https://bugzilla.novell.com/show_bug.cgi?id=660942
https://bugzilla.novell.com/show_bug.cgi?id=660942#c0

Summary: Investigate cabextract/libmspack update
Classification: openSUSE
Product: openSUSE 11.4
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: andreas.hanke@gmx-topmail.de
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20101221 Firefox/4.0b9pre

cabextract-1.2 contains in its mspack/ subdir an exact subset of the code of libmspack-0.0.20060920alpha.

cabextract-1.3 contains in its mspack/ subdir an exact subset of the code of libmspack-0.2alpha.

In factory we have cabextract-1.3 and libmspack-0.0.20060920alpha.

In the cabextract changelog we have

- updated to version 1.3:
  * Bugs in the MS-ZIP and Quantum decompressors have been fixed. This fixes two security vulnerabilities: a segfault when testing a specific Quantum archive, and an infinite loop when testing or extracting a badly-formed MSZIP archive.

So cabextract is fixed, but libmspack is not.

Please investigate whether libmspack should be updated and whether cabextract should be changed to use libmspack (build cabextract with ./configure --with-external-libmspack) to prevent this from happening again.

See also https://bugzilla.redhat.com/show_bug.cgi?id=628147

Reproducible: Always
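
Added example, not part of the original report and not code from cabextract or libmspack: one way to run the comparison the report describes, checking in Python whether a bundled source directory is an exact subset of an unpacked upstream release tree. The function names and the file names and contents in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_digests(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_bundled(bundled_dir, upstream_dir):
    """Classify every bundled file against the upstream tree."""
    bundled, upstream = tree_digests(bundled_dir), tree_digests(upstream_dir)
    report = {"identical": [], "modified": [], "bundled_only": []}
    for rel, digest in bundled.items():
        if rel not in upstream:
            report["bundled_only"].append(rel)   # no upstream counterpart
        elif upstream[rel] == digest:
            report["identical"].append(rel)      # byte-for-byte copy
        else:
            report["modified"].append(rel)       # same name, different code
    return report


def is_exact_subset(report):
    """True when every bundled file is an unmodified copy of an upstream file."""
    return bool(report["identical"]) and not (report["modified"] or report["bundled_only"])


def demo():
    # Constructed trees: "old" and "new" stand in for two upstream releases,
    # "bundled" for a copy taken from the newer one.
    trees = {
        "old": {"decoder_a.c": "old a\n", "decoder_b.c": "old b\n", "other.c": "same\n"},
        "new": {"decoder_a.c": "fixed a\n", "decoder_b.c": "fixed b\n", "other.c": "same\n"},
        "bundled": {"decoder_a.c": "fixed a\n", "decoder_b.c": "fixed b\n"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for tree, files in trees.items():
            (Path(tmp) / tree).mkdir()
            for name, text in files.items():
                (Path(tmp) / tree / name).write_text(text)
        vs_new = compare_bundled(Path(tmp) / "bundled", Path(tmp) / "new")
        vs_old = compare_bundled(Path(tmp) / "bundled", Path(tmp) / "old")
        return is_exact_subset(vs_new), is_exact_subset(vs_old), vs_old["modified"]


if __name__ == "__main__":
    print(demo())
```

A bundled tree that is an exact subset of a newer release than the packaged library, with files listed as modified against the packaged version, is the drift the report points out.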