[Pkg-clamav-devel] Bug#776884: wheezy-pu: clamav/0.98.6+dfsg-0+deb7u1

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Mon Feb 2 21:11:12 UTC 2015


Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org at packages.debian.org
Usertags: pu

Dear release team:

Please unblock the new clamav release, which is a security release +
embedded libmspack security release.
This is what we have in unstable without the systemd support and the
"clamdscan" package split.

tl;dr

There is a new security based clamav release which I would like to
upload to wheezy. Here is the upstream NEWS:
|    - library shared object revisions.
|    - installation issues on some Mac OS X and FreeBSD platforms.
|    - includes a patch from Sebastian Andrzej Siewior making
|      ClamAV pid files compatible with systemd.
|    - Fix a heap out of bounds condition with crafted Yoda's
|      crypter files. This issue was discovered by Felix Groebert
|      of the Google Security Team.
|    - Fix a heap out of bounds condition with crafted mew packer
|      files. This issue was discovered by Felix Groebert of the
|      Google Security Team.
|    - Fix a heap out of bounds condition with crafted upx packer
|      files. This issue was discovered by Kevin Szkudlapski of
|      Quarkslab.
|    - Fix a heap out of bounds condition with crafted upack packer
|      files. This issue was discovered by Sebastian Andrzej Siewior.
|      CVE-2014-9328.
|    - Compensate a crash due to incorrect compiler optimization when
|      handling crafted petite packer files. This issue was discovered
|      by Sebastian Andrzej Siewior.

I would write an announcement for the CVE once it made it into pu (there
was none yet). The others look like a CVE wouldn't hurt :)

Aside from the clamav update, I updated the internal libmspack library. The
official announcement for the new library version was:
|The main changes are fixes in handling invalid files, which were found by
|Debian researchers using the American fuzzy lop (afl) tool.
|
| * CVE-2014-9556: A CAB file with invalid file offset or length (where
|   offset + length == 2^32) causes an infinite loop in the Quantum decoder
|   on 32-bit architectures. [Debian bugs #772891, #773041]
| * A CAB file with two folders, the second folder invalid, and a file
|   decompression order of folder 1, 2, 1, causes execution to jump to NULL.
|   [Debian bugs #773659, #774665]
| * A CHM file with reset interval of zero causes division by zero. [Debian
|   bug #774725]
| * A CHM file with invalid name lengths in PGML/PGMI blocks causes
|   over-read and segfaults on 32-bit architecture [Debian bugs #774726,
|   #775687]
| * A CAB file with MSZIP-compressed data and a distance code of 30 causes a
|   1 byte over-read [Debian bug #775498]
| * A CAB file with zero-length filenames causes a 1 byte over-read.
| * A CAB file with invalid UTF-8 encoded filenames causes over-read of up
|   to 5 bytes.
| * A CAB or CHM file with LZX-compressed data ending early during an
|   odd-sized uncompressed block can cause a 1-byte under-read. [Debian bug
|   #775499]
|
|These issues have been fixed.
|
|Additionally, cabextract and libmspack's mschm_decompressor::fast_find now
|have more robust handling of invalid UTF-8 encoded filenames, and the bundled
|extra script wince_rename now creates files' install directories.

The last pu update fixed all the critical bugs (critical as in hang/crash) except
for #775687. The Debian Maintainer of the library already uploaded it
for unstable and asked for an unblock for testing.

The debdiff is huge, 24MiB. One reason is that we no longer purge the
llvm source from the .orig archive (but it remains unused because we
link against the external package). It's been left in the source because
older Ubuntu needs it. Since a few patches got integrated upstream,
the patches in debian/patches got renamed by git-dpm and it is hardly
useful.
Instead please find attached the output of
|	git diff -M debian-0.98.5+dfsg-0+deb7u3
with 
- libclamav/c++/llvm/* removed (as explained)
- debian/patches/* removed, the applied patches are part of the diff
- docs/html/*.html removed, a lot of "s/Cisco 2014-11-12/Cisco 2014-11-21/"
  and version update
- the files
   libclamav/libmspack-0.5alpha/Makefile.in
   libclamav/libmspack-0.5alpha/aclocal.m4
   libclamav/libmspack-0.5alpha/compile
   libclamav/libmspack-0.5alpha/config.guess
   libclamav/libmspack-0.5alpha/config.sub
   libclamav/libmspack-0.5alpha/configure
   libclamav/libmspack-0.5alpha/depcomp
   libclamav/libmspack-0.5alpha/install-sh
   libclamav/libmspack-0.5alpha/missing

  because they are huge and part of the libmspack upstream autoreconf run.

The result is attached and 147 KiB in size.

Sebastian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: clamav_98_5_deb7u3_to_98_6_deb7u1.patch
Type: text/x-diff
Size: 150381 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-clamav-devel/attachments/20150202/8b8224df/attachment-0001.patch>
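The CVE-2014-9556 entry in the quoted libmspack announcement (a CAB file whose offset + length == 2^32 wraps to 0 in 32-bit arithmetic) is the classic overflow-in-bounds-check pattern. The following is an added illustration, not libmspack's or ClamAV's code; the `struct block`, the function names and the constructed file size are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed example: a CAB-style data block described by a 32-bit
 * offset and length inside a file of total size `file_size`. */
struct block { uint32_t offset; uint32_t length; };

/* Naive check: computes offset + length in 32-bit arithmetic. When
 * offset + length == 2^32 the sum wraps to 0, so the block appears to
 * "fit" and a decoder that walks toward that end position can spin
 * without ever reaching it (the 32-bit failure mode described above). */
bool block_fits_naive(const struct block *b, uint32_t file_size) {
    uint32_t end = b->offset + b->length;   /* wraps modulo 2^32 */
    return end <= file_size;
}

/* Hardened check: detect the wraparound before comparing, and reject
 * empty blocks so that end > offset always holds for accepted input. */
bool block_fits_safe(const struct block *b, uint32_t file_size) {
    if (b->length == 0) return false;                     /* nothing to decode */
    if (b->offset > UINT32_MAX - b->length) return false; /* sum would wrap */
    return b->offset + b->length <= file_size;
}

/* Runs both checks over a crafted block (offset + length == 2^32) and a
 * legitimate one. Returns 1 only if the naive check accepts the crafted
 * block while the safe check rejects it and still accepts the good one. */
int demo(void) {
    const uint32_t file_size = 4096;                 /* constructed */
    struct block crafted = { 0xFFFFFF00u, 0x100u };  /* sums to 2^32 */
    struct block good    = { 512u, 1024u };
    int naive_fooled = block_fits_naive(&crafted, file_size);
    int safe_rejects = !block_fits_safe(&crafted, file_size);
    int safe_accepts = block_fits_safe(&good, file_size);
    return naive_fooled && safe_rejects && safe_accepts;
}
```

Because the arithmetic is done in `uint32_t`, the wrap reproduces on a 64-bit build too, which makes the check easy to unit-test regardless of the host.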

