[Pkg-clamav-devel] Bugfix for #507624 prepared

Michael Tautschnig mt at debian.org
Wed Dec 3 05:00:44 UTC 2008


Dear Security Team,

One of our users has reported a possible DoS against the clamav scanning engine
(#507624). Upstream has already included a fix in 0.94.2, which is currently in
unstable and a similar version has been uploaded to etch-volatile already. The
versions in etch and lenny remain affected. For lenny, a patched version could
be prepared easily, but we would rather try to get sid's version released.

The attached patch provides a fix for etch-security. It does not, however,
include the previously sent patch for #505134. We could upload a package
containing both bugfixes at any time. If you prefer to include only one of
them, that is also easy to prepare.

This patch is provided despite the fact that we have not reached any
conclusion about making clamav a volatile-only package.

Best,
Michael

commit 2561103d6251a7903c4b131dc7eb74093e7aee50
Author: Michael Tautschnig <mt at debian.org>
Date:   Tue Dec 2 20:41:39 2008 -0800

    Backported fix for #507624
    
    - libclamav/special.c: respect recursion limits in cli_check_jpeg_exploit() (bb#1266)
    - Using code from upstream SVN r4478
    
    Signed-off-by: Michael Tautschnig <mt at debian.org>

diff --git a/debian/changelog b/debian/changelog
index 50329c3..a3d029f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,8 +2,10 @@ clamav (0.90.1dfsg-4etch16) stable-security; urgency=high
 
   * libclamav/vba_extract.c: off-by-one error causing possible buffer overflow
     (Closes: #505134)
+  * libclamav/special.c: respect recursion limits in cli_check_jpeg_exploit()
+    (Closes: #507624)
 
- -- Stephen Gran <sgran at debian.org>  Tue, 11 Nov 2008 22:29:12 +0100
+ -- Stephen Gran <sgran at debian.org>  Tue, 02 Dec 2008 20:36:31 -0800
 
 clamav (0.90.1dfsg-4etch15) stable-security; urgency=low
 
diff --git a/debian/patches/00list b/debian/patches/00list
index 27caae2..37b710f 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -24,3 +24,4 @@
 46.fd-leak.CVE-2008-3914.dpatch
 47.manager.c.CVE-2008-3913.dpatch
 48.vba_unicode.c.dpatch
+49.special.c.dpatch
diff --git a/debian/patches/49.special.c.dpatch b/debian/patches/49.special.c.dpatch
new file mode 100644
index 0000000..cbadd93
--- /dev/null
+++ b/debian/patches/49.special.c.dpatch
@@ -0,0 +1,125 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 48.vba_unicode.c.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: get_unicode_name() off-by-one buffer overflow
+
+ at DPATCH@
+diff --git a/libclamav/scanners.c b/libclamav/scanners.c
+index c4d1d8b..1d53fa6 100644
+--- a/libclamav/scanners.c
++++ b/libclamav/scanners.c
+@@ -1451,13 +1451,13 @@ static int cli_scanriff(int desc, const char **virname)
+     return ret;
+ }
+ 
+-static int cli_scanjpeg(int desc, const char **virname)
++static int cli_scanjpeg(int desc, cli_ctx *ctx)
+ {
+ 	int ret = CL_CLEAN;
+ 
+-    if(cli_check_jpeg_exploit(desc) == 1) {
++    if(cli_check_jpeg_exploit(desc, ctx) == 1) {
+ 	ret = CL_VIRUS;
+-	*virname = "Exploit.W32.MS04-028";
++	*ctx->virname = "Exploit.W32.MS04-028";
+     }
+ 
+     return ret;
+@@ -1905,7 +1905,7 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)
+ 
+ 	case CL_TYPE_GRAPHICS:
+ 	    if(SCAN_ALGO && (DCONF_OTHER & OTHER_CONF_JPEG))
+-		ret = cli_scanjpeg(desc, ctx->virname);
++		ret = cli_scanjpeg(desc, ctx);
+ 	    break;
+ 
+ 	case CL_TYPE_PDF:
+diff --git a/libclamav/special.c b/libclamav/special.c
+index 777f103..2179db4 100644
+--- a/libclamav/special.c
++++ b/libclamav/special.c
+@@ -82,7 +82,7 @@ int cli_check_mydoom_log(int desc, const char **virname)
+     return retval;
+ }
+ 
+-static int jpeg_check_photoshop_8bim(int fd)
++static int jpeg_check_photoshop_8bim(int fd, cli_ctx *ctx)
+ {
+ 	unsigned char bim[5];
+ 	uint16_t id, ntmp;
+@@ -137,7 +137,7 @@ static int jpeg_check_photoshop_8bim(int fd)
+ 	/* Jump past header */
+ 	lseek(fd, 28, SEEK_CUR);
+ 
+-	retval = cli_check_jpeg_exploit(fd);
++	retval = cli_check_jpeg_exploit(fd, ctx);
+ 	if (retval == 1) {
+ 		cli_dbgmsg("Exploit found in thumbnail\n");
+ 	}
+@@ -146,7 +146,7 @@ static int jpeg_check_photoshop_8bim(int fd)
+ 	return retval;
+ }
+ 
+-static int jpeg_check_photoshop(int fd)
++static int jpeg_check_photoshop(int fd, cli_ctx *ctx)
+ {
+ 	int retval;
+ 	unsigned char buffer[14];
+@@ -163,7 +163,7 @@ static int jpeg_check_photoshop(int fd)
+ 	cli_dbgmsg("Found Photoshop segment\n");
+ 	do {
+ 		old = lseek(fd, 0, SEEK_CUR);
+-		retval = jpeg_check_photoshop_8bim(fd);
++		retval = jpeg_check_photoshop_8bim(fd, ctx);
+ 		new = lseek(fd, 0, SEEK_CUR);
+ 		if(new <= old)
+ 			break;
+@@ -175,7 +175,7 @@ static int jpeg_check_photoshop(int fd)
+ 	return retval;
+ }
+ 
+-int cli_check_jpeg_exploit(int fd)
++int cli_check_jpeg_exploit(int fd, cli_ctx *ctx)
+ {
+ 	unsigned char buffer[4];
+ 	off_t offset;
+@@ -183,6 +183,8 @@ int cli_check_jpeg_exploit(int fd)
+ 
+ 
+ 	cli_dbgmsg("in cli_check_jpeg_exploit()\n");
++	if(ctx->recursion > ctx->limits->maxreclevel)
++	    return CL_EMAXREC;
+ 
+ 	if (cli_readn(fd, buffer, 2) != 2) {
+ 		return 0;
+@@ -226,9 +228,11 @@ int cli_check_jpeg_exploit(int fd)
+ 
+ 		if (buffer[1] == 0xed) {
+ 			/* Possible Photoshop file */
+-			if ((retval=jpeg_check_photoshop(fd)) != 0) {
++			ctx->recursion++;
++			retval=jpeg_check_photoshop(fd, ctx);
++			ctx->recursion--;
++			if (retval != 0)
+ 				return retval;
+-			}
+ 		}
+ 
+ 		if (lseek(fd, offset, SEEK_SET) != offset) {
+diff --git a/libclamav/special.h b/libclamav/special.h
+index 69aeeb9..de0d3ad 100644
+--- a/libclamav/special.h
++++ b/libclamav/special.h
+@@ -20,8 +20,10 @@
+ #ifndef __SPECIAL_H
+ #define __SPECIAL_H
+ 
++#include "others.h"
++
+ int cli_check_mydoom_log(int desc, const char **virname);
+-int cli_check_jpeg_exploit(int fd);
++int cli_check_jpeg_exploit(int fd, cli_ctx *ctx);
+ int cli_check_riff_exploit(int fd);
+ 
+ #endif
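Review bot: The dpatch header of the new 49.special.c.dpatch still carries the previous patch's name and description (`## 48.vba_unicode.c.dpatch` and `## DP: get_unicode_name() off-by-one buffer overflow`), so the `## DP:` line documents a different fix than the one this file applies; it should read `## 49.special.c.dpatch` and `## DP: respect recursion limits in cli_check_jpeg_exploit() (bb#1266, Closes: #507624)`. In the nested special.c hunk, the new guard `if(ctx->recursion > ctx->limits->maxreclevel)` dereferences `ctx->limits` without checking it; if the 0.90 scanner can be entered with a NULL limits pointer (it is a pointer, and nothing in the hunk shows it is always set), the fix itself becomes a NULL dereference, so it is worth confirming against the other recursion checks in this tree or guarding as `if(ctx->limits && ctx->limits->maxreclevel && ctx->recursion > ctx->limits->maxreclevel)`. The callers shown (`cli_scanjpeg`, `jpeg_check_photoshop_8bim`) only test for a return of 1, so a CL_EMAXREC result is treated as clean and never reported; that does stop the recursion, but a `cli_dbgmsg("cli_check_jpeg_exploit: recursion limit exceeded\n");` before the return would make the limit being hit visible in debug output.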