CVE-2014-9732

Published: 11 June 2015

The cabd_extract function in cabd.c in libmspack before 0.5 does not properly maintain decompression callbacks in certain cases where an invalid file follows a valid file, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted CAB archive.

From the Ubuntu security team

It was discovered that cabextract incorrectly handled certain malformed CAB files. An attacker could use this issue to cause cabextract to crash, resulting in a denial of service.

Priority

Medium

Status

Package Release Status
cabextract
Launchpad, Ubuntu, Debian
Upstream
Released (1.6-1)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable

Ubuntu 20.10 (Groovy Gorilla) Not vulnerable

Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable

Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable

Ubuntu 14.04 ESM (Trusty Tahr) Needed

libmspack
Launchpad, Ubuntu, Debian
Upstream
Released (0.5-1)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable

Ubuntu 20.10 (Groovy Gorilla) Not vulnerable

Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable

Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needed)