** DISPUTED ** chmextract.c in the chmextract sample program, as distributed with libmspack before 0.8alpha, does not protect against absolute/relative pathnames in CHM files, leading to Directory Traversal. NOTE: the vendor disputes that this is a libmspack vulnerability, because chmextract.c was only intended as a source-code example, not a supported application. Upstream patch: https://github.com/kyz/libmspack/commit/7cadd489698be117c47efcadd742651594429e6d References: https://www.openwall.com/lists/oss-security/2018/10/22/1
Statement: This issue did not affect the versions of libmspack as shipped with Red Hat Enterprise Linux 7.