FreshPorts -- The Place For Ports If you buy from Amazon USA, please support us by using this link.
Follow us
Blog
Twitter

I am looking for an LTO tape library. Do you have one to spare?
Commit found by message id
Thu, 29 Jul 2010
[ 22:45:51 gabor ] Original commit 
cabextract archivers files touched by this commit  An older version of this port was marked as vulnerable. Program to extract Microsoft cabinet (.CAB) files
Update to 1.3, which fixes two security bugs. Detailed description
from the author follows.

Bug 1: Infinite loop in MS-ZIP decoder [1]

The MS-ZIP and Quantum decoders read bits in roughly the same way as the LZX
decoder, however they don't have "inject two fake bytes" code.

In the situation where read() provides zero bytes, e.g. at the end of file or
end of a CAB block, the LZX decoder handles this by injecting two fake bytes,
then returns an error on subsequent calls. MS-ZIP and Quantum instead return
zero bytes without error. However, all three decoders are written to presume
they will get at least one byte. So this could lead to an infinite loop in
MS-ZIP and Quantum. An infinite loop has definitely been seen in MS-ZIP -
there is a while loop in inflate() of an uncompressed block (block type 0)
which won't end until enough input is provided.

Partial solution: change "if (read < 0)" to "if (read <= 0)" in mszipd.c and
qtmd.c.
-
http://libmspack.svn.sourceforge.net/viewvc/libmspack?view=revision&revision=90

However, this breaks compatibility with a number of MS-ZIP/Quantum encoded
files. A full solution would be to implement the same bit-reading system as
LZX. I've done this now, merging all the bit-reading and huffman-reading
code into two new files; readbits.h and readhuff.h
-
http://libmspack.svn.sourceforge.net/viewvc/libmspack?view=revision&revision=95

There are several further changes made to integrate readbits.h and readhuff.h,
I recommend you look at the latest version in the source repository.
- http://libmspack.svn.sourceforge.net/viewvc/libmspack/libmspack/trunk/mspack/

Bug 2: Segmentation fault in "cabextract -t"

This bug may not affect you, depending on your implementation of
mspack_system->write(). It does cause a segfault in cabextract's
cabx_write() in "-t" (test archive) mode.

In the Quantum decoder, when the window wrap is reached, all currently
unwritten data is flushed to disk. Sometimes, less data is needed than
is flushed, which makes the variable out_bytes negative.

When the main decoding loop finishes, a final call to write() is made if
out_bytes is not zero. In that situation, it calls mspack_system->write() with
a negative byte count, e.g. -129 bytes. You should reject this. In
cabextract's "-t" mode, this is not caught, but instead converted to an
unsigned integer and passed to md5_process_bytes(), which tries to
read e.g. 4294967167 bytes, causing it to read beyond the end of
valid process space and thus segfault.

Solution:
- Break out to the end of the decoding loop immediately if the flush would be
more than needed.
  
http://libmspack.svn.sourceforge.net/viewvc/libmspack/libmspack/trunk/mspack/qtmd.c?r1=114&r2=113
- Add checking of the "bytes" argument in mspack_system read() / write()
implementations, just to be sure.
  
http://libmspack.svn.sourceforge.net/viewvc/libmspack?view=revision&revision=118

Security:       SA40719 [1]

Number of ports [& non-ports] in this commit: 1

show all files

Login
User Login
Create account

Servers and bandwidth provided by
New York Internet, SuperNews, and RootBSD

This site
What is FreshPorts?
About the authors
FAQ
How big is it?
The latest upgrade!
Privacy
Forums
Blog
Contact

Search
Enter Keywords:
 
more...

Latest Vulnerabilities
bugzilla40*Apr 18
bugzilla40*Apr 18
bugzilla42*Apr 18
bugzilla42*Apr 18
bugzilla44*Apr 18
bugzilla44*Apr 18
curlApr 11
dbus-glibApr 11
libaudiofileApr 11
linux-f10-curlApr 11
linux-f10-dbus-glibApr 11
linux-f10-libaudiofileApr 11
linux-f10-nas-libsApr 11
linux-f10-openldapApr 11
mingw32-openssl*Apr 11

13 vulnerabilities affecting 18 ports have been reported in the past 14 days

* - modified, not new

All vulnerabilities


Ports
Home
Categories
Deleted ports
Sanity Test Failures
Newsfeeds


Statistics
Graphs
NEW Graphs (Javascript)
Traffic

Calculated hourly:
Port count 24365
Broken 174
Deprecated 86
Ignore 528
Forbidden 6
Restricted 263
No CDROM 108
Vulnerable 29
Expired 8
Set to expire 73
Interactive 22
new 24 hours 3
new 48 hours6
new 7 days18
new fortnight40
new month144


Servers and bandwidth provided by
New York Internet, SuperNews, and RootBSD
Valid HTML, CSS, and RSS.
Copyright © 2000-2014 Dan Langille. All rights reserved.