[Pkg-clamav-devel] Bug#868956: libmspack: CVE-2017-11423
Stuart Caie
kyzer at cabextract.org.uk
Sun Aug 6 09:22:11 UTC 2017
On 05/08/17 10:36, Stuart Caie wrote:
> libmspack is wrong to convert to unsigned without checking for errors first.
>
> When I get to my computer, I'll check all calls to mspack_system read/write/seek/tell methods, to be sure this doesn't happen anywhere else.
I checked all the other mspack_system calls, they're handled correctly.
Committed a fix:
https://github.com/kyz/libmspack/commit/17038206fcc384dcee6dd9e3a75f08fd3ddc6a38
I'll put out a release in the near future.
Before fix, allowing N reads before always failing in cabd_memory.c sys->read():
Allow 3 reads -> mspack/cabd.c:528 (cabd_read_string) len=4294967295
Allow 4 reads -> mspack/cabd.c:528 (cabd_read_string) len=193
Allow 5 reads -> mspack/cabd.c:528 (cabd_read_string) len=193
                 mspack/cabd.c:528 (cabd_read_string) len=4294967295
Allow 6 reads -> mspack/cabd.c:528 (cabd_read_string) len=193
                 mspack/cabd.c:528 (cabd_read_string) len=169
After fix:
Allowing 3 reads -> error caught and no len printed
Allowing 4 reads -> mspack/cabd.c:531 (cabd_read_string) len=193
Allowing 5 reads -> mspack/cabd.c:531 (cabd_read_string) len=193, error caught and no len printed
Allowing 6 reads -> mspack/cabd.c:531 (cabd_read_string) len=193
                    mspack/cabd.c:531 (cabd_read_string) len=169
Regards
Stuart
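The bug class discussed in this thread, as an added illustration that is not libmspack's code and not part of the original message: a read callback that reports failure with a signed -1 has its return value stored straight into an unsigned length, so the error becomes 4294967295 (UINT_MAX) and is used as if it were a valid length. The names `fake_fh`, `fake_read`, `read_len_unchecked` and `read_len_checked` are assumptions made for this example; `fake_read` is a constructed stand-in for an mspack_system-style `read()` that succeeds for a fixed number of calls and then always fails, mirroring the "allow N reads" harness described above. The unchecked variant returns the length the caller would have used; the checked variant rejects the negative return before any conversion.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an mspack_system-style read callback (hypothetical):
 * succeeds for the first `allowed` calls, then fails with a signed -1. */
struct fake_fh {
    int allowed;   /* reads still permitted before forced failure */
    int calls;     /* reads issued so far */
};

static int fake_read(struct fake_fh *fh, void *buf, int bytes) {
    if (fh->calls++ >= fh->allowed)
        return -1;                              /* I/O error, signalled as -1 */
    memset(buf, 'A', (size_t)bytes);            /* constructed payload bytes */
    return bytes;                               /* bytes actually read */
}

/* BEFORE: the signed result is stored directly into an unsigned length.
 * -1 silently becomes UINT_MAX (4294967295 with 32-bit unsigned int),
 * and nothing downstream can tell that a read error happened. */
unsigned int read_len_unchecked(struct fake_fh *fh) {
    unsigned char buf[256];
    unsigned int len = fake_read(fh, buf, (int)sizeof buf);   /* sign lost here */
    return len;
}

/* AFTER: keep the signed type and reject the error before the value is
 * ever used as a length. Returns -1 on read error, otherwise the length. */
int read_len_checked(struct fake_fh *fh) {
    unsigned char buf[256];
    int len = fake_read(fh, buf, (int)sizeof buf);
    if (len < 0)
        return -1;                              /* error caught, no len used */
    return len;
}

int main(void) {
    struct fake_fh fail_now = {0, 0};           /* every read fails */
    struct fake_fh one_ok   = {1, 0};           /* one read succeeds */

    printf("unchecked, read fails:    len=%u\n", read_len_unchecked(&fail_now));
    printf("unchecked, read succeeds: len=%u\n", read_len_unchecked(&one_ok));

    fail_now.calls = 0; one_ok.calls = 0;
    printf("checked,   read fails:    %d (error caught)\n", read_len_checked(&fail_now));
    printf("checked,   read succeeds: %d\n", read_len_checked(&one_ok));
    return 0;
}
```

The same pattern applies to any callback whose error is encoded in the sign of the return value: the comparison against zero has to happen on the signed type, before the value is assigned to a `size_t`, `unsigned int` or other unsigned length that a later bounds check will trust.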