ESB-2018.2246 - [Debian] libmspack: Multiple vulnerabilities 2018-08-03

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2246
                         libmspack security update
                               3 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libmspack
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-14682 CVE-2018-14681 CVE-2018-14680
                   CVE-2018-14679  

Reference:         ESB-2018.2245

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4260

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4260-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 02, 2018                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : libmspack
CVE ID         : CVE-2018-14679 CVE-2018-14680 CVE-2018-14681 CVE-2018-14682
Debian Bug     : 904799 904800 904801 904802

Several vulnerabilities were discovered in libmspack, a library used to
handle Microsoft compression formats. A remote attacker could craft
malicious CAB, CHM or KWAJ files and use these flaws to cause a denial
of service via application crash, or potentially execute arbitrary code.

For the stable distribution (stretch), these problems have been fixed in
version 0.5-1+deb9u2.

We recommend that you upgrade your libmspack packages.

For the detailed security status of libmspack please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libmspack

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----