Bug 1113040 - (CVE-2018-18586) VUL-1: CVE-2018-18586: libmspack: chmextract.c add anti "../" and leading slash protection to chmextract
Status: REOPENED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low; Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/217870/
Reported: 2018-10-24 07:15 UTC by Alexander Bergmann
Modified: 2022-10-27 17:20 UTC
Found By: Security Response Team
Description Alexander Bergmann 2018-10-24 07:15:07 UTC
CVE-2018-18586

FTR, three CVEs were assigned by MITRE, whereas one is explicitly
marked as DISPUTED, because upstream makes clear in the changelog
entry, that the chmextract utility is more an example code how to use
the library rather than "productised" binaries. Still a CVE was
assigned for downstreams using it as such.

Upstream changelog:
2018-10-20  Stuart Caie <kyzer@cabextract.org.uk>
* src/chmextract.c: add anti "../" and leading slash protection to
chmextract. I'm not pleased about this. All the sample code provided
with libmspack is meant to be simple examples of library use, not
"productised" binaries. Making the "useful" code samples install
as binaries was a mistake. They were never intended to protect you
from unpacking archive files with relative/absolute paths, and I
would prefer that they never will be. 

Upstream fix:
https://github.com/kyz/libmspack/commit/7cadd489698be117c47efcadd742651594429e6d

References:
https://www.openwall.com/lists/oss-security/2018/10/23/11
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18586
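
The kind of member-name check the changelog entry describes, as an added example: this is not the upstream commit's code and not part of the original report. `safe_member_name` is a hypothetical helper, the member names are constructed, and '/' is assumed to be the only path separator.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not libmspack code): return a malloc'd copy of an
 * archive member name that cannot escape the extraction directory.
 * Leading and repeated '/' are dropped, and so are "." and ".." path
 * components. Returns NULL if no usable component remains.
 * Assumption: '/' is the only path separator. */
char *safe_member_name(const char *name)
{
    char *out = malloc(strlen(name) + 1);
    size_t o = 0;
    const char *p = name;

    if (!out) return NULL;
    while (*p) {
        while (*p == '/') p++;               /* absolute paths, "a//b" */
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - start);
        if (n == 0) continue;                /* only trailing slashes left */
        if (start[0] == '.' && (n == 1 || (n == 2 && start[1] == '.')))
            continue;                        /* "." or ".." component */
        if (o) out[o++] = '/';
        memcpy(out + o, start, n);
        o += n;
    }
    if (o == 0) { free(out); return NULL; }
    out[o] = '\0';
    return out;
}

int main(void)
{
    /* Constructed member names, as an untrusted archive might list them. */
    const char *names[] = { "/etc/passwd", "../../etc/passwd",
                            "docs/../../x.html", "docs/..notes/a.html", "../.." };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char *safe = safe_member_name(names[i]);
        printf("%-22s -> %s\n", names[i], safe ? safe : "(rejected)");
        free(safe);
    }
    return 0;
}
```

A name such as `docs/..notes/a.html` passes through unchanged, because only whole `.` and `..` components are dropped, not every occurrence of two dots.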
Comment 1 Alexander Bergmann 2018-10-24 07:39:55 UTC
The chmextract tool is part of the mspack-tools RPM, that is not shipped with SLE.

This problem only affects openSUSE code streams.
Comment 2 Swamp Workflow Management 2018-10-26 14:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (1113040) was mentioned in
https://build.opensuse.org/request/show/644862 15.0 / libmspack
Comment 3 Swamp Workflow Management 2018-10-29 09:40:13 UTC
This is an autogenerated message for OBS integration:
This bug (1113040) was mentioned in
https://build.opensuse.org/request/show/645188 15.0 / libmspack
https://build.opensuse.org/request/show/645191 42.3 / libmspack
Comment 4 Swamp Workflow Management 2018-10-30 11:13:53 UTC
openSUSE-SU-2018:3562-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1113038,1113039,1113040
CVE References: CVE-2018-18584,CVE-2018-18585,CVE-2018-18586
Sources used:
openSUSE Leap 42.3 (src):    libmspack-0.5-8.3.1
Comment 5 Alexandros Toptsoglou 2020-04-24 14:04:33 UTC
Leap 15.1 seems affected
Comment 7 Swamp Workflow Management 2022-01-13 17:17:09 UTC
SUSE-SU-2022:0069-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1113040
CVE References: CVE-2018-18586
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    libmspack-0.6-3.14.1
SUSE MicroOS 5.0 (src):    libmspack-0.6-3.14.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libmspack-0.6-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2022-01-13 17:24:52 UTC
openSUSE-SU-2022:0069-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1113040
CVE References: CVE-2018-18586
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    libmspack-0.6-3.14.1
Comment 9 Swamp Workflow Management 2022-02-18 14:23:51 UTC
openSUSE-SU-2022:0069-2: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1113040
CVE References: CVE-2018-18586
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    libmspack-0.6-3.14.1
Comment 10 Swamp Workflow Management 2022-02-18 14:30:57 UTC
SUSE-SU-2022:0069-2: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1113040
CVE References: CVE-2018-18586
JIRA References: 
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    libmspack-0.6-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Stanislav Brabec 2022-03-21 01:21:52 UTC
Released.
Comment 12 Gianluca Gabrielli 2022-03-21 09:46:47 UTC
Hi Stanislav,

please never close security-related issues yourself, instead re-assign them back to security-team@suse.de.

I still see SUSE:SLE-12:Update/libmspack flagged as affected in our tracking tool, that should mean that a submission is missing. Please review.
Comment 13 David Anes 2022-10-27 17:20:23 UTC
Sent the fix to the missing codestream here:
* SUSE:SLE-12:Update/libmspack: https://build.suse.de/request/show/283290

Thanks Gianluca for pointing out the missing codestream, assigning back to Security for review.