Hello,
I have no more information than you do. If you can find out who raised
the issue, please ask them to send me the example of the crafted file.
The bug says "stack-based buffer over-read and application crash" - the
file
https://github.com/hackerlib/hackerlib-vul/tree/master/clamav-vul/stack-overflow
doesn't show an application crash, it shows only the stack-based buffer
over-read of 1 byte.
I've known about that one-byte buffer over-read, I fixed it in 2015, and
I haven't yet got around to making a release of libmspack with this fix,
because I didn't consider it a vulnerability at the time and still don't
consider it one now.
https://github.com/kyz/libmspack/commit/3e3436af6010ac245d7a390c6798e2b81ce09191
2015-05-10 Stuart Caie <ky...@4u.net>
* cabd_read_string(): correct rejection of empty strings. Thanks to
Hanno Böck for finding the issue and providing a sample file.
I had a philosophical discussion with Hanno Böck about it, I wasn't
persuaded that it's a real vulnerability. If you craft a CAB file with
an empty CAB string, one byte will be overread. You can't make it
over-read an arbitrary number of bytes, just the empty string -> 1 byte
overread.
This report says "and application crash" -- I still have no evidence
this is true (unless you've instrumented your code to monitor all
overreads and deliberately crash yourself when you see one). If you want
me to release libmspack to address a CVE created for a
non-vulnerability, please let me know.
Regards
Stuart
On 23/07/17 16:17, Marc Dequènes (duck) wrote:
Quack,
I added libmspack's upstream author in case he could give a hand.
Here is the bugreport:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868956
On 2017-07-20 05:15, Salvatore Bonaccorso wrote:
Unfortunately the upstream bug [1] is locked-down.
Thanks for reporting it. Unfortunately I don't see how I can solve
this problem. If all information is hidden on a related but not
upstream bug tracker (which really should have one), if there's no
patch or new release either, then I'm honestly at a loss.
If I happen to create an account on ClamAV's bug tracker, would
you be able to give me access?
Regards.
\_o<