[Pkg-clamav-devel] Bugfix for #507624 prepared
Michael Tautschnig
mt at debian.org
Wed Dec 3 05:52:30 UTC 2008
> Dear Security Team,
>
> One of our users has reported a possible DoS against the clamav scanning engine
> (#507624). Upstream has already included a fix in 0.94.2, which is currently in
> unstable and a similar version has been uploaded to etch-volatile already. The
> versions in etch and lenny remain affected. For lenny, a patched version could
> be prepared easily, but we would rather try to get sid's version released.
>
> The attached patch provides a fix for etch-security. It does, however, not
> include the previously sent patch for #505134. We could upload a package
> containing both bugfixes at any time. If you prefer to only include one of
> those, this is also prepared easily.
>
Unfortunately the previous patch was missing one of the necessary changes. This
has been fixed in the new patch, attached to this message.
Best,
Michael
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 50329c3..a3d029f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,8 +2,10 @@ clamav (0.90.1dfsg-4etch16) stable-security; urgency=high
* libclamav/vba_extract.c: off-by-one error causing possible buffer overflow
(Closes: #505134)
+ * libclamav/special.c: respect recursion limits in cli_check_jpeg_exploit()
+ (Closes: #507624)
- -- Stephen Gran <sgran at debian.org> Tue, 11 Nov 2008 22:29:12 +0100
+ -- Stephen Gran <sgran at debian.org> Tue, 02 Dec 2008 20:36:31 -0800
clamav (0.90.1dfsg-4etch15) stable-security; urgency=low
diff --git a/debian/patches/00list b/debian/patches/00list
index 27caae2..37b710f 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -24,3 +24,4 @@
46.fd-leak.CVE-2008-3914.dpatch
47.manager.c.CVE-2008-3913.dpatch
48.vba_unicode.c.dpatch
+49.special.c.dpatch
diff --git a/debian/patches/49.special.c.dpatch b/debian/patches/49.special.c.dpatch
new file mode 100644
index 0000000..068b61d
--- /dev/null
+++ b/debian/patches/49.special.c.dpatch
@@ -0,0 +1,137 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 48.vba_unicode.c.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: get_unicode_name() off-by-one buffer overflow
+
+ at DPATCH@
+diff --git a/libclamav/others.h b/libclamav/others.h
+index 66cade9..22df93c 100644
+--- a/libclamav/others.h
++++ b/libclamav/others.h
+@@ -80,6 +80,7 @@ typedef struct {
+ const struct cl_engine *engine;
+ const struct cl_limits *limits;
+ unsigned int options;
++ unsigned int recursion;
+ unsigned int arec;
+ unsigned int mrec;
+ struct cli_dconf *dconf;
+diff --git a/libclamav/scanners.c b/libclamav/scanners.c
+index c4d1d8b..1d53fa6 100644
+--- a/libclamav/scanners.c
++++ b/libclamav/scanners.c
+@@ -1451,13 +1451,13 @@ static int cli_scanriff(int desc, const char **virname)
+ return ret;
+ }
+
+-static int cli_scanjpeg(int desc, const char **virname)
++static int cli_scanjpeg(int desc, cli_ctx *ctx)
+ {
+ int ret = CL_CLEAN;
+
+- if(cli_check_jpeg_exploit(desc) == 1) {
++ if(cli_check_jpeg_exploit(desc, ctx) == 1) {
+ ret = CL_VIRUS;
+- *virname = "Exploit.W32.MS04-028";
++ *ctx->virname = "Exploit.W32.MS04-028";
+ }
+
+ return ret;
+@@ -1905,7 +1905,7 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)
+
+ case CL_TYPE_GRAPHICS:
+ if(SCAN_ALGO && (DCONF_OTHER & OTHER_CONF_JPEG))
+- ret = cli_scanjpeg(desc, ctx->virname);
++ ret = cli_scanjpeg(desc, ctx);
+ break;
+
+ case CL_TYPE_PDF:
+diff --git a/libclamav/special.c b/libclamav/special.c
+index 777f103..2179db4 100644
+--- a/libclamav/special.c
++++ b/libclamav/special.c
+@@ -82,7 +82,7 @@ int cli_check_mydoom_log(int desc, const char **virname)
+ return retval;
+ }
+
+-static int jpeg_check_photoshop_8bim(int fd)
++static int jpeg_check_photoshop_8bim(int fd, cli_ctx *ctx)
+ {
+ unsigned char bim[5];
+ uint16_t id, ntmp;
+@@ -137,7 +137,7 @@ static int jpeg_check_photoshop_8bim(int fd)
+ /* Jump past header */
+ lseek(fd, 28, SEEK_CUR);
+
+- retval = cli_check_jpeg_exploit(fd);
++ retval = cli_check_jpeg_exploit(fd, ctx);
+ if (retval == 1) {
+ cli_dbgmsg("Exploit found in thumbnail\n");
+ }
+@@ -146,7 +146,7 @@ static int jpeg_check_photoshop_8bim(int fd)
+ return retval;
+ }
+
+-static int jpeg_check_photoshop(int fd)
++static int jpeg_check_photoshop(int fd, cli_ctx *ctx)
+ {
+ int retval;
+ unsigned char buffer[14];
+@@ -163,7 +163,7 @@ static int jpeg_check_photoshop(int fd)
+ cli_dbgmsg("Found Photoshop segment\n");
+ do {
+ old = lseek(fd, 0, SEEK_CUR);
+- retval = jpeg_check_photoshop_8bim(fd);
++ retval = jpeg_check_photoshop_8bim(fd, ctx);
+ new = lseek(fd, 0, SEEK_CUR);
+ if(new <= old)
+ break;
+@@ -175,7 +175,7 @@ static int jpeg_check_photoshop(int fd)
+ return retval;
+ }
+
+-int cli_check_jpeg_exploit(int fd)
++int cli_check_jpeg_exploit(int fd, cli_ctx *ctx)
+ {
+ unsigned char buffer[4];
+ off_t offset;
+@@ -183,6 +183,8 @@ int cli_check_jpeg_exploit(int fd)
+
+
+ cli_dbgmsg("in cli_check_jpeg_exploit()\n");
++ if(ctx->recursion > ctx->limits->maxreclevel)
++ return CL_EMAXREC;
+
+ if (cli_readn(fd, buffer, 2) != 2) {
+ return 0;
+@@ -226,9 +228,11 @@ int cli_check_jpeg_exploit(int fd)
+
+ if (buffer[1] == 0xed) {
+ /* Possible Photoshop file */
+- if ((retval=jpeg_check_photoshop(fd)) != 0) {
++ ctx->recursion++;
++ retval=jpeg_check_photoshop(fd, ctx);
++ ctx->recursion--;
++ if (retval != 0)
+ return retval;
+- }
+ }
+
+ if (lseek(fd, offset, SEEK_SET) != offset) {
+diff --git a/libclamav/special.h b/libclamav/special.h
+index 69aeeb9..de0d3ad 100644
+--- a/libclamav/special.h
++++ b/libclamav/special.h
+@@ -20,8 +20,10 @@
+ #ifndef __SPECIAL_H
+ #define __SPECIAL_H
+
++#include "others.h"
++
+ int cli_check_mydoom_log(int desc, const char **virname);
+-int cli_check_jpeg_exploit(int fd);
++int cli_check_jpeg_exploit(int fd, cli_ctx *ctx);
+ int cli_check_riff_exploit(int fd);
+
+ #endif
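Review bot: The dpatch header at the top of the new 49.special.c.dpatch is copied from the previous patch: the name line reads `## 48.vba_unicode.c.dpatch` and the description `## DP: get_unicode_name() off-by-one buffer overflow`, neither of which describes this change; they should read `## 49.special.c.dpatch` and `## DP: respect recursion limits in cli_check_jpeg_exploit() (Closes: #507624)`, matching the changelog entry. In cli_check_jpeg_exploit() the new guard `if(ctx->recursion > ctx->limits->maxreclevel)` dereferences ctx->limits unconditionally; if a scan context can be built without a limits structure (the hunk does not show how ctx is created), this needs an explicit NULL check such as `if(ctx->limits && ctx->recursion > ctx->limits->maxreclevel)` together with a decision on what depth cap applies when none is configured, since an unbounded path would defeat the DoS fix. The new `recursion` member of cli_ctx is read before the patch shows it being initialised; unless the context is zero-filled where it is created (outside these hunks), the first comparison reads an indeterminate value, so the initialisation site should be confirmed or a `ctx->recursion = 0` added there.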