Versions of gcab <= 7.4 are vulnerable to a stack-based buffer overflow when extracting maliciously constructed .cab files. An attacker could potentially exploit this to execute arbitrary code.
Upstream would like to make a new release before the holidays, but obviously would like to include the fix with the new tarball. Can we get some guidance on what we should do? Thanks.
Created gcab tracking bugs for this issue:
Affects: fedora-all [bug 1528141]
Hi Sam Fowler, hi Richard,
Would it be possible to open up the original bug report? This has restricted access and there is no reference to either an upstream commit fixing the issue or an upstream bug.
Is this bug about https://git.gnome.org/browse/gcab/commit/?id=c512f6ff0c82a1139b36db2b28f93edc01c74b4b ?
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2018:0350 https://access.redhat.com/errata/RHSA-2018:0350