{"id":"CVE-2017-6419","details":"mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted CHM file.","modified":"2026-05-15T05:33:16.555384Z","published":"2017-08-07T03:29:00.277Z","related":["SUSE-SU-2018:0254-1","SUSE-SU-2018:0255-1","SUSE-SU-2018:0809-1","SUSE-SU-2018:0863-1","openSUSE-SU-2024:10685-1","openSUSE-SU-2024:10958-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2018/02/msg00014.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3946"},{"type":"ADVISORY","url":"https://github.com/varsleak/varsleak-vul/blob/master/clamav-vul/heap-overflow/clamav_chm_crash.md"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201804-16"},{"type":"REPORT","url":"https://bugzilla.clamav.net/show_bug.cgi?id=11701"},{"type":"FIX","url":"https://github.com/vrtadmin/clamav-devel/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cisco-talos/clamav","events":[{"introduced":"0"},{"fixed":"a83773682e856ad6529ba6db8d1792e6d515d7f1"}],"database_specific":{"source":"REFERENCES"}}],"versions":["clamav-0.97","clamav-0.97rc","clamav-0.96.5","clamav-0.96.4","clamav-0.96.3","clamav-0.96.2","clamav-0.96","clamav-0.96rc2","clamav-0.96rc1","merge-llvm-97877","r5076"],"database_specific":{"vanir_signatures":[{"digest":{"length":64,"function_hash":"105314170104537119795892195005646536883"},"id":"CVE-2017-6419-158e5c12","deprecated":false,"target":{"function":"mspack_fmap_free","file":"libclamav/libmspack.c"},"source":"https://github.com/cisco-talos/clamav/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1","signature_type":"Function","signature_version":"v1"},{"digest":{"length":179,"function_hash":"36425859503893486122199183962679951196"},"id":"CVE-2017-6419-2dff9d70","deprecated":false,"target":{"function":"lzxd_free","file":"libclamav/libmspack-0.5alpha/mspack/lzxd.c"},"source":"https://github.com/cisco-talos/clamav/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1","signature_type":"Function","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["136812049944724980978743740024966289697","239642238586611879435853196125623206467","40883855409387376279425001697949305055","207670088480332678768897160205840489720","137050635423474274304079970391599644070","256192828004486556560188961880269201204","92030697883542239907420004418267516576","133434634387658503944555526626693766626","57477167490934286654239258003596752208","299735408700367508640607568273422838006"]},"id":"CVE-2017-6419-3c94d9a1","deprecated":false,"target":{"file":"libclamav/libmspack-0.5alpha/mspack/lzxd.c"},"source":"https://github.com/cisco-talos/clamav/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1","signature_type":"Line","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["39213307635245385338061781708479438537","161293350000683804664213130242652150668","179719491279128692184227813514265352406","111485140398853709928158643894428398984"]},"id":"CVE-2017-6419-565b7fba","deprecated":false,"target":{"file":"libclamav/libmspack.c"},"source":"https://github.com/cisco-talos/clamav/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1","signature_type":"Line","signature_version":"v1"},{"digest":{"length":10410,"function_hash":"157883946808374614544341957531013484112"},"id":"CVE-2017-6419-d5ca588a","deprecated":false,"target":{"function":"lzxd_decompress","file":"libclamav/libmspack-0.5alpha/mspack/lzxd.c"},"source":"https://github.com/cisco-talos/clamav/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1","signature_type":"Function","signature_version":"v1"}],"vanir_signatures_modified":"2026-05-15T05:33:16Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-6419.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/kyz/libmspack","events":[{"introduced":"0"},{"last_affected":"03296dd44347ab3111ba23b8e3945e2b537b6275"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:libmspack_project:libmspack:0.5:alpha:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"0.5-alpha"}]}}],"versions":["v0.5alpha","v0.4alpha","v1.4","v0.3alpha","v1.3","v1.2","v0.0.20060920alpha","v1.1","v1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-6419.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}