CVE-2017-11423

Published: 18 July 2017

The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2 and other products, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted CAB file.

Priority

Medium

CVSS 3 base score: 5.5

Status

Package: clamav (Launchpad, Ubuntu, Debian)

Release    Status
artful     Not vulnerable (uses system libmspack)
bionic     Not vulnerable (uses system libmspack)
cosmic     Not vulnerable (uses system libmspack)
disco      Not vulnerable (uses system libmspack)
precise    Not vulnerable (code not present)
trusty     Not vulnerable (code not present)
upstream   Needs triage
xenial     Not vulnerable (uses system libmspack)
zesty      Not vulnerable (uses system libmspack)

Patches:
upstream: https://github.com/vrtadmin/clamav-devel/commit/ffa31264a657618a0e40c51c01e4bfc32e244d13
upstream: https://github.com/vrtadmin/clamav-devel/commit/ada5f94e5cfb04e1ac2a6f383f2184753f475b96

Package: libmspack (Launchpad, Ubuntu, Debian)

Release    Status
artful     Not vulnerable (0.6-3)
bionic     Not vulnerable (0.6-3)
cosmic     Not vulnerable (0.6-3)
disco      Not vulnerable (0.6-3)
precise    Does not exist
trusty     Does not exist (trusty was needed)
upstream   Released (0.6-1)
xenial     Released (0.5-1ubuntu0.16.04.1)
yakkety    Ignored (reached end-of-life)
zesty      Released (0.5-1ubuntu0.17.04.1)

Patches:
upstream: https://github.com/kyz/libmspack/commit/17038206fcc384dcee6dd9e3a75f08fd3ddc6a38