CVE-2017-11423

Published: 18 July 2017

The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2 and other products, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted CAB file.

Priority

Medium

CVSS 3 base score: 5.5

Status

Package Release Status
clamav
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(uses system libmspack)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(uses system libmspack)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(code not present)
Patches:
Upstream: https://github.com/vrtadmin/clamav-devel/commit/ffa31264a657618a0e40c51c01e4bfc32e244d13
Upstream: https://github.com/vrtadmin/clamav-devel/commit/ada5f94e5cfb04e1ac2a6f383f2184753f475b96
libmspack
Launchpad, Ubuntu, Debian
Upstream
Released (0.6-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(0.6-3)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (0.5-1ubuntu0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needed)
Patches:
Upstream: https://github.com/kyz/libmspack/commit/17038206fcc384dcee6dd9e3a75f08fd3ddc6a38