From: Kyzer
Date: Wed, 25 Mar 2015 22:49:04 +0000
Subject: [ANNOUNCEMENT] Updated: cabextract-1.6-1
To: cygwin AT cygwin DOT com

Version 1.6-1 of "cabextract" has been uploaded.

cabextract is a utility for extracting Microsoft Cabinet (.CAB) files.

This update fixes a number of security bugs:

* CVE-2014-9556: A CAB file with invalid file offset or length (where offset + length == 2^32) causes an infinite loop in the Quantum decoder on 32-bit architectures. [Debian bugs #772891, #773041]

* CVE-2015-2060: A CAB file with overlong UTF-8 encodings for "/" can get its files extracted to an absolute path instead of the current directory. [Debian bug #778753]

* On Cygwin, a CAB file using both "/" and "\" can evade checks for absolute files and "../" directory traversals and can get its files extracted to any path.

* A CAB file with two folders, the second folder invalid, and a file decompression order of folder 1, 2, 1, causes execution to jump to NULL. [Debian bugs #773659, #774665]

* A CAB file with MSZIP-compressed data and a distance code of 30 causes a 1 byte over-read [Debian bug #775498]

* A CAB file with zero-length filenames causes a 1 byte over-read.

* A CAB file with invalid UTF-8 encoded filenames causes over-read of up to 5 bytes.

* A CAB file with LZX-compressed data ending early during an odd-sized uncompressed block can cause a 1-byte under-read. [Debian bug #775499]