cabextract 1.5 and libmspack 0.5alpha have been released.
The main changes are fixes in handling invalid files, which were
found by Debian researchers using the American fuzzy lop (afl) tool.
These issues have been fixed.
- CVE-2014-9556: A CAB file with invalid file offset or length
(where offset + length == 2^32) causes an infinite loop in the
Quantum decoder on 32-bit architectures. [Debian bugs #772891,
- A CAB file with two folders, the second folder invalid, and a
file decompression order of folder 1, 2, 1, causes execution to
jump to NULL. [Debian bugs #773659, #774665]
- A CHM file with reset interval of zero causes division by
zero. [Debian bug #774725]
- A CHM file with invalid name lengths in PGML/PGMI blocks
causes over-read and segfaults on 32-bit architectures. [Debian
bugs #774726, #775687]
- A CAB file with MSZIP-compressed data and a distance code of
30 causes a 1-byte over-read. [Debian bug #775498]
- A CAB file with zero-length filenames causes a 1 byte
- A CAB file with invalid UTF-8 encoded filenames causes
over-read of up to 5 bytes.
- A CAB or CHM file with LZX-compressed data ending early during
an odd-sized uncompressed block can cause a 1-byte under-read.
[Debian bug #775499]
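The fixes above share one theme: a length, offset or count read from the file was trusted before it was checked against the buffer or the arithmetic it feeds. The following is a constructed example of those checks, added here; it is not cabextract or libmspack code, and the function names, the 32-bit field widths and the sample inputs are assumptions. It shows the naive offset + length test wrapping to 0 on 32-bit next to an overflow-safe form, rejects a zero reset interval before it can be used as a divisor, and validates UTF-8 filenames without reading past the end of the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Naive form, for contrast: with 32-bit fields, offset + length wraps
 * modulo 2^32, so offset + length == 2^32 becomes 0 and passes the test. */
bool range_in_file_naive(uint32_t offset, uint32_t length, uint32_t file_size)
{
    uint32_t end = offset + length;   /* may wrap */
    return end <= file_size;
}

/* Overflow-safe form: never compute offset + length; compare length against
 * the room left after offset, which cannot wrap. */
bool range_in_file(uint32_t offset, uint32_t length, uint32_t file_size)
{
    if (offset > file_size)
        return false;
    return length <= file_size - offset;
}

/* A reset interval of zero would be used as a divisor or modulus later;
 * reject it at header-parse time. */
bool reset_interval_ok(uint32_t reset_interval)
{
    return reset_interval != 0;
}

/* Byte length of a UTF-8 sequence from its lead byte, or 0 when the lead
 * byte cannot start a sequence (stray continuation bytes 0x80..0xBF,
 * overlong leads 0xC0/0xC1, leads above 0xF4 including the obsolete
 * 5- and 6-byte forms). */
static int utf8_seq_len(unsigned char lead)
{
    if (lead < 0x80)            return 1;
    if ((lead & 0xE0) == 0xC0)  return lead >= 0xC2 ? 2 : 0;
    if ((lead & 0xF0) == 0xE0)  return 3;
    if ((lead & 0xF8) == 0xF0)  return lead <= 0xF4 ? 4 : 0;
    return 0;
}

/* Validate an n-byte filename without reading beyond buf[n-1].
 * Returns the number of code points, or -1 if a sequence is malformed or
 * would extend past the end of the buffer (the over-read case). */
int utf8_validate_bounded(const unsigned char *buf, size_t n)
{
    size_t i = 0;
    int count = 0;
    while (i < n) {
        int len = utf8_seq_len(buf[i]);
        if (len == 0)
            return -1;
        if ((size_t)len > n - i)          /* truncated sequence: stop here */
            return -1;
        for (int k = 1; k < len; k++)     /* every trailing byte is 10xxxxxx */
            if ((buf[i + k] & 0xC0) != 0x80)
                return -1;
        i += len;
        count++;
    }
    return count;
}

int main(void)
{
    /* constructed inputs: offset + length == 2^32 in a 1000-byte file */
    printf("naive check passes: %d, safe check passes: %d\n",
           range_in_file_naive(0xFFFFFF00u, 0x100u, 1000),
           range_in_file(0xFFFFFF00u, 0x100u, 1000));
    /* constructed filename: "caf" followed by a 4-byte lead with no tail */
    const unsigned char truncated[] = { 'c', 'a', 'f', 0xF0 };
    printf("truncated name validates as: %d\n",
           utf8_validate_bounded(truncated, sizeof truncated));
    return 0;
}
```

The naive check is the one that wraps; the safe form never adds the two fields, so it gives the same answer on 32-bit and 64-bit builds. The UTF-8 validator checks the remaining length before touching any trailing byte, which is the check whose absence allowed the multi-byte over-read.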
Additionally, cabextract and libmspack's
mschm_decompressor::fast_find now have more robust handling of
invalid UTF-8 encoded filenames, and the bundled extra script
wince_rename now creates files' install directories.
cabextract and libmspack can be downloaded from