libmspack-devel-0.11-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13619 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libmspack-devel-0.11-2.1 on GA media These are all security issues fixed in the libmspack-devel-0.11-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13619 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13619 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-18584/ SUSE CVE CVE-2018-18584 page https://www.suse.com/security/cve/CVE-2018-18585/ SUSE CVE CVE-2018-18585 page https://www.suse.com/security/cve/CVE-2018-18586/ SUSE CVE CVE-2018-18586 page https://www.suse.com/security/cve/CVE-2019-1010305/ SUSE CVE CVE-2019-1010305 page openSUSE Tumbleweed libmspack-devel-0.11-2.1 libmspack0-0.11-2.1 libmspack0-32bit-0.11-2.1 mspack-examples-0.11-2.1 libmspack-devel-0.11-2.1 as a component of openSUSE Tumbleweed libmspack0-0.11-2.1 as a component of openSUSE Tumbleweed libmspack0-32bit-0.11-2.1 as a component of openSUSE Tumbleweed mspack-examples-0.11-2.1 as a component of openSUSE Tumbleweed In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8, the CAB block input buffer is one byte too small for the maximal Quantum block, leading to an out-of-bounds write. CVE-2018-18584 openSUSE Tumbleweed:libmspack-devel-0.11-2.1 openSUSE Tumbleweed:libmspack0-0.11-2.1 openSUSE Tumbleweed:libmspack0-32bit-0.11-2.1 openSUSE Tumbleweed:mspack-examples-0.11-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-18584.html CVE-2018-18584 https://bugzilla.suse.com/1113038 SUSE Bug 1113038 https://bugzilla.suse.com/1113039 SUSE Bug 1113039 chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha accepts a filename that has '\0' as its first or second character (such as the "/\0" name). CVE-2018-18585 openSUSE Tumbleweed:libmspack-devel-0.11-2.1 openSUSE Tumbleweed:libmspack0-0.11-2.1 openSUSE Tumbleweed:libmspack0-32bit-0.11-2.1 openSUSE Tumbleweed:mspack-examples-0.11-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-18585.html CVE-2018-18585 https://bugzilla.suse.com/1113038 SUSE Bug 1113038 https://bugzilla.suse.com/1113039 SUSE Bug 1113039 ** DISPUTED ** chmextract.c in the chmextract sample program, as distributed with libmspack before 0.8alpha, does not protect against absolute/relative pathnames in CHM files, leading to Directory Traversal. NOTE: the vendor disputes that this is a libmspack vulnerability, because chmextract.c was only intended as a source-code example, not a supported application. CVE-2018-18586 openSUSE Tumbleweed:libmspack-devel-0.11-2.1 openSUSE Tumbleweed:libmspack0-0.11-2.1 openSUSE Tumbleweed:libmspack0-32bit-0.11-2.1 openSUSE Tumbleweed:mspack-examples-0.11-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-18586.html CVE-2018-18586 https://bugzilla.suse.com/1113038 SUSE Bug 1113038 https://bugzilla.suse.com/1113039 SUSE Bug 1113039 https://bugzilla.suse.com/1113040 SUSE Bug 1113040 libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: Information Disclosure. The component is: function chmd_read_headers() in libmspack(file libmspack/mspack/chmd.c). The attack vector is: the victim must open a specially crafted chm file. The fixed version is: after commit 2f084136cfe0d05e5bf5703f3e83c6d955234b4d. CVE-2019-1010305 openSUSE Tumbleweed:libmspack-devel-0.11-2.1 openSUSE Tumbleweed:libmspack0-0.11-2.1 openSUSE Tumbleweed:libmspack0-32bit-0.11-2.1 openSUSE Tumbleweed:mspack-examples-0.11-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1010305.html CVE-2019-1010305 https://bugzilla.suse.com/1141680 SUSE Bug 1141680