Security update for libmspack SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:1200-1 Final 1 1 2021-08-25T22:06:02Z current 2021-08-25T22:06:02Z 2021-08-25T22:06:02Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libmspack This update for libmspack fixes the following issues: - CVE-2018-14681: Bad KWAJ file header extensions could cause a one or two byte overwrite. (bsc#1103032) - CVE-2018-14682: There is an off-by-one error in the TOLOWER() macro for CHM decompression. (bsc#1103032) - CVE-2018-14679: There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service. (bsc#1103032) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-1200 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CB3MRNYWFKRQUSWOFW43J2YAPXGFTDWP/ E-Mail link for openSUSE-SU-2021:1200-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1103032 SUSE Bug 1103032 https://www.suse.com/security/cve/CVE-2018-14679/ SUSE CVE CVE-2018-14679 page https://www.suse.com/security/cve/CVE-2018-14681/ SUSE CVE CVE-2018-14681 page https://www.suse.com/security/cve/CVE-2018-14682/ SUSE CVE CVE-2018-14682 page openSUSE Leap 15.2 libmspack-devel-0.6-lp152.6.3.1 libmspack0-0.6-lp152.6.3.1 libmspack0-32bit-0.6-lp152.6.3.1 mspack-tools-0.6-lp152.6.3.1 libmspack-devel-0.6-lp152.6.3.1 as a component of openSUSE Leap 15.2 libmspack0-0.6-lp152.6.3.1 as a component of openSUSE Leap 15.2 libmspack0-32bit-0.6-lp152.6.3.1 as a component of openSUSE Leap 15.2 mspack-tools-0.6-lp152.6.3.1 as a component of openSUSE Leap 15.2 An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service (uninitialized data dereference and application crash). CVE-2018-14679 openSUSE Leap 15.2:libmspack-devel-0.6-lp152.6.3.1 openSUSE Leap 15.2:libmspack0-0.6-lp152.6.3.1 openSUSE Leap 15.2:libmspack0-32bit-0.6-lp152.6.3.1 openSUSE Leap 15.2:mspack-tools-0.6-lp152.6.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CB3MRNYWFKRQUSWOFW43J2YAPXGFTDWP/ https://www.suse.com/security/cve/CVE-2018-14679.html CVE-2018-14679 https://bugzilla.suse.com/1102922 SUSE Bug 1102922 https://bugzilla.suse.com/1103032 SUSE Bug 1103032 https://bugzilla.suse.com/1103040 SUSE Bug 1103040 An issue was discovered in kwajd_read_headers in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file header extensions could cause a one or two byte overwrite. CVE-2018-14681 openSUSE Leap 15.2:libmspack-devel-0.6-lp152.6.3.1 openSUSE Leap 15.2:libmspack0-0.6-lp152.6.3.1 openSUSE Leap 15.2:libmspack0-32bit-0.6-lp152.6.3.1 openSUSE Leap 15.2:mspack-tools-0.6-lp152.6.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CB3MRNYWFKRQUSWOFW43J2YAPXGFTDWP/ https://www.suse.com/security/cve/CVE-2018-14681.html CVE-2018-14681 https://bugzilla.suse.com/1102922 SUSE Bug 1102922 https://bugzilla.suse.com/1103032 SUSE Bug 1103032 https://bugzilla.suse.com/1103040 SUSE Bug 1103040 An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the TOLOWER() macro for CHM decompression. CVE-2018-14682 openSUSE Leap 15.2:libmspack-devel-0.6-lp152.6.3.1 openSUSE Leap 15.2:libmspack0-0.6-lp152.6.3.1 openSUSE Leap 15.2:libmspack0-32bit-0.6-lp152.6.3.1 openSUSE Leap 15.2:mspack-tools-0.6-lp152.6.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CB3MRNYWFKRQUSWOFW43J2YAPXGFTDWP/ https://www.suse.com/security/cve/CVE-2018-14682.html CVE-2018-14682 https://bugzilla.suse.com/1102922 SUSE Bug 1102922 https://bugzilla.suse.com/1103032 SUSE Bug 1103032 https://bugzilla.suse.com/1103040 SUSE Bug 1103040