CVE-2017-6419

Published: 06 August 2017

mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted CHM file.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package Release Status
clamav
Upstream Needs triage
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable (uses system libmspack)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable (uses system libmspack)
Ubuntu 14.04 ESM (Trusty Tahr) Released (0.99.2+addedllvm-0ubuntu0.14.04.2)
Patches:
Upstream: https://github.com/vrtadmin/clamav-devel/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1
libmspack
Upstream Released (0.6-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable (0.6-3)
Ubuntu 16.04 ESM (Xenial Xerus) Released (0.5-1ubuntu0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist (trusty was needed)
Patches:
Upstream: https://github.com/kyz/libmspack/commit/6139a0b9e93fcb7fcf423e56aa825bc869e02229