Bug 1472776 (CVE-2017-11423)

Summary: CVE-2017-11423 libmspack, clamav: Stack-based buffer over-read in cabd_read_string function
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: dan, gbcox, janfrode, j, ondrejj, orion, redhat-bugzilla, rhbugs, rjones, sergio, steve, tis
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Last Closed: 2018-09-26 05:45:22 UTC
Bug Depends On: 1472777, 1472778, 1483999, 1484000

Description Adam Mariš 2017-07-19 11:45:58 UTC
The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha,
as used in ClamAV 0.99.2 and other products, allows remote attackers to
cause a denial of service (stack-based buffer over-read and application
crash) via a crafted CAB file.

Reference:

https://github.com/hackerlib/hackerlib-vul/tree/master/clamav-vul

Upstream bug:

https://bugzilla.clamav.net/show_bug.cgi?id=11873

Comment 1 Adam Mariš 2017-07-19 11:46:28 UTC
Created clamav tracking bugs for this issue:

Affects: epel-all [bug 1472777]
Affects: fedora-all [bug 1472778]

Comment 2 Sergio Basto 2017-07-19 11:50:12 UTC
Adam Mariš, can I (sergio) have permission to look at
https://bugzilla.clamav.net/show_bug.cgi?id=11873 ?

Thanks

Comment 3 Adam Mariš 2017-08-22 11:18:05 UTC
(In reply to Sergio Monteiro Basto from comment #2)
> Adam Mariš, can I (sergio) have permission to look at
> https://bugzilla.clamav.net/show_bug.cgi?id=11873 ?
> 
> Thanks

Sorry, I can't help you with that. Neither do I have access there.

Comment 4 Adam Mariš 2017-08-22 12:46:01 UTC
Created libmspack tracking bugs for this issue:

Affects: fedora-all [bug 1483999]

Comment 5 Adam Mariš 2017-08-22 12:48:03 UTC
Created libmspack tracking bugs for this issue:

Affects: epel-all [bug 1484000]

Comment 6 Tuomo Soini 2017-09-20 17:21:25 UTC
Adam, rhel7 tracking bug is still missing?

Comment 7 Sergio Basto 2018-01-11 04:03:23 UTC
The clamav source, clean and not clean, does not contain any cabd_read_string function, nor libclamav/libmspack.c, only libclamav/mspack.c [2]; i.e. those functions are only available in version 0.99.3 [3].
Anyway, maybe it is also applicable to libmspack itself [1].

[1]
https://apps.fedoraproject.org/packages/libmspack

[2]
https://github.com/vrtadmin/clamav-devel/blob/0.99.2/libclamav/mspack.c

[3]
https://github.com/vrtadmin/clamav-devel/tree/0.99.3/libclamav