Your message dated Thu, 01 Nov 2018 19:56:18 +0000
with message-id <[email protected]>
and subject line Bug#911637: fixed in libmspack 0.5-1+deb9u3
has caused the Debian Bug report #911637,
regarding libmspack: CVE-2018-18585: Avoid returning CHM file entries that are 
"blank" because they have embedded null bytes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
911637: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911637
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libmspack
Version: 0.5-1
Severity: important
Tags: patch security upstream
Control: found -1 0.5-1+deb9u2
Control: found -1 0.7-1

From https://www.openwall.com/lists/oss-security/2018/10/22/1

> libmspack now also rejects blank CHM filenames that are blank because
> they have embedded null bytes, not just because they are zero-length

https://github.com/kyz/libmspack/commit/8759da8db6ec9e866cb8eb143313f397f925bb4f

CVE not yet assigned for this issue.

Regards,
Salvatore



-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Source: libmspack
Source-Version: 0.5-1+deb9u3

We believe that the bug you reported is fixed in the latest version of
libmspack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <[email protected]> (supplier of updated libmspack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 26 Oct 2018 19:03:02 +0200
Source: libmspack
Binary: libmspack0 libmspack-dev libmspack-dbg libmspack-doc
Architecture: source amd64 all
Version: 0.5-1+deb9u3
Distribution: stretch
Urgency: high
Maintainer: Marc Dequènes (Duck) <[email protected]>
Changed-By: Thorsten Alteholz <[email protected]>
Description:
 libmspack-dbg - library for Microsoft compression formats (debugging symbols)
 libmspack-dev - library for Microsoft compression formats (development files)
 libmspack-doc - library for Microsoft compression formats (documentation)
 libmspack0 - library for Microsoft compression formats (shared library)
Closes: 911637 911640
Changes:
 libmspack (0.5-1+deb9u3) stretch; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2018-18584 (Closes: #911640)
     Fixing the size of the CAB block input buffer, which is too small
     for the maximal Quantum block, prevents an out-of-bounds write.
   * CVE-2018-18585 (Closes: #911637)
     Blank filenames (having length zero or their 1st or 2nd byte is
     null) should be rejected.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
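
The blank-filename rule from the CVE-2018-18585 changelog entry above, as an added example that is not part of the original messages and is not libmspack's own code. The one-byte length prefix, the function names and the sample bytes are assumptions constructed for illustration; the example compares a zero-length-only check with the stricter rule.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: [1-byte length][name bytes] records (simplified layout). */
static const unsigned char SAMPLE[] = {
    4, '/', 'a', '.', 'c',   /* ordinary name */
    0,                       /* zero-length name */
    3, 0, 'x', 'y',          /* 1st byte is NUL */
    4, '/', 0, 'e', 'f',     /* 2nd byte is NUL */
    1, 0                     /* single NUL byte */
};

/* Weak check: only a zero length counts as blank. */
static int is_blank_weak(const unsigned char *name, size_t len) {
    (void)name;
    return len == 0;
}

/* Strict check per the changelog wording: length zero, or 1st or 2nd byte
 * NUL. The 2nd byte is read only when the declared length covers it. */
static int is_blank_strict(const unsigned char *name, size_t len) {
    if (len == 0 || name[0] == 0) return 1;
    return len >= 2 && name[1] == 0;
}

/* Count accepted entries whose NUL-terminated copy is shorter than the
 * declared length and under two characters, i.e. names a caller using
 * C string functions would see as blank. */
static int count_blank_accepted(const unsigned char *buf, size_t n,
                                int (*is_blank)(const unsigned char *, size_t)) {
    int leaked = 0;
    size_t pos = 0;
    while (pos < n) {
        size_t len = buf[pos++];
        if (len > n - pos) break;              /* truncated record: stop */
        const unsigned char *name = buf + pos;
        pos += len;
        if (is_blank(name, len)) continue;     /* entry rejected */
        char copy[256];                        /* len <= 255, so this fits */
        memcpy(copy, name, len);
        copy[len] = '\0';
        size_t seen = strlen(copy);
        if (seen < len && seen < 2) leaked++;
    }
    return leaked;
}

int main(void) {
    printf("weak check lets through:   %d\n", count_blank_accepted(SAMPLE, sizeof SAMPLE, is_blank_weak));
    printf("strict check lets through: %d\n", count_blank_accepted(SAMPLE, sizeof SAMPLE, is_blank_strict));
    return 0;
}
```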