CVE-2018-18584

Priority
Description
In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8, the
CAB block input buffer is one byte too small for the maximal Quantum block,
leading to an out-of-bounds write.
Notes
 amurray> We released clamav 0.100.2+dfsg-1ubuntu0.1X.04.2 for precise/esm
 amurray> and trusty, but subsequently were notified the bundled libmspack is
 amurray> not actually vulnerable in this case, as the version of libmspack
 amurray> provided had increased the CAB_BLOCKMAX macro to 65535, meaning that
 amurray> CAB_INPUTMAX is now 71679, which is impossible to encode in the
 amurray> 16-bit cfdata_CompressedSize field of a single block.
Assigned-to
amurray
Package
Upstream: released (1.4-5)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): needs-triage
Ubuntu 16.04 LTS (Xenial Xerus): needs-triage
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (uses system libmspack)
Ubuntu 18.10 (Cosmic Cuttlefish): not-affected (uses system libmspack)
Ubuntu 19.04 (Disco Dingo): not-affected (uses system libmspack)
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): released (0.100.2+dfsg-1ubuntu0.12.04.2)
Ubuntu 14.04 LTS (Trusty Tahr): released (0.100.2+dfsg-1ubuntu0.14.04.2)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (uses system libmspack)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (uses system libmspack)
Ubuntu 18.10 (Cosmic Cuttlefish): not-affected (uses system libmspack)
Ubuntu 19.04 (Disco Dingo): not-affected (uses system libmspack)
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): needed
Ubuntu 16.04 LTS (Xenial Xerus): released (0.5-1ubuntu0.16.04.3)
Ubuntu 18.04 LTS (Bionic Beaver): released (0.6-3ubuntu0.2)
Ubuntu 18.10 (Cosmic Cuttlefish): released (0.7-1ubuntu0.1)
Ubuntu 19.04 (Disco Dingo): needed
Patches:
Upstream: https://github.com/kyz/libmspack/commit/40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2
More Information

Updated: 2018-11-21 03:14:16 UTC (commit 209478ef8b6d55c1efb7c0664fa69f44d242350b)