{"id":"CVE-2017-6419","details":"mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted CHM file.","modified":"2026-04-11T04:14:38.288533Z","published":"2017-08-07T03:29:00.277Z","related":["MGASA-2017-0283","SUSE-SU-2018:0254-1","SUSE-SU-2018:0255-1","SUSE-SU-2018:0809-1","SUSE-SU-2018:0863-1","openSUSE-SU-2024:10685-1","openSUSE-SU-2024:10958-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2018/02/msg00014.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3946"},{"type":"ADVISORY","url":"https://github.com/varsleak/varsleak-vul/blob/master/clamav-vul/heap-overflow/clamav_chm_crash.md"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201804-16"},{"type":"REPORT","url":"https://bugzilla.clamav.net/show_bug.cgi?id=11701"},{"type":"FIX","url":"https://github.com/vrtadmin/clamav-devel/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cisco-talos/clamav","events":[{"introduced":"0"},{"fixed":"a83773682e856ad6529ba6db8d1792e6d515d7f1"}]},{"type":"GIT","repo":"https://github.com/kyz/libmspack","events":[{"introduced":"0"},{"last_affected":"03296dd44347ab3111ba23b8e3945e2b537b6275"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.5-alpha"}]}}],"versions":["clamav-0.96","clamav-0.96.2","clamav-0.96.3","clamav-0.96.4","clamav-0.96.5","clamav-0.96rc1","clamav-0.96rc2","clamav-0.97","clamav-0.97rc","merge-llvm-97877","r5076","v0.0.20060920alpha","v0.3alpha","v0.4alpha","v0.5alpha","v1.0","v1.1","v1.2","v1.3","v1.4"],"database_specific":{"vanir_signatures_modified":"2026-04-11T04:14:38Z","vanir_signatures":[{"target":{"function":"mspack_fmap_free","file":"libclamav/libmspack.c"},"id":"CVE-2017-6419-158e5c12","digest":{"length":64,"function_hash":"105314170104537119795892195005646536883"},"source":"https://github.com/cisco-talos/clamav/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1","signature_version":"v1","signature_type":"Function","deprecated":false},{"target":{"function":"lzxd_free","file":"libclamav/libmspack-0.5alpha/mspack/lzxd.c"},"id":"CVE-2017-6419-2dff9d70","digest":{"length":179,"function_hash":"36425859503893486122199183962679951196"},"source":"https://github.com/cisco-talos/clamav/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1","signature_version":"v1","signature_type":"Function","deprecated":false},{"target":{"file":"libclamav/libmspack-0.5alpha/mspack/lzxd.c"},"id":"CVE-2017-6419-3c94d9a1","digest":{"threshold":0.9,"line_hashes":["136812049944724980978743740024966289697","239642238586611879435853196125623206467","40883855409387376279425001697949305055","207670088480332678768897160205840489720","137050635423474274304079970391599644070","256192828004486556560188961880269201204","92030697883542239907420004418267516576","133434634387658503944555526626693766626","57477167490934286654239258003596752208","299735408700367508640607568273422838006"]},"source":"https://github.com/cisco-talos/clamav/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1","signature_version":"v1","signature_type":"Line","deprecated":false},{"target":{"file":"libclamav/libmspack.c"},"id":"CVE-2017-6419-565b7fba","digest":{"threshold":0.9,"line_hashes":["39213307635245385338061781708479438537","161293350000683804664213130242652150668","179719491279128692184227813514265352406","111485140398853709928158643894428398984"]},"source":"https://github.com/cisco-talos/clamav/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1","signature_version":"v1","signature_type":"Line","deprecated":false},{"target":{"function":"lzxd_decompress","file":"libclamav/libmspack-0.5alpha/mspack/lzxd.c"},"id":"CVE-2017-6419-d5ca588a","digest":{"length":10410,"function_hash":"157883946808374614544341957531013484112"},"source":"https://github.com/cisco-talos/clamav/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1","signature_version":"v1","signature_type":"Function","deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6419.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}