libmspack-devel-0.10.1-1.12 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10958-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libmspack-devel-0.10.1-1.12 on GA media These are all security issues fixed in the libmspack-devel-0.10.1-1.12 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10958 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-11423/ SUSE CVE CVE-2017-11423 page https://www.suse.com/security/cve/CVE-2017-6419/ SUSE CVE CVE-2017-6419 page https://www.suse.com/security/cve/CVE-2018-14679/ SUSE CVE CVE-2018-14679 page https://www.suse.com/security/cve/CVE-2018-14680/ SUSE CVE CVE-2018-14680 page https://www.suse.com/security/cve/CVE-2018-14681/ SUSE CVE CVE-2018-14681 page https://www.suse.com/security/cve/CVE-2018-14682/ SUSE CVE CVE-2018-14682 page openSUSE Tumbleweed libmspack-devel-0.10.1-1.12 libmspack0-0.10.1-1.12 libmspack0-32bit-0.10.1-1.12 mspack-examples-0.10.1-1.12 libmspack-devel-0.10.1-1.12 as a component of openSUSE Tumbleweed libmspack0-0.10.1-1.12 as a component of openSUSE Tumbleweed libmspack0-32bit-0.10.1-1.12 as a component of openSUSE Tumbleweed mspack-examples-0.10.1-1.12 as a component of openSUSE Tumbleweed The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2 and other products, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted CAB file. CVE-2017-11423 openSUSE Tumbleweed:libmspack-devel-0.10.1-1.12 openSUSE Tumbleweed:libmspack0-0.10.1-1.12 openSUSE Tumbleweed:libmspack0-32bit-0.10.1-1.12 openSUSE Tumbleweed:mspack-examples-0.10.1-1.12 moderate 1.7 AV:L/AC:L/Au:S/C:N/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-11423.html CVE-2017-11423 https://bugzilla.suse.com/1049423 SUSE Bug 1049423 https://bugzilla.suse.com/1083915 SUSE Bug 1083915 mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted CHM file. CVE-2017-6419 openSUSE Tumbleweed:libmspack-devel-0.10.1-1.12 openSUSE Tumbleweed:libmspack0-0.10.1-1.12 openSUSE Tumbleweed:libmspack0-32bit-0.10.1-1.12 openSUSE Tumbleweed:mspack-examples-0.10.1-1.12 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-6419.html CVE-2017-6419 https://bugzilla.suse.com/1052449 SUSE Bug 1052449 https://bugzilla.suse.com/1083915 SUSE Bug 1083915 An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service (uninitialized data dereference and application crash). CVE-2018-14679 openSUSE Tumbleweed:libmspack-devel-0.10.1-1.12 openSUSE Tumbleweed:libmspack0-0.10.1-1.12 openSUSE Tumbleweed:libmspack0-32bit-0.10.1-1.12 openSUSE Tumbleweed:mspack-examples-0.10.1-1.12 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-14679.html CVE-2018-14679 https://bugzilla.suse.com/1102922 SUSE Bug 1102922 https://bugzilla.suse.com/1103032 SUSE Bug 1103032 https://bugzilla.suse.com/1103040 SUSE Bug 1103040 An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. It does not reject blank CHM filenames. CVE-2018-14680 openSUSE Tumbleweed:libmspack-devel-0.10.1-1.12 openSUSE Tumbleweed:libmspack0-0.10.1-1.12 openSUSE Tumbleweed:libmspack0-32bit-0.10.1-1.12 openSUSE Tumbleweed:mspack-examples-0.10.1-1.12 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-14680.html CVE-2018-14680 https://bugzilla.suse.com/1102922 SUSE Bug 1102922 https://bugzilla.suse.com/1103032 SUSE Bug 1103032 https://bugzilla.suse.com/1103040 SUSE Bug 1103040 An issue was discovered in kwajd_read_headers in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file header extensions could cause a one or two byte overwrite. CVE-2018-14681 openSUSE Tumbleweed:libmspack-devel-0.10.1-1.12 openSUSE Tumbleweed:libmspack0-0.10.1-1.12 openSUSE Tumbleweed:libmspack0-32bit-0.10.1-1.12 openSUSE Tumbleweed:mspack-examples-0.10.1-1.12 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-14681.html CVE-2018-14681 https://bugzilla.suse.com/1102922 SUSE Bug 1102922 https://bugzilla.suse.com/1103032 SUSE Bug 1103032 https://bugzilla.suse.com/1103040 SUSE Bug 1103040 An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the TOLOWER() macro for CHM decompression. CVE-2018-14682 openSUSE Tumbleweed:libmspack-devel-0.10.1-1.12 openSUSE Tumbleweed:libmspack0-0.10.1-1.12 openSUSE Tumbleweed:libmspack0-32bit-0.10.1-1.12 openSUSE Tumbleweed:mspack-examples-0.10.1-1.12 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-14682.html CVE-2018-14682 https://bugzilla.suse.com/1102922 SUSE Bug 1102922 https://bugzilla.suse.com/1103032 SUSE Bug 1103032 https://bugzilla.suse.com/1103040 SUSE Bug 1103040