diff -Nru libmspack-0.7/debian/changelog libmspack-0.7/debian/changelog
--- libmspack-0.7/debian/changelog 2018-07-29 09:53:39.000000000 +0000
+++ libmspack-0.7/debian/changelog 2018-11-08 11:54:34.000000000 +0000
@@ -1,3 +1,15 @@
+libmspack (0.7-1ubuntu0.1) cosmic-security; urgency=medium
+
+ * SECURITY UPDATE: Denial of service
+ - debian/patches/CVE-2018-18585.patch: Ensure file names are valid in chmd.c
+ - CVE-2018-18585
+ * SECURITY UPDATE: One byte buffer overflow -
+ - debian/patches/CVE-2018-18584.patch: Ensure input buffer is large
+ enough in cab.h
+ - CVE-2018-18584
+
+ -- Alex Murray Thu, 08 Nov 2018 22:24:34 +1030
+
 libmspack (0.7-1) unstable; urgency=medium
 * NUR:
diff -Nru libmspack-0.7/debian/control libmspack-0.7/debian/control
--- libmspack-0.7/debian/control 2018-07-29 04:03:32.000000000 +0000
+++ libmspack-0.7/debian/control 2018-11-08 11:54:34.000000000 +0000
@@ -1,7 +1,8 @@
 Source: libmspack
 Section: libs
 Priority: optional
-Maintainer: Marc Dequènes (Duck)
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Marc Dequènes (Duck)
 Standards-Version: 4.1.4
 Build-Depends: dpkg-dev (>= 1.16.1.1), debhelper (>= 11)
 Build-Depends-indep: doxygen, graphviz
diff -Nru libmspack-0.7/debian/patches/CVE-2018-18584.patch libmspack-0.7/debian/patches/CVE-2018-18584.patch
--- libmspack-0.7/debian/patches/CVE-2018-18584.patch 1970-01-01 00:00:00.000000000 +0000
+++ libmspack-0.7/debian/patches/CVE-2018-18584.patch 2018-11-08 11:54:09.000000000 +0000
@@ -0,0 +1,64 @@
+From 40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2 Mon Sep 17 00:00:00 2001
+From: Stuart Caie
+Date: Wed, 17 Oct 2018 11:33:35 +0100
+Subject: [PATCH] CAB block input buffer is one byte too small for maximal
+ Quantum block
+
+---
+ libmspack/ChangeLog | 8 ++++++++
+ libmspack/mspack/cab.h | 12 ++++++++++--
+ 2 files changed, 18 insertions(+), 2 deletions(-)
+
+Index: libmspack-0.7/ChangeLog
+===================================================================
+--- libmspack-0.7.orig/ChangeLog
++++ libmspack-0.7/ChangeLog
+@@ -1,5 +1,13 @@
+ 2018-10-17 Stuart Caie
+
++ * cab.h: Make the CAB block input buffer one byte larger, to allow
++ a maximum-allowed-size input block and the special extra byte added
++ after the block by cabd_sys_read_block to help Quantum alignment.
++ Thanks to Henri Salo for reporting this.
++
++
++2018-10-17 Stuart Caie
++
+ * chmd_read_headers(): again reject files with blank filenames, this
+ time because their 1st or 2nd byte is null, not because their length
+ is zero. Thanks again to Hanno Böck for finding the issue.
+Index: libmspack-0.7/mspack/cab.h
+===================================================================
+--- libmspack-0.7.orig/mspack/cab.h
++++ libmspack-0.7/mspack/cab.h
+@@ -1,5 +1,5 @@
+ /* This file is part of libmspack.
+- * (C) 2003-2004 Stuart Caie.
++ * (C) 2003-2018 Stuart Caie.
+ *
+ * libmspack is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU Lesser General Public License (LGPL) version 2.1
+@@ -70,6 +70,14 @@
+ #define CAB_BLOCKMAX (32768)
+ #define CAB_INPUTMAX (CAB_BLOCKMAX+6144)
+
++/* input buffer needs to be CAB_INPUTMAX + 1 byte to allow for max-sized block
++ * plus 1 trailer byte added by cabd_sys_read_block() for Quantum alignment.
++ *
++ * When MSCABD_PARAM_SALVAGE is set, block size is not checked so can be
++ * up to 65535 bytes, so max input buffer size needed is 65535 + 1
++ */
++#define CAB_INPUTBUF (65535 + 1)
++
+ /* There are no more than 65535 data blocks per folder, so a folder cannot
+ * be more than 32768*65535 bytes in length. As files cannot span more than
+ * one folder, this is also their max offset, length and offset+length limit.
+@@ -100,7 +108,7 @@ struct mscabd_decompress_state {
+ struct mspack_file *infh; /* input file handle */
+ struct mspack_file *outfh; /* output file handle */
+ unsigned char *i_ptr, *i_end; /* input data consumed, end */
+- unsigned char input[CAB_INPUTMAX]; /* one input block of data */
++ unsigned char input[CAB_INPUTBUF]; /* one input block of data */
+ };
+
+ struct mscab_decompressor_p {
diff -Nru libmspack-0.7/debian/patches/CVE-2018-18585.patch libmspack-0.7/debian/patches/CVE-2018-18585.patch
--- libmspack-0.7/debian/patches/CVE-2018-18585.patch 1970-01-01 00:00:00.000000000 +0000
+++ libmspack-0.7/debian/patches/CVE-2018-18585.patch 2018-11-08 11:53:44.000000000 +0000
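Review bot: The enlarged buffer makes the one-byte Quantum trailer safe only as long as cabd_sys_read_block() never reads more than 65535 bytes into `input`, and this hunk adds no check at that read site; the new comment itself says the block size is not checked in salvage mode, so the bound is implied by the width of the block-size field rather than enforced in code. A defensive compare of the block length against `CAB_INPUTBUF - 1` before the read in cabd_sys_read_block (outside this hunk, in the .c file) would make that invariant explicit and cheap to audit. The constant is also a bare literal `65535 + 1` rather than being tied to CAB_INPUTMAX, so if CAB_INPUTMAX were ever raised past 65535 the first paragraph of the comment would silently stop holding; I would either derive it as `#define CAB_INPUTBUF ((CAB_INPUTMAX > 65535 ? CAB_INPUTMAX : 65535) + 1)` or add `/* must stay >= CAB_INPUTMAX + 1 */` beside the define. Note that struct mscabd_decompress_state grows by roughly 26 KiB, which is fine provided every allocation of it uses sizeof — that code is not visible here.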
@@ -0,0 +1,47 @@
+From 8759da8db6ec9e866cb8eb143313f397f925bb4f Mon Sep 17 00:00:00 2001
+From: Stuart Caie
+Date: Wed, 17 Oct 2018 11:29:03 +0100
+Subject: [PATCH] Avoid returning CHM file entries that are "blank" because
+ they have embedded null bytes
+
+---
+ libmspack/ChangeLog | 6 ++++++
+ libmspack/mspack/chmd.c | 6 +++---
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+Index: libmspack-0.7/ChangeLog
+===================================================================
+--- libmspack-0.7.orig/ChangeLog
++++ libmspack-0.7/ChangeLog
+@@ -1,3 +1,9 @@
++2018-10-17 Stuart Caie
++
++ * chmd_read_headers(): again reject files with blank filenames, this
++ time because their 1st or 2nd byte is null, not because their length
++ is zero. Thanks again to Hanno Böck for finding the issue.
++
+ 2018-04-26 Stuart Caie
+
+ * read_chunk(): the test that chunk numbers are in bounds was off
+Index: libmspack-0.7/mspack/chmd.c
+===================================================================
+--- libmspack-0.7.orig/mspack/chmd.c
++++ libmspack-0.7/mspack/chmd.c
+@@ -447,14 +447,14 @@ static int chmd_read_headers(struct mspa
+ while (num_entries--) {
+ READ_ENCINT(name_len);
+ if (name_len > (unsigned int) (end - p)) goto chunk_end;
+- /* consider blank filenames to be an error */
+- if (name_len == 0) goto chunk_end;
+ name = p; p += name_len;
+-
+ READ_ENCINT(section);
+ READ_ENCINT(offset);
+ READ_ENCINT(length);
+
++ /* ignore blank or one-char (e.g. "/") filenames we'd return as blank */
++ if (name_len < 2 || !name[0] || !name[1]) continue;
++
+ /* empty files and directory names are stored as a file entry at
+ * offset 0 with length 0. We want to keep empty files, but not
+ * directory names, which end with a "/" */
diff -Nru libmspack-0.7/debian/patches/series libmspack-0.7/debian/patches/series
--- libmspack-0.7/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ libmspack-0.7/debian/patches/series 2018-11-08 11:54:09.000000000 +0000
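Review bot: The new guard `if (name_len < 2 || !name[0] || !name[1]) continue;` only rejects a NUL in the first two bytes, so a name like `ab\0…` with a larger name_len still passes; if the name is later copied into a NUL-terminated string (not visible in this hunk), that entry would be returned with a truncated name whose strlen disagrees with name_len, which is the kind of mismatch that bites path checks done on the C string. If the intent is to keep only names that survive as C strings, `if (name_len < 2 || memchr(name, '\0', name_len)) continue;` covers it (string.h, which may already be in scope via the project's system header); otherwise a comment stating that later NUL bytes are tolerated would help the next reader. Note also that a blank name now silently `continue`s where the old code jumped to chunk_end, so a directory chunk consisting only of blank entries is no longer reported as malformed — worth confirming that is the intended leniency. chmd_read_headers() starts and ends outside this hunk.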
@@ -0,0 +1,2 @@
+CVE-2018-18585.patch
+CVE-2018-18584.patch