Bug 934526 - (CVE-2015-4468) VUL-1: CVE-2015-4468,CVE-2015-4469: cabextract,libmspack: libmspack: pointer arithmetic overflow during CHM decompression
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware/OS: Other / Other
Priority: P4 - Low
Severity: Minor
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/117581/
CVSSv2: NVD:CVE-2015-4468:4.3:(AV:N/AC...
Reported: 2015-06-12 09:24 UTC by Andreas Stieger
Modified: 2020-09-23 15:48 UTC
Found By: Security Response Team
Blocker: ---
Description Andreas Stieger 2015-06-12 09:24:25 UTC
The chmd_read_headers function in chmd.c in libmspack before 0.5 does not
validate name lengths, which allows remote attackers to cause a denial of
service (buffer over-read and application crash) via a crafted CHM file.
> CHM decompression: pointer arithmetic overflow
>  - https://bugs.debian.org/774726

Relative to the
http://anonscm.debian.org/cgit/collab-maint/libmspack.git/commit/?id=a25bb144795e526748b57884daf365732c7e2295
commit, use CVE-2015-4468 for the issues resolved by
fix-pointer-arithmetic-overflow.patch and use CVE-2015-4469 for the
issue resolved by fix-name-field-boundaries.patch. (Note that these
were originally combined within the diff included in the
https://bugs.debian.org/774726#3 message.) The
fix-name-field-boundaries.patch is about missing input validation and
can't have the same CVE ID as the two cases where the only change was
from a "p + name_len > end" test to a "name_len > end - p" test.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1180177
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4469
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4468
http://seclists.org/oss-sec/2015/q2/691
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774726
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774726#3
http://anonscm.debian.org/cgit/collab-maint/libmspack.git/diff/debian/patches/fix-pointer-arithmetic-overflow.patch?id=a25bb144795e526748b57884daf365732c7e2295
http://anonscm.debian.org/cgit/collab-maint/libmspack.git/commit/?id=a25bb144795e526748b57884daf365732c7e2295
http://anonscm.debian.org/cgit/collab-maint/libmspack.git/diff/debian/patches/fix-name-field-boundaries.patch?id=a25bb144795e526748b57884daf365732c7e2295

For SLE 11, this needs to be fixed libmspack and cabextract.
For SLE 12, cabextract builds --with-external-libmspack, so only libmspack needs to be fixed.
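Added illustration of the two check shapes named in the description (this is example code written for this page, not libmspack source and not the Debian or upstream patch; the entry layout it parses is a constructed one-byte-length format, not the real CHM directory encoding). It shows why a bounds test written as "p + name_len > end" can be defeated by an attacker-chosen length that wraps the pointer, while "name_len > end - p" never forms an out-of-range pointer, and it walks a constructed chunk with the safe form so a truncated name field is rejected instead of over-read:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified entry layout for illustration only; this is NOT
 * the real CHM PMGL/PMGI directory encoding:
 *   1 byte          name_len
 *   name_len bytes  name
 * repeated until the chunk ends. */

/* The check shape the patch replaced.  Forming p + len first means an
 * attacker-chosen len can wrap the pointer so that it compares as "inside"
 * the buffer.  Pointer overflow is undefined behaviour in C, so the sum is
 * computed in uintptr_t here to make the wrap deterministic for the demo. */
static int unsafe_name_fits(const unsigned char *p, size_t len,
                            const unsigned char *end)
{
    uintptr_t sum = (uintptr_t)p + (uintptr_t)len;   /* may wrap to a small value */
    return !(sum > (uintptr_t)end);
}

/* The check shape the patch introduced ("name_len > end - p"): no
 * out-of-range pointer is ever formed; len is compared with the number of
 * bytes that actually remain. */
static int safe_name_fits(const unsigned char *p, size_t len,
                          const unsigned char *end)
{
    if (p > end)
        return 0;
    return !(len > (size_t)(end - p));
}

/* Walk a chunk using the safe check.  Copies up to max_names names
 * (truncated to 15 chars) and returns the entry count, or -1 if any
 * length field would run past the end of the chunk. */
int parse_chunk(const unsigned char *chunk, size_t chunk_len,
                char names[][16], int max_names)
{
    const unsigned char *p = chunk, *end = chunk + chunk_len;
    int n = 0;

    while (p < end) {
        size_t len = *p++;
        if (!safe_name_fits(p, len, end))
            return -1;                       /* would read past the chunk */
        if (n < max_names) {
            size_t c = len < 15 ? len : 15;
            memcpy(names[n], p, c);
            names[n][c] = '\0';
        }
        n++;
        p += len;
    }
    return n;
}

/* Shows why the old check was insufficient: choose len so that p + len
 * wraps to 0.  Returns 1 when the unsafe check accepts that length and
 * the safe check rejects it (assumes size_t and uintptr_t have the same
 * width, as on common platforms). */
int wrap_demo(void)
{
    static unsigned char buf[8];
    const unsigned char *p = buf, *end = buf + sizeof buf;
    size_t len = (size_t)(0 - (uintptr_t)p);   /* huge: p + len == 0 mod 2^N */

    return unsafe_name_fits(p, len, end) && !safe_name_fits(p, len, end);
}

/* Constructed sample chunks. */
const unsigned char good_chunk[] = { 3, 'a', 'b', 'c', 2, 'd', 'e' };
const unsigned char bad_chunk[]  = { 5, 'a', 'b' };   /* claims 5 bytes, has 2 */

int main(void)
{
    char names[4][16];
    printf("good: %d entries\n", parse_chunk(good_chunk, sizeof good_chunk, names, 4));
    printf("bad:  %d\n", parse_chunk(bad_chunk, sizeof bad_chunk, names, 4));
    printf("old check fooled by wrapping length: %s\n", wrap_demo() ? "yes" : "no");
    return 0;
}
```

The second fix mentioned above (fix-name-field-boundaries.patch) is the case where no check exists at all; parse_chunk without the safe_name_fits call is exactly that situation, and memcpy would then read past the chunk on bad_chunk.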
Comment 1 Swamp Workflow Management 2015-06-12 09:40:51 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2015-07-10.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61986
Comment 2 Swamp Workflow Management 2015-06-12 22:02:23 UTC
bugbot adjusting priority
Comment 3 Stanislav Brabec 2015-06-15 18:14:56 UTC
Taking fix-name-field-boundaries.patch and fix-pointer-arithmetic-overflow.patch from Debian.
Comment 4 Stanislav Brabec 2015-06-15 19:28:19 UTC
Upstream merged both these fixes into one commit and added explicit retyping:
https://github.com/kyz/libmspack/commit/5692b75a21bf71dd86ac84bcfeb9ce8c0830658e

Maybe it makes sense to take this patch.
Comment 6 Stanislav Brabec 2015-06-16 18:40:17 UTC
I worked on backporting to SLE11 today, and it seems that the fix from fix-pointer-arithmetic-overflow.patch does not affect SLE11 libmspack. fix-name-field-boundaries.patch does.

The code was significantly different, and needed rewrite.

Note that the check was not even incorrectly written, but it was completely missing there.

https://build.suse.de/project/show/home:sbrabec:branches:libmspack-security-sle11
Comment 7 Stanislav Brabec 2015-06-16 19:09:56 UTC
Done.

https://build.suse.de/project/show/home:sbrabec:branches:libmspack-security-sle11
libmspack: https://build.suse.de/request/show/60558
cabextract: not affected, CHM decompression is not implemented
Comment 13 Swamp Workflow Management 2015-12-07 17:12:04 UTC
SUSE-SU-2015:2215-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 934524,934525,934526,934527,934528,934529
CVE References: CVE-2014-9732,CVE-2015-4467,CVE-2015-4469,CVE-2015-4470,CVE-2015-4471,CVE-2015-4472
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Server 11-SP4 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Server 11-SP3 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libmspack-0.0.20060920alpha-74.10.1
Comment 14 Swamp Workflow Management 2016-01-04 13:13:23 UTC
SUSE-SU-2016:0011-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 934524,934525,934526,934527,934528,934529
CVE References: CVE-2014-9732,CVE-2015-4467,CVE-2015-4468,CVE-2015-4469,CVE-2015-4470,CVE-2015-4471,CVE-2015-4472
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libmspack-0.4-14.4
SUSE Linux Enterprise Software Development Kit 12 (src):    libmspack-0.4-14.4
SUSE Linux Enterprise Server 12-SP1 (src):    libmspack-0.4-14.4
SUSE Linux Enterprise Server 12 (src):    libmspack-0.4-14.4
SUSE Linux Enterprise Desktop 12-SP1 (src):    libmspack-0.4-14.4
SUSE Linux Enterprise Desktop 12 (src):    libmspack-0.4-14.4
Comment 15 Wolfgang Frisch 2020-09-23 15:48:51 UTC
Released.