Vulnerabilities > CVE-2018-18584 - Out-of-bounds Write vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH network
low complexity
libmspack-project
cabextract-project
debian
redhat
canonical
suse
starwindsoftware
CWE-787
nessus
Summary
In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8, the CAB block input buffer is one byte too small for the maximal Quantum block, leading to an out-of-bounds write.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2261.NASL description According to the version of the libmspack package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8, the CAB block input buffer is one byte too small for the maximal Quantum block, leading to an out-of-bounds write.(CVE-2018-18584) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2019-11-08 plugin id 130723 published 2019-11-08 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130723 title EulerOS 2.0 SP3 : libmspack (EulerOS-SA-2019-2261) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(130723); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07"); script_cve_id( "CVE-2018-18584" ); script_name(english:"EulerOS 2.0 SP3 : libmspack (EulerOS-SA-2019-2261)"); script_summary(english:"Checks the rpm output for the updated package."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing a security update."); script_set_attribute(attribute:"description", value: "According to the version of the libmspack package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8, the CAB block input buffer is one byte too small for the maximal Quantum block, leading to an out-of-bounds write.(CVE-2018-18584) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2261 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2759fd40"); script_set_attribute(attribute:"solution", value: "Update the affected libmspack package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"patch_publication_date", value:"2019/10/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/08"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libmspack"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) || sp !~ "^(3)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["libmspack-0.5-0.5.alpha.h3"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"3", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libmspack"); }NASL family Fedora Local Security Checks NASL id FEDORA_2018-A5953AF115.NASL description Latest stable releases of libmspack and cabextract, includes security fixes for CVE-2018-14680, CVE-2018-14681, CVE-2018-14682, CVE-2018-18584, CVE-2018-18585 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120675 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120675 title Fedora 29 : cabextract / libmspack (2018-a5953af115) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2018-a5953af115. # include("compat.inc"); if (description) { script_id(120675); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2018-14680", "CVE-2018-14681", "CVE-2018-14682", "CVE-2018-18584", "CVE-2018-18585"); script_xref(name:"FEDORA", value:"2018-a5953af115"); script_name(english:"Fedora 29 : cabextract / libmspack (2018-a5953af115)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Latest stable releases of libmspack and cabextract, includes security fixes for CVE-2018-14680, CVE-2018-14681, CVE-2018-14682, CVE-2018-18584, CVE-2018-18585 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-a5953af115" ); script_set_attribute( attribute:"solution", value:"Update the affected cabextract and / or libmspack packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:cabextract"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libmspack"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:29"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/28"); script_set_attribute(attribute:"patch_publication_date", value:"2018/11/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/03"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^29([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 29", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC29", reference:"cabextract-1.9-1.fc29")) flag++; if (rpm_check(release:"FC29", reference:"libmspack-0.9.1-0.1.alpha.fc29")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cabextract / libmspack"); }NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0237_LIBMSPACK.NASL description The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has libmspack packages installed that are affected by multiple vulnerabilities: - In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8, the CAB block input buffer is one byte too small for the maximal Quantum block, leading to an out-of-bounds write. (CVE-2018-18584) - chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha accepts a filename that has last seen 2020-06-01 modified 2020-06-02 plugin id 132502 published 2019-12-31 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132502 title NewStart CGSL CORE 5.05 / MAIN 5.05 : libmspack Multiple Vulnerabilities (NS-SA-2019-0237) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from ZTE advisory NS-SA-2019-0237. The text # itself is copyright (C) ZTE, Inc. include('compat.inc'); if (description) { script_id(132502); script_version("1.2"); script_cvs_date("Date: 2020/01/02"); script_cve_id("CVE-2018-18584", "CVE-2018-18585"); script_name(english:"NewStart CGSL CORE 5.05 / MAIN 5.05 : libmspack Multiple Vulnerabilities (NS-SA-2019-0237)"); script_set_attribute(attribute:"synopsis", value: "The remote machine is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has libmspack packages installed that are affected by multiple vulnerabilities: - In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8, the CAB block input buffer is one byte too small for the maximal Quantum block, leading to an out-of-bounds write. (CVE-2018-18584) - chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha accepts a filename that has '\0' as its first or second character (such as the /\0 name). (CVE-2018-18585) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0237"); script_set_attribute(attribute:"solution", value: "Upgrade the vulnerable CGSL libmspack packages. Note that updated packages may not be available yet. Please contact ZTE for more information."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-18585"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/23"); script_set_attribute(attribute:"patch_publication_date", value:"2019/12/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/31"); script_set_attribute(attribute:"plugin_type", value:"local"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"NewStart CGSL Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/ZTE-CGSL/release"); if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux"); if (release !~ "CGSL CORE 5.05" && release !~ "CGSL MAIN 5.05") audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.05 / NewStart CGSL MAIN 5.05'); if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu); flag = 0; pkgs = { "CGSL CORE 5.05": [ "libmspack-0.5-0.7.alpha.el7", "libmspack-debuginfo-0.5-0.7.alpha.el7", "libmspack-devel-0.5-0.7.alpha.el7" ], "CGSL MAIN 5.05": [ "libmspack-0.5-0.7.alpha.el7", "libmspack-debuginfo-0.5-0.7.alpha.el7", "libmspack-devel-0.5-0.7.alpha.el7" ] }; pkg_list = pkgs[release]; foreach (pkg in pkg_list) if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libmspack"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-2049.NASL description An update for libmspack is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The libmspack packages contain a library providing compression and extraction of the Cabinet (CAB) file format used by Microsoft. Security Fix(es) : * libmspack: Out-of-bounds write in mspack/cab.h (CVE-2018-18584) * libmspack: chmd_read_headers() fails to reject filenames containing NULL bytes (CVE-2018-18585) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 127659 published 2019-08-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127659 title RHEL 7 : libmspack (RHSA-2019:2049) NASL family Fedora Local Security Checks NASL id FEDORA_2018-CB337FB199.NASL description Latest stable releases of libmspack and cabextract, includes security fixes for CVE-2018-14680, CVE-2018-14681, CVE-2018-14682, CVE-2018-18584, CVE-2018-18585 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120791 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120791 title Fedora 28 : cabextract / libmspack (2018-cb337fb199) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-1329.NASL description This update for libmspack fixes the following issues : Security issues fixed : - CVE-2018-18584: The CAB block input buffer was one byte too small for the maximal Quantum block, leading to an out-of-bounds write. (bsc#1113038) - CVE-2018-18585: chmd_read_headers accepted a filename that has last seen 2020-06-05 modified 2018-10-31 plugin id 118561 published 2018-10-31 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118561 title openSUSE Security Update : libmspack (openSUSE-2018-1329) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-0748-1.NASL description This update for libmspack fixes the following issues : Security issues fixed : CVE-2018-18584: The CAB block input buffer was one byte too small for the maximal Quantum block, leading to an out-of-bounds write. (bsc#1113038) CVE-2018-18585: chmd_read_headers accepted a filename that has last seen 2020-06-01 modified 2020-06-02 plugin id 123412 published 2019-03-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123412 title SUSE SLED15 / SLES15 Security Update : libmspack (SUSE-SU-2019:0748-1) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201903-20.NASL description The remote host is affected by the vulnerability described in GLSA-201903-20 (cabextract, libmspack: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in cabextract and libmspack. Please review the CVE identifiers referenced below for details. Impact : Please review the referenced CVE’s for details. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 123426 published 2019-03-28 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123426 title GLSA-201903-20 : cabextract, libmspack: Multiple vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1555.NASL description CVE-2018-18584 Fixing the size of the CAB block input buffer, which is too small for the maximal Quantum block, prevents an out-of-bounds write. CVE-2018-18585 Blank filenames (having length zero or their 1st or 2nd byte is null) should be rejected. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 118468 published 2018-10-29 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118468 title Debian DLA-1555-1 : libmspack security update NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3814-1.NASL description It was discovered libmspack incorrectly handled certain malformed CAB files. A remote attacker could use this issue to cause libmspack to crash, resulting in a denial of service. (CVE-2018-18584, CVE-2018-18585). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 118904 published 2018-11-13 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118904 title Ubuntu 16.04 LTS / 18.04 LTS / 18.10 : libmspack vulnerabilities (USN-3814-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-1149.NASL description This update for libmspack fixes the following issues : Security issues fixed : - CVE-2018-18584: The CAB block input buffer was one byte too small for the maximal Quantum block, leading to an out-of-bounds write. (bsc#1113038) - CVE-2018-18585: chmd_read_headers accepted a filename that has last seen 2020-06-01 modified 2020-06-02 plugin id 123778 published 2019-04-05 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123778 title openSUSE Security Update : libmspack (openSUSE-2019-1149) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2019-2049.NASL description An update for libmspack is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The libmspack packages contain a library providing compression and extraction of the Cabinet (CAB) file format used by Microsoft. Security Fix(es) : * libmspack: Out-of-bounds write in mspack/cab.h (CVE-2018-18584) * libmspack: chmd_read_headers() fails to reject filenames containing NULL bytes (CVE-2018-18585) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 128340 published 2019-08-30 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128340 title CentOS 7 : libmspack (CESA-2019:2049) NASL family Scientific Linux Local Security Checks NASL id SL_20190806_LIBMSPACK_ON_SL7_X.NASL description Security Fix(es) : - libmspack: Out-of-bounds write in mspack/cab.h (CVE-2018-18584) - libmspack: chmd_read_headers() fails to reject filenames containing NULL bytes (CVE-2018-18585) last seen 2020-03-18 modified 2019-08-27 plugin id 128232 published 2019-08-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128232 title Scientific Linux Security Update : libmspack on SL7.x x86_64 (20190806) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0217_LIBMSPACK.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has libmspack packages installed that are affected by multiple vulnerabilities: - An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service (uninitialized data dereference and application crash). (CVE-2018-14679) - In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8, the CAB block input buffer is one byte too small for the maximal Quantum block, leading to an out-of-bounds write. (CVE-2018-18584) - chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha accepts a filename that has last seen 2020-06-01 modified 2020-06-02 plugin id 131413 published 2019-12-02 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131413 title NewStart CGSL CORE 5.04 / MAIN 5.04 : libmspack Multiple Vulnerabilities (NS-SA-2019-0217) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3814-2.NASL description USN-3814-1 fixed several vulnerabilities in libmspack. In Ubuntu 14.04 libmspack is included into ClamAV. This update provides the corresponding update for Ubuntu 14.04 LTS. Original advisory details : It was discovered libmspack incorrectly handled certain malformed CAB files. A remote attacker could use this issue to cause libmspack to crash, resulting in a denial of service. (CVE-2018-18584, CVE-2018-18585). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 118905 published 2018-11-13 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118905 title Ubuntu 14.04 LTS : clamav vulnerabilities (USN-3814-2) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-13992-1.NASL description This update for libmspack fixes the following issues : Security issues fixed : CVE-2018-18584: The CAB block input buffer was one byte too small for the maximal Quantum block, leading to an out-of-bounds write. (bsc#1113038) CVE-2018-18585: chmd_read_headers accepted a filename that has last seen 2020-06-01 modified 2020-06-02 plugin id 123455 published 2019-03-28 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123455 title SUSE SLES11 Security Update : libmspack (SUSE-SU-2019:13992-1) NASL family Fedora Local Security Checks NASL id FEDORA_2018-C73D257297.NASL description Latest stable releases of libmspack and cabextract, includes security fixes for CVE-2018-14680, CVE-2018-14681, CVE-2018-14682, CVE-2018-18584, CVE-2018-18585 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-11-19 plugin id 119019 published 2018-11-19 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119019 title Fedora 27 : cabextract / libmspack (2018-c73d257297) NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2019-1310.NASL description In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8, the CAB block input buffer is one byte too small for the maximal Quantum block, leading to an out-of-bounds write.(CVE-2018-18584) chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha accepts a filename that has last seen 2020-06-01 modified 2020-06-02 plugin id 129792 published 2019-10-11 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129792 title Amazon Linux 2 : libmspack (ALAS-2019-1310)
Redhat
| advisories |
| ||||
| rpms |
|
References
- https://www.openwall.com/lists/oss-security/2018/10/22/1
- https://www.cabextract.org.uk/#changes
- https://github.com/kyz/libmspack/commit/40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2
- https://bugs.debian.org/911640
- https://lists.debian.org/debian-lts-announce/2018/10/msg00017.html
- https://usn.ubuntu.com/3814-2/
- https://usn.ubuntu.com/3814-1/
- https://usn.ubuntu.com/3814-3/
- https://security.gentoo.org/glsa/201903-20
- https://access.redhat.com/errata/RHSA-2019:2049
- https://www.starwindsoftware.com/security/sw-20181213-0001/