{"id":"CVE-2018-14681","details":"An issue was discovered in kwajd_read_headers in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file header extensions could cause a one or two byte overwrite.","modified":"2026-04-16T01:40:39.990471150Z","published":"2018-07-28T23:29:00.343Z","related":["SUSE-SU-2018:3250-1","SUSE-SU-2018:3436-1","SUSE-SU-2018:3436-2","SUSE-SU-2018:3441-1","SUSE-SU-2021:2765-1","SUSE-SU-2021:2802-1","openSUSE-SU-2021:1200-1","openSUSE-SU-2021:2802-1","openSUSE-SU-2024:10958-1"],"references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2018/07/26/1"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1041410"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3327"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3505"},{"type":"ADVISORY","url":"https://bugs.debian.org/904799"},{"type":"ADVISORY","url":"https://github.com/kyz/libmspack/commit/0b0ef9344255ff5acfac6b7af09198ac9c9756c8"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/08/msg00007.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201903-20"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3728-1/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3728-2/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3728-3/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3789-2/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4260"},{"type":"REPORT","url":"https://bugs.debian.org/904799"},{"type":"FIX","url":"https://bugs.debian.org/904799"},{"type":"FIX","url":"https://github.com/kyz/libmspack/commit/0b0ef9344255ff5acfac6b7af09198ac9c9756c8"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2018/07/26/1"},{"type":"ARTICLE","url":"https://bugs.debian.org/904799"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2018/08/msg00007.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kyz/libmspack","events":[{"introduced":"0"},{"fixed":"0b0ef9344255ff5acfac6b7af09198ac9c9756c8"}]}],"versions":["v0.0.20060920alpha","v0.3alpha","v0.4alpha","v0.5alpha","v0.6alpha","v1.0","v1.1","v1.2","v1.3","v1.4","v1.5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-14681.json","vanir_signatures":[{"target":{"file":"libmspack/mspack/kwajd.c"},"deprecated":false,"signature_version":"v1","signature_type":"Line","id":"CVE-2018-14681-ebb257ff","digest":{"line_hashes":["264125639601368245136278382040962299940","334718959738228674956836817475169085946","129263725176395171497904630117284598573","136055985965663008756139860224137290491","146921429704295347375559488414009961315","144048888467957435751834250567563075182","111846584464331271926986855392744924426","203836619199442944830654375939473252323","81676947660109281998418610702684930460","298075990359636591353990776340018337053","291184430367398170553833683326145169146","265994721061227409424378697157226067255","282128057683887539700009755939422265141","145568330504166830716940528839867775308","47732878296738844481897533567175310364","296738990979170437360220607543689989228","310121185771599670866381063311104525529","274428706265141814401783177908660083895","71631741594013791888316882536923655880","126237243167368149135907565162241690162","134367768589457487684380498779829148207"],"threshold":0.9},"source":"https://github.com/kyz/libmspack/commit/0b0ef9344255ff5acfac6b7af09198ac9c9756c8"},{"target":{"function":"kwajd_read_headers","file":"libmspack/mspack/kwajd.c"},"signature_type":"Function","deprecated":false,"digest":{"length":2697,"function_hash":"9188850034302970685971634658391947089"},"id":"CVE-2018-14681-f0630062","signature_version":"v1","source":"https://github.com/kyz/libmspack/commit/0b0ef9344255ff5acfac6b7af09198ac9c9756c8"}]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}