Date: Mon, 22 Oct 2018 08:17:35 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Buffer overflow in cabextract/libmspack (Fwd: New cabextract 1.8
 and libmspack 0.8 release)

New cabextract and libmspack fix a buffer overflow.
Notably libmspack is also used in clamav.

Forwarding the release notes here:

--------------------------

Hello all,

cabextract 1.8 has been released. It greatly improves its ability to 
extract damaged files with the "-f" option, and the cabinfo command has 
been rewritten.

It also fixes this bug:

* if a CAB file has a Quantum-compressed datablock with exactly 38912 
compressed bytes, cabextract will write exactly one byte beyond its 
input buffer.

cabextract can be downloaded from https://www.cabextract.org.uk/

SHA256 sums:

2d9b5ba24239ba6eac02bdee6f2fa208bb4d0a14c84ed81792fc35c213140f38  cabextract-1.8-1.i386.rpm
54138e652fa0fa39e021d66b6315994f906cda965ddb786117f28276f135664e  cabextract-1.8-1.src.rpm
082b8ec149babc9ae10b5d6568eb764c67e75c3cfc379b1211b88b980febebd7  cabextract-1.8.tar.gz

libmspack 0.8alpha has also been released.

It adds the new parameter MSCABD_PARAM_SALVAGE which permits salvaging 
badly damaged files rather than rejecting them outright.

It fixes several bugs:

* the above 38912-byte Quantum CAB block bug
* libmspack now also rejects blank CHM filenames that are blank because 
they have embedded null bytes, not just because they are zero-length
* chmextract now protects you from absolute/relative pathnames in CHM
  files

libmspack can be downloaded from
https://www.cabextract.org.uk/libmspack/

SHA256 sum:

0533792e9561375a5fce1bc96bbc65ec778af486e0daa3803b226da9244addaf  libmspack-0.8alpha.tar.gz

If you wish to patch an older version, please look at commits 8759da8,
7cadd48 and 40ef1b4 in the git repository.

Regards
Stuart



-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
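
The boundary case from the release notes (a block of exactly 38912 bytes leading to a write one byte past the input buffer), as an added example that is not part of the original message and is not libmspack code. It is a constructed model: the idea that one trailing byte is stored after the block data is an assumption made for illustration, and all function names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model, not libmspack source. 38912 is the block length from
 * the release notes; the appended trailing byte is an assumed mechanism. */
#define INPUT_MAX 38912u
#define TRAILER   0xFF
#define GUARD     0xA5

/* Unchecked pattern: the data length is validated against the buffer,
 * but the one extra byte stored after the data is not. */
static size_t load_unchecked(unsigned char *buf, size_t cap,
                             const unsigned char *src, size_t len) {
    if (len > cap) return 0;
    memcpy(buf, src, len);
    buf[len] = TRAILER;            /* index == cap when len == cap */
    return len + 1;
}

/* Checked pattern: the bound covers the data and the extra byte. */
static size_t load_checked(unsigned char *buf, size_t cap,
                           const unsigned char *src, size_t len) {
    if (len >= cap) return 0;      /* requires len + 1 <= cap */
    memcpy(buf, src, len);
    buf[len] = TRAILER;
    return len + 1;
}

/* Loads a len-byte block into a buffer of cap usable bytes that is followed
 * by one guard byte. Returns 1 if the guard was overwritten, 0 if it
 * survived, -1 on allocation failure. The guard keeps the stray write
 * inside the allocation, so the demonstration itself is well defined. */
int guard_clobbered(int checked, size_t cap, size_t len) {
    unsigned char *arena = malloc(cap + 1);
    unsigned char *src = calloc(len + 1, 1);
    int hit = -1;
    if (arena && src) {
        arena[cap] = GUARD;
        if (checked) load_checked(arena, cap, src, len);
        else         load_unchecked(arena, cap, src, len);
        hit = (arena[cap] != GUARD);
    }
    free(arena);
    free(src);
    return hit;
}

int main(void) { return guard_clobbered(0, INPUT_MAX, INPUT_MAX) == 1 ? 0 : 1; }
```

Only the exact-fit length trips the guard in the unchecked loader; the checked loader either rejects that block or, given a buffer one byte larger, stores it safely.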
