90dee0 46608 libmspack0_0.7-1_amd64.deb
b4614ef307b23a34c9a569ee636982ff7f7967c7 7589 libmspack_0.7-1_amd64.buildinfo
Checksums-Sha256:
3a0039223e16f3c8674a3d71c675643caf71e96d6efcc1f6049226d1ccc398fd 2012 libmspack_0.7-1.dsc
d34932c05dd33bf45f2b8987c3bfb3dc1aaf2eb41d474b1f8cc184d4be782aea 486173 libmspack_0.7.orig.tar.gz
cc080e9781fb3c96bbd410f4bba205ce5a09f873959c4cae18a190d85e3cafaf 3284 libmspack_0.7-1.debian.tar.xz
a5505447a446faff9bc2d6700bcc4d21a7a22a9168e72df7b152748e7093571c 64748 libmspack-dev_0.7-1_amd64.deb
553111e56dad809f3ed34b40fded7bf2ab59480b4c1d0f327bd4f735f12aa50b 327564 libmspack-doc_0.7-1_all.deb
67a4e39f3381e6dc8e07a07fb658bae06b730c84e3257f7d18a271a01eb10744 98016 libmspack0-dbgsym_0.7-1_amd64.deb
e0a1fa4491199e54ef8e57b425864f6a03bf210041bb2dec157eca3834f30f39 46608 libmspack0_0.7-1_amd64.deb
135ec5d7f6cafbca43e6093f7a7cb4141a9e97a5f5370a84207ae446795e92f9 7589 libmspack_0.7-1_amd64.buildinfo
Files:
66bc7385cc9b35f7fb03c71ed79b36dd 2012 libs optional libmspack_0.7-1.dsc
360580ffaa57245a0fd0189b7dad175c 486173 libs optional libmspack_0.7.orig.tar.gz
61c1c35be47fb6aec52344b8cee79f7b 3284 libs optional libmspack_0.7-1.debian.tar.xz
ce4df67f1a2b3a6d139ecfbd14719d09 64748 libdevel optional libmspack-dev_0.7-1_amd64.deb
1586366e34c3706db06f25972b3acfe6 327564 doc optional libmspack-doc_0.7-1_all.deb
a95f7390ffc2d0d9ce0e70eb3b2d8976 98016 debug optional libmspack0-dbgsym_0.7-1_amd64.deb
b06ce0a148921d95611a130b51df9605 46608 libs optional libmspack0_0.7-1_amd64.deb
eda9a81ab27acbaac26bc32dd733b83e 7589 libs optional libmspack_0.7-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEcpcqg+UmRT3yiF+BVen596wcRD8FAltd9+YACgkQVen596wc
RD8law//YyPWNHkjg1Tc7Sf3MpJZcbh56SMZJUNFkYIxu6XaobFCswS8fOWzAYNy
sOxpdxYsGh0G4j1iHoJqaQf4Pp/CRVoxnVLfV/CKpuS4YhHuGf0swXtzehN9YQGS
DrjkRQ0uxiRHMIoB1PGz+QBTZd7u9YI25AABFBY0USr2CEYud28oqMAVeZ7MUQAK
fSdu4RMRRB9IaraNy3fn+hdMF03NEG2cu8TJtuiCUvgqGfrqagn4o/5q7gCwhCpu
opTw9fmZBvaLAmCqd69928EM9oPFczqPpivX6s7wIz2vuKmL21x5GW8ocr7mmVZW
yYbcTsIuZ4wnfs7j92swQjK6jqm7p+rSCMEHO/G7ko00IIxwqp3RKKQ9XIY5vBkc
k/SvYFSjV2oiZXn1WNiYhZbuieD5NI+7pkVhGek3B3axyKPHXxv1tfOswV/MzH+g
jZ30diCA58U+G8rSwkaA1Age/9q+lCNlLMVYcBMOXTiQdcwwLf0bmC+ik0APkgAN
zFdqBJ0e+KnfgJEtMOsQdMiO8HirKzQq3E63q4oyac78umvKIC9kyO8ee8FbXhxK
vh0AjUKx14I/jFLc91UT/GLz9K32hoLmZLVL5KOiQzb2XHsjqfK5ZAR46A06w7dj
HY9MgHPJL1xzQ6RDjw4r/0uJMWrqgKTZ+N0HI6gtL3JoOqoLI9I=
=9LyR
-----END PGP SIGNATURE-----
Reply sent
to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
You have taken responsibility.
(Sat, 04 Aug 2018 20:39:12 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 04 Aug 2018 20:39:12 GMT) (full text, mbox, link).
Message #17 received at 904799-close@bugs.debian.org (full text, mbox, reply):
Source: libmspack
Source-Version: 0.5-1+deb9u2
We believe that the bug you reported is fixed in the latest version of
libmspack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 904799@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> (supplier of updated libmspack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 02 Aug 2018 19:18:37 +0200
Source: libmspack
Binary: libmspack0 libmspack-dev libmspack-dbg libmspack-doc
Architecture: source
Version: 0.5-1+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Description:
libmspack-dbg - library for Microsoft compression formats (debugging symbols)
libmspack-dev - library for Microsoft compression formats (development files)
libmspack-doc - library for Microsoft compression formats (documentation)
libmspack0 - library for Microsoft compression formats (shared library)
Closes: 904799 904800 904801 904802
Changes:
libmspack (0.5-1+deb9u2) stretch-security; urgency=high
.
* Non-maintainer upload.
* Add security related patches:
- 0b0ef9344255 ("kwaj_read_headers(): fix handling of non-terminated
strings") CVE-2018-14681 (Closes: 904799).
- 4fd9ccaa54e1 ("Fix off-by-one error in chmd TOLOWER() fallback")
CVE-2018-14682 (Closes: 904800).
- 72e70a921f0f ("Fix off-by-one bounds check on CHM PMGI/PMGL chunk
numbers and reject empty filenames.") CVE-2018-14679,
CVE-2018-14680 (Closes: 904802, 904801).
Checksums-Sha1:
5c9f0fbfedf31f1cd33e111a60e6c0c685ee096f 2106 libmspack_0.5-1+deb9u2.dsc
cc17071c87465b1a8264767583dd7b670abbf2b6 7124 libmspack_0.5-1+deb9u2.debian.tar.xz
fe512a9b15125f8394dcd4876559292f7cf94f0a 6116 libmspack_0.5-1+deb9u2_source.buildinfo
Checksums-Sha256:
e3fbbfed0730969d85c86b27b79e3dd4b6464bfa7ceba7c42b905c738ec6228a 2106 libmspack_0.5-1+deb9u2.dsc
ba4541e19644fa172eb7112cf4e1592935ada70dcff62bc678c8d6b464f27b23 7124 libmspack_0.5-1+deb9u2.debian.tar.xz
78818be2e122b1ff8eaac88ea05000e539c8a56246dace3b6233f0e1bd767846 6116 libmspack_0.5-1+deb9u2_source.buildinfo
Files:
6834b0ae397e7c36eab83fba42655fd4 2106 libs optional libmspack_0.5-1+deb9u2.dsc
d09b9886f5632e7ffe82fe0075293003 7124 libs optional libmspack_0.5-1+deb9u2.debian.tar.xz
e89db6738dc56a7826dbf6f9d32ff475 6116 libs optional libmspack_0.5-1+deb9u2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEErHvQgQWZUb1RregAT+XjJihy5MwFAltjP0gACgkQT+XjJihy
5MyVhw//aeKT+0VC1b6C6mVdfSv+h4WS8dMuMNJglNow02Bue0w+xIK8RXa+I5Q2
WdKVJBs3wa4SxqhBqyJFqq5vP31tM99fDGgAPlttZrkkJ84YJFWF2MSGC3GV8zTQ
NHvZ3iIvw9xj6DxCWcQHX2uTfSAJD4HYY4+argiCkiq2kBHQcqvItSjh77gN6BYr
uPaPkU6826NXq3Nn15rvWtHBKPpFjTPiLQBNvNlEoZxgyQ67k/wPNT4kxScOUju+
UjK5UGuSPjS43d5i/eHFotvBvM47CjS5/8bKtVDjS9n92829MPsVF1w0+pd3aW9t
iXcEhnEIXeyPfBh4HZJzxV+isK6YDlxhLkC9wC3eA30Lw532AEXPRbwitGKug+bj
3GK31Gj6d9eQtrcNR9wuBncs00iPCTiZlDTA14SDRs12hHdd7z9+8cQRE6X2vYro
G5UTvJbioqY3hDlp27Rwyt0OjuaKzSwzN9FtzFaWjaAUNyb4Ss0CIWnnH+dqF3Us
W2LlNm+IpZPdyJMFX+4R0SXzwB4YlQNroSGPLzYPnONgWZguoHaVs9S61LWu2X++
W7Q1rgdWLy/2alR7z7xQNECVTt2bOrN8TRr03ZPuoCMBoF44ce5hXYyzvPxnylfG
K6rA7fkGBLwZrW636YrrdT9Fto6uGBF+t2sr5mEc9cj1GFB1BB8=
=uktX
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 02 Sep 2018 07:33:32 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:42:53 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon