Security update for libmspack SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:0069-2 Final 1 1 2022-02-18T08:29:06Z current 2022-02-18T08:29:06Z 2022-02-18T08:29:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libmspack This update for libmspack fixes the following issues: - CVE-2018-18586: Fixed directory traversal in chmextract by adding anti '../' and leading slash protection (bsc#1113040). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container rancher/elemental-teal-iso/5.4:latest-2022-69,Container rancher/elemental-teal-rt/5.3:latest-2022-69,Container rancher/elemental-teal-rt/5.4:latest-2022-69,Container rancher/elemental-teal/5.3:latest-2022-69,Container rancher/elemental-teal/5.4:latest-2022-69,Container suse/sle-micro-rancher/5.2:latest-2022-69,Container suse/sle-micro-rancher/5.3:latest-2022-69,Container suse/sle-micro-rancher/5.4:latest-2022-69,Image SLES15-SAP-Azure-LI-BYOS-Production-2022-69,Image SLES15-SAP-Azure-VLI-BYOS-Production-2022-69,Image SLES15-SP1-SAP-Azure-LI-BYOS-Production-2022-69,Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production-2022-69,Image SLES15-SP2-SAP-Azure-LI-BYOS-Production-2022-69,Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production-2022-69,Image SLES15-SP3-CHOST-BYOS-SAP-CCloud-2022-69,Image SLES15-SP3-SAP-Azure-LI-BYOS-Production-2022-69,Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production-2022-69,Image SLES15-SP4-CHOST-BYOS-SAP-CCloud-2022-69,Image SLES15-SP4-SAP-Azure-LI-BYOS-2022-69,Image SLES15-SP4-SAP-Azure-LI-BYOS-Production-2022-69,Image SLES15-SP4-SAP-Azure-VLI-BYOS-2022-69,Image SLES15-SP4-SAP-Azure-VLI-BYOS-Production-2022-69,Image SLES15-SP5-CHOST-BYOS-SAP-CCloud-2022-69,SUSE-2022-69,SUSE-SLE-Product-RT-15-SP2-2022-69 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20220069-2/ Link for SUSE-SU-2022:0069-2 https://lists.suse.com/pipermail/sle-security-updates/2022-February/010258.html E-Mail link for SUSE-SU-2022:0069-2 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1113040 SUSE Bug 1113040 https://www.suse.com/security/cve/CVE-2018-18586/ SUSE CVE CVE-2018-18586 page Container rancher/elemental-teal-iso/5.4:latest Container rancher/elemental-teal-rt/5.3:latest Container rancher/elemental-teal-rt/5.4:latest Container rancher/elemental-teal/5.3:latest Container rancher/elemental-teal/5.4:latest Container suse/sle-micro-rancher/5.2:latest Container suse/sle-micro-rancher/5.3:latest Container suse/sle-micro-rancher/5.4:latest Image SLES15-SAP-Azure-LI-BYOS-Production Image SLES15-SAP-Azure-VLI-BYOS-Production Image SLES15-SP1-SAP-Azure-LI-BYOS-Production Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production Image SLES15-SP2-SAP-Azure-LI-BYOS-Production Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production Image SLES15-SP3-CHOST-BYOS-SAP-CCloud Image SLES15-SP3-SAP-Azure-LI-BYOS-Production Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production Image SLES15-SP4-CHOST-BYOS-SAP-CCloud Image SLES15-SP4-SAP-Azure-LI-BYOS Image SLES15-SP4-SAP-Azure-LI-BYOS-Production Image SLES15-SP4-SAP-Azure-VLI-BYOS Image SLES15-SP4-SAP-Azure-VLI-BYOS-Production Image SLES15-SP5-CHOST-BYOS-SAP-CCloud SUSE Linux Enterprise Real Time 15 SP2 libmspack0-0.6-3.14.1 libmspack-devel-0.6-3.14.1 libmspack0-32bit-0.6-3.14.1 libmspack0-64bit-0.6-3.14.1 mspack-tools-0.6-3.14.1 libmspack0-0.6-3.14.1 as a component of Container rancher/elemental-teal-iso/5.4:latest libmspack0-0.6-3.14.1 as a component of Container rancher/elemental-teal-rt/5.3:latest libmspack0-0.6-3.14.1 as a component of Container rancher/elemental-teal-rt/5.4:latest libmspack0-0.6-3.14.1 as a component of Container rancher/elemental-teal/5.3:latest libmspack0-0.6-3.14.1 as a component of Container rancher/elemental-teal/5.4:latest libmspack0-0.6-3.14.1 as a component of Container suse/sle-micro-rancher/5.2:latest libmspack0-0.6-3.14.1 as a component of Container suse/sle-micro-rancher/5.3:latest libmspack0-0.6-3.14.1 as a component of Container suse/sle-micro-rancher/5.4:latest libmspack0-0.6-3.14.1 as a component of Image SLES15-SAP-Azure-LI-BYOS-Production libmspack0-0.6-3.14.1 as a component of Image SLES15-SAP-Azure-VLI-BYOS-Production libmspack0-0.6-3.14.1 as a component of Image SLES15-SP1-SAP-Azure-LI-BYOS-Production libmspack0-0.6-3.14.1 as a component of Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production libmspack0-0.6-3.14.1 as a component of Image SLES15-SP2-SAP-Azure-LI-BYOS-Production libmspack0-0.6-3.14.1 as a component of Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production libmspack0-0.6-3.14.1 as a component of Image SLES15-SP3-CHOST-BYOS-SAP-CCloud libmspack0-0.6-3.14.1 as a component of Image SLES15-SP3-SAP-Azure-LI-BYOS-Production libmspack0-0.6-3.14.1 as a component of Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production libmspack0-0.6-3.14.1 as a component of Image SLES15-SP4-CHOST-BYOS-SAP-CCloud libmspack0-0.6-3.14.1 as a component of Image SLES15-SP4-SAP-Azure-LI-BYOS libmspack0-0.6-3.14.1 as a component of Image SLES15-SP4-SAP-Azure-LI-BYOS-Production libmspack0-0.6-3.14.1 as a component of Image SLES15-SP4-SAP-Azure-VLI-BYOS libmspack0-0.6-3.14.1 as a component of Image SLES15-SP4-SAP-Azure-VLI-BYOS-Production libmspack0-0.6-3.14.1 as a component of Image SLES15-SP5-CHOST-BYOS-SAP-CCloud libmspack-devel-0.6-3.14.1 as a component of SUSE Linux Enterprise Real Time 15 SP2 libmspack0-0.6-3.14.1 as a component of SUSE Linux Enterprise Real Time 15 SP2 ** DISPUTED ** chmextract.c in the chmextract sample program, as distributed with libmspack before 0.8alpha, does not protect against absolute/relative pathnames in CHM files, leading to Directory Traversal. NOTE: the vendor disputes that this is a libmspack vulnerability, because chmextract.c was only intended as a source-code example, not a supported application. CVE-2018-18586 Container rancher/elemental-teal-iso/5.4:latest:libmspack0-0.6-3.14.1 Container rancher/elemental-teal-rt/5.3:latest:libmspack0-0.6-3.14.1 Container rancher/elemental-teal-rt/5.4:latest:libmspack0-0.6-3.14.1 Container rancher/elemental-teal/5.3:latest:libmspack0-0.6-3.14.1 Container rancher/elemental-teal/5.4:latest:libmspack0-0.6-3.14.1 Container suse/sle-micro-rancher/5.2:latest:libmspack0-0.6-3.14.1 Container suse/sle-micro-rancher/5.3:latest:libmspack0-0.6-3.14.1 Container suse/sle-micro-rancher/5.4:latest:libmspack0-0.6-3.14.1 Image SLES15-SAP-Azure-LI-BYOS-Production:libmspack0-0.6-3.14.1 Image SLES15-SAP-Azure-VLI-BYOS-Production:libmspack0-0.6-3.14.1 Image SLES15-SP1-SAP-Azure-LI-BYOS-Production:libmspack0-0.6-3.14.1 Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production:libmspack0-0.6-3.14.1 Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:libmspack0-0.6-3.14.1 Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production:libmspack0-0.6-3.14.1 Image SLES15-SP3-CHOST-BYOS-SAP-CCloud:libmspack0-0.6-3.14.1 Image SLES15-SP3-SAP-Azure-LI-BYOS-Production:libmspack0-0.6-3.14.1 Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production:libmspack0-0.6-3.14.1 Image SLES15-SP4-CHOST-BYOS-SAP-CCloud:libmspack0-0.6-3.14.1 Image SLES15-SP4-SAP-Azure-LI-BYOS-Production:libmspack0-0.6-3.14.1 Image SLES15-SP4-SAP-Azure-LI-BYOS:libmspack0-0.6-3.14.1 Image SLES15-SP4-SAP-Azure-VLI-BYOS-Production:libmspack0-0.6-3.14.1 Image SLES15-SP4-SAP-Azure-VLI-BYOS:libmspack0-0.6-3.14.1 Image SLES15-SP5-CHOST-BYOS-SAP-CCloud:libmspack0-0.6-3.14.1 SUSE Linux Enterprise Real Time 15 SP2:libmspack-devel-0.6-3.14.1 SUSE Linux Enterprise Real Time 15 SP2:libmspack0-0.6-3.14.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20220069-2/ https://www.suse.com/security/cve/CVE-2018-18586.html CVE-2018-18586 https://bugzilla.suse.com/1113038 SUSE Bug 1113038 https://bugzilla.suse.com/1113039 SUSE Bug 1113039 https://bugzilla.suse.com/1113040 SUSE Bug 1113040