CVE-2017-11423

Name	CVE-2017-11423
Description	The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2 and other products, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted CAB file.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-1279-1, DSA-3946-1
Debian Bugs	868956

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
clamav (PTS)	bullseye	0.103.10+dfsg-0+deb11u1	fixed
	bookworm	1.0.7+dfsg-1~deb12u1	fixed
	sid, trixie	1.4.1+dfsg-1	fixed
libmspack (PTS)	bullseye	0.10.1-2	fixed
	bookworm	0.11-1	fixed
	sid, trixie	0.11-1.1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
clamav	source	wheezy	0.99.2+dfsg-0+deb7u5		DLA-1279-1
clamav	source	stretch	0.99.4+dfsg-1+deb9u1
clamav	source	(unstable)	0.99.3~beta1+dfsg-1	unimportant
libmspack	source	jessie	0.5-1+deb8u1		DSA-3946-1
libmspack	source	stretch	0.5-1+deb9u1		DSA-3946-1
libmspack	source	(unstable)	0.6-1			868956

Notes

https://bugzilla.clamav.net/show_bug.cgi?id=11873 (not public)
https://github.com/kyz/libmspack/commit/17038206fcc384dcee6dd9e3a75f08fd3ddc6a38
https://github.com/hackerlib/hackerlib-vul/tree/master/clamav-vul
ClamAV: https://github.com/vrtadmin/clamav-devel/commit/ffa31264a657618a0e40c51c01e4bfc32e244d13
ClamaV: https://github.com/vrtadmin/clamav-devel/commit/ada5f94e5cfb04e1ac2a6f383f2184753f475b96
ClamAV uses the libmspack system library when available. This is the
case from starting from Debian Jessie. Debian Wheezy does not have
libmspack and thus need to have the fix as well in the src:clamav source package.