{"id":"MGASA-2018-0455","summary":"Updated libmspack/cabextract packages fix security vulnerabilities","details":"Hanno Böck discovered that libmspack incorrectly handled certain CHM\nfiles. An attacker could possibly use this issue to cause a denial of\nservice (CVE-2018-14679, CVE-2018-14680).\n\nJakub Wilk discovered that libmspack incorrectly handled certain KWAJ\nfiles. An attacker could possibly use this issue to execute arbitrary\ncode (CVE-2018-14681).\n\nDmitry Glavatskikh discovered that libmspack incorrectly handled certain CHM\nfiles. An attacker could possibly use this issue to execute arbitrary\ncode (CVE-2018-14682).\n\nIf a CAB file has a Quantum-compressed datablock with exactly 38912\ncompressed bytes, cabextract would write exactly one byte beyond its\ninput buffer (CVE-2018-18584).\n\nlibmspack didn't reject CHM filenames that are blank because they\nhave embedded null bytes, not just because they are zero-length\n(CVE-2018-18585).\n\nchmextract didn't protect from absolute/relative pathnames in CHM files\n(CVE-2018-18586).\n","modified":"2026-02-01T20:13:16.674179Z","published":"2018-11-17T22:23:26Z","related":["CVE-2018-14679","CVE-2018-14680","CVE-2018-14681","CVE-2018-14682","CVE-2018-18584","CVE-2018-18585","CVE-2018-18586"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2018-0455.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=23365"},{"type":"REPORT","url":"https://usn.ubuntu.com/3728-1/"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2018/10/22/1"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2018/10/23/11"}],"affected":[{"package":{"name":"libmspack","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/libmspack?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.9.1-0.alpha.1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0455.json"}},{"package":{"name":"cabextract","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/cabextract?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.9-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0455.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}