Unrated severityNVD Advisory· Published Oct 23, 2018· Updated Aug 5, 2024

CVE-2018-18586

Description

chmextract.c in the chmextract sample program, as distributed with libmspack before 0.8alpha, does not protect against absolute/relative pathnames in CHM files, leading to Directory Traversal. NOTE: the vendor disputes that this is a libmspack vulnerability, because chmextract.c was only intended as a source-code example, not a supported application

Affected products

osv-coords8 versions
pkg:rpm/opensuse/libmspack&distro=openSUSE%20Leap%2015.3 pkg:rpm/suse/libmspack&distro=SUSE%20Linux%20Enterprise%20Micro%205.0 pkg:rpm/suse/libmspack&distro=SUSE%20Linux%20Enterprise%20Micro%205.1 pkg:rpm/suse/libmspack&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3 pkg:rpm/suse/libmspack&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP2 pkg:rpm/suse/libmspack&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/libmspack&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/libmspack&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5
< 0.6-3.14.1+ 7 more
- (no CPE)range: < 0.6-3.14.1
- (no CPE)range: < 0.6-3.14.1
- (no CPE)range: < 0.6-3.14.1
- (no CPE)range: < 0.6-3.14.1
- (no CPE)range: < 0.6-3.14.1
- (no CPE)range: < 0.4-15.13.1
- (no CPE)range: < 0.4-15.13.1
- (no CPE)range: < 0.4-15.13.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

security.gentoo.org/glsa/201903-20mitrevendor-advisoryx_refsource_GENTOO
bugs.debian.org/911639mitrex_refsource_MISC
github.com/kyz/libmspack/commit/7cadd489698be117c47efcadd742651594429e6dmitrex_refsource_MISC
www.openwall.com/lists/oss-security/2018/10/22/1mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000