CVE-2017-6419

Priority
Medium
Description
mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows
remote attackers to cause a denial of service (heap-based buffer overflow
and application crash) or possibly have unspecified other impact via a
crafted CHM file.
Notes
 mdeslaur> clamav in xenial+ uses the system libmspack, trusty uses
 mdeslaur> the embedded one.
Package
Upstream: needs-triage
Ubuntu 17.10 (Artful Aardvark): not-affected (uses system libmspack)
Ubuntu 12.04 ESM (Precise Pangolin): released (0.99.2+addedllvm-0ubuntu0.12.04.2)
Ubuntu 14.04 LTS (Trusty Tahr): released (0.99.2+addedllvm-0ubuntu0.14.04.2)
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (uses system libmspack)
Ubuntu 17.04 (Zesty Zapus): not-affected (uses system libmspack)
Patches:
Upstream: https://github.com/vrtadmin/clamav-devel/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1
Package
Upstream: released (0.6-1)
Ubuntu 17.10 (Artful Aardvark): not-affected (0.6-3)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): needed
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (0.5-1ubuntu0.16.04.1)
Ubuntu 17.04 (Zesty Zapus): released (0.5-1ubuntu0.17.04.1)
Patches:
Upstream: https://github.com/kyz/libmspack/commit/6139a0b9e93fcb7fcf423e56aa825bc869e02229
Updated: 2017-08-17 20:14:13 UTC (commit 13126)