Hanno Böck
2018-10-22 06:17:35 UTC
New cabextract and libmspack fix a buffer overflow.
Notably libmspack is also used in clamav.
Forwarding the release notes here:
--------------------------
Hello all,
cabextract 1.8 has been released. It greatly improves its ability to
extract damaged files with the "-f" option, and the cabinfo command has
been rewritten.
It also fixes this bug:
* if a CAB file has a Quantum-compressed datablock with exactly 38912
compressed bytes, cabextract will write exactly one byte beyond its
input buffer.
cabextract can be downloaded from https://www.cabextract.org.uk/
SHA256 sums:
2d9b5ba24239ba6eac02bdee6f2fa208bb4d0a14c84ed81792fc35c213140f38
cabextract-1.8-1.i386.rpm
54138e652fa0fa39e021d66b6315994f906cda965ddb786117f28276f135664e
cabextract-1.8-1.src.rpm
082b8ec149babc9ae10b5d6568eb764c67e75c3cfc379b1211b88b980febebd7
cabextract-1.8.tar.gz
libmspack 0.8alpha has also been released.
It adds the new parameter MSCABD_PARAM_SALVAGE which permits salvaging
badly damaged files rather than rejecting them outright.
It fixes several bugs:
* the above 38912-byte Quantum CAB block bug
* libmspack now also rejects blank CHM filenames that are blank because
they have embedded null bytes, not just because they are zero-length
* chmextract now protects you from absolute/relative pathnames in CHM
files
libmspack can be downloaded from
https://www.cabextract.org.uk/libmspack/
SHA256 sum:
0533792e9561375a5fce1bc96bbc65ec778af486e0daa3803b226da9244addaf
libmspack-0.8alpha.tar.gz
If you wish to patch an older version, please look at commits 8759da8,
7cadd48 and 40ef1b4 in the git repository.
Regards
Stuart
--
Hanno Böck
https://hboeck.de/
mail/jabber: ***@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
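
Added example, not part of the original mail and not code from cabextract or libmspack: a minimal C sketch of the two CHM filename checks the release notes describe, rejecting names that are blank because of embedded null bytes and neutralising absolute/relative pathnames before extraction. The function name `safe_member_path`, the treatment of `\` as a separator, and the choice to reject any embedded NUL (stricter than the notes describe) are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not libmspack's API. `name` is a length-prefixed
 * archive member name: `len` bytes, not NUL-terminated, may contain NULs.
 * Writes a safe relative path to `out` and returns 0, or returns -1 if
 * the name must be rejected. */
int safe_member_path(const unsigned char *name, size_t len,
                     char *out, size_t outsz)
{
    size_t i = 0, o = 0;

    /* An embedded NUL makes the C-string view shorter than `len`; with a
     * NUL first the name is blank although len > 0. Assumption: reject
     * every embedded NUL, not only the blank case. */
    if (len == 0 || memchr(name, '\0', len) != NULL)
        return -1;

    while (i < len) {
        /* Skip separators: drops a leading '/' (absolute path) and
         * collapses runs such as "a//b". */
        while (i < len && (name[i] == '/' || name[i] == '\\'))
            i++;
        size_t start = i;
        while (i < len && name[i] != '/' && name[i] != '\\')
            i++;
        size_t n = i - start;
        if (n == 0)
            break;                    /* trailing separator */
        if (n == 1 && name[start] == '.')
            continue;                 /* "." adds nothing */
        if (n == 2 && name[start] == '.' && name[start + 1] == '.')
            return -1;                /* ".." could leave the output dir */
        /* Room for an optional '/', the component and the terminator. */
        if (o + (o ? 1 : 0) + n + 1 > outsz)
            return -1;
        if (o)
            out[o++] = '/';
        memcpy(out + o, name + start, n);
        o += n;
    }
    if (o == 0)
        return -1;                    /* nothing left, e.g. "/" or "./" */
    out[o] = '\0';
    return 0;
}
```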