Versions of gcab <= 7.4 are vulnerable to a stack-based buffer overflow when extracting maliciously constructed .cab files. An attacker could potentially exploit this to execute arbitrary code. Original bug: https://bugzilla.redhat.com/show_bug.cgi?id=1527062
Upstream would like to make a new release before the holidays, but obviously would like to include the fix with the new tarball. Can we get some guidance on what we should do? Thanks.
Created gcab tracking bugs for this issue: Affects: fedora-all [bug 1528141]
Hi Sam Fowler, hi Richard, would it be possible to open up the original bug report? This has restricted access and there is no reference to either an upstream commit fixing the issue or an upstream bug. Is this bug about https://git.gnome.org/browse/gcab/commit/?id=c512f6ff0c82a1139b36db2b28f93edc01c74b4b ? Regards, Salvatore
FTR: https://git.gnome.org/browse/gcab/commit/?id=bd2abee5f0a9b5cbe3a1ab1f338c4fb8f6ca797b
This issue has been addressed in the following products: Red Hat Enterprise Linux 7, via RHSA-2018:0350 https://access.redhat.com/errata/RHSA-2018:0350