It was reported [1] that a binary using libmspack will hang when processing a crafted .CAB file.

Upstream patch that fixes this:
http://anonscm.debian.org/cgit/collab-maint/libmspack.git/tree/debian/patches/qtmd-fix-frame_end-overflow.patch

CVE requested at:
http://seclists.org/oss-sec/2015/q1/4

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773041

(In reply to Vasyl Kaigorodov from comment #0)
> It was reported [1] that a binary using libmspack will hang when processing
> a crafted .CAB file.
> Upstream patch that fixes this:
> http://anonscm.debian.org/cgit/collab-maint/libmspack.git/tree/debian/patches/qtmd-fix-frame_end-overflow.patch

It is a local Debian patch, not upstream. Is upstream aware of the problem?

This was assigned CVE-2014-9556: http://seclists.org/oss-sec/2015/q1/85
Created libmspack tracking bugs for this issue:

Affects: fedora-all [bug 1179822]
Affects: epel-all [bug 1179823]

(In reply to Dan Horák from comment #1)
> (In reply to Vasyl Kaigorodov from comment #0)
> > It was reported [1] that a binary using libmspack will hang when processing
> > a crafted .CAB file.
> > Upstream patch that fixes this:
> > http://anonscm.debian.org/cgit/collab-maint/libmspack.git/tree/debian/patches/qtmd-fix-frame_end-overflow.patch
>
> it is a local Debian patch, not upstream. Is upstream aware of the problem?

Unknown; this was reported to oss-sec by Debian. Looking at their bug report it seems that upstream clamav is aware, but I can't tell if they've let upstream libmspack know about it.

libmspack-0.5-0.1.alpha.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
libmspack-0.5-0.1.alpha.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
libmspack-0.5-0.1.alpha.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
libmspack-0.5-0.1.alpha.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
libmspack-0.5-0.1.alpha.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.