[Pkg-clamav-devel] Bugfix for #507624 prepared

Michael Tautschnig mt at debian.org
Wed Dec 3 19:06:01 UTC 2008


> * Scott Kitterman:
> 
> > On Wednesday 03 December 2008 06:52, Florian Weimer wrote:
> >> * Scott Kitterman:
> >> > On Wed, 03 Dec 2008 12:39:59 +0100 Florian Weimer <fw at deneb.enyo.de> 
> > wrote:
> >> >>Your patch looks fine.  Is there a CVE yet?
> >> >
> >> > As of two days ago when I put the Ubuntu change together there was not.
> >>
> >> Oh well.  At least for the other bug, there's a CVE (CVE-2008-5050).
> >>
> >> What about CVE-2008-1389?
> >
> > That was in clamav 0.94.  The patch is svn commit 3749 from upstream.
> >
> > I think that's on the list of ones we're looking at in Ubuntu to patch our 
> > 0.92.1 packages.  I haven't looked at Etch myself.
> 
> I think it makes sense to include this change in the current round of
> ClamAV patches.
> 
> Michael, does this sound reasonable?
> 

It does :-) But (as documented in the other sub-thread) this CVE does not apply
to etch(-security), so there seems to be no need to add further patches at this point.
I've thus attached the full diff between -etch15 and the proposed -etch16
security release. The changelog now contains the CVE-Id for the
maybe-buffer-overflow, but we're still missing any CVE-Id for the JPEG exploit,
there is no mention of that in upstream's bugzilla either (see
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1266).

Best,
Michael


diff --git a/debian/changelog b/debian/changelog
index 3986550..67ab90d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+clamav (0.90.1dfsg-4etch16) stable-security; urgency=high
+
+  * [CVE-2008-5050]: libclamav/vba_extract.c: possible buffer overflow
+    (Closes: #505134)
+  * libclamav/special.c: respect recursion limits in cli_check_jpeg_exploit()
+    (Closes: #507624)
+
+ -- Stephen Gran <sgran at debian.org>  Tue, 02 Dec 2008 20:36:31 -0800
+
 clamav (0.90.1dfsg-4etch15) stable-security; urgency=low
 
   * [CVE-2008-3912]: libclamav/mbox.c, libclamav/message.c: out-of-memory null
diff --git a/debian/patches/00list b/debian/patches/00list
index f741f85..37b710f 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -23,3 +23,5 @@
 45.mbox.c.CVE-2008-3912.dpatch
 46.fd-leak.CVE-2008-3914.dpatch
 47.manager.c.CVE-2008-3913.dpatch
+48.vba_unicode.c.dpatch
+49.special.c.dpatch
diff --git a/debian/patches/48.vba_unicode.c.dpatch b/debian/patches/48.vba_unicode.c.dpatch
new file mode 100644
index 0000000..f25c5e7
--- /dev/null
+++ b/debian/patches/48.vba_unicode.c.dpatch
@@ -0,0 +1,18 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 48.vba_unicode.c.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: get_unicode_name() off-by-one buffer overflow
+
+ at DPATCH@
+--- a/libclamav/vba_extract.c	2008-11-11 01:25:27.000000000 +0100
++++ b/libclamav/vba_extract.c	2008-11-11 01:26:24.000000000 +0100
+@@ -110,7 +110,7 @@
+                 return NULL;
+         }
+ 
+-        newname = (char *) cli_malloc(size*7);
++        newname = (char *) cli_malloc(size*7+1);
+         if (!newname) {
+                 return NULL;
+         }
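Review bot: The `## DP:` description of this dpatch omits the CVE that the changelog in the same diff assigns to this fix; since the patch file is what security trackers and later maintainers grep, I'd write `## DP: CVE-2008-5050: get_unicode_name() off-by-one buffer overflow`. The `+1` gives the terminator its slot, but the type and origin of `size` are outside the hunk; if it is read from the document being scanned, the product `size*7+1` should be bounded before the allocation so it cannot wrap on 32-bit targets. The cast on `cli_malloc` can be dropped when the line is touched if the function returns `void *`.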
diff --git a/debian/patches/49.special.c.dpatch b/debian/patches/49.special.c.dpatch
new file mode 100644
index 0000000..068b61d
--- /dev/null
+++ b/debian/patches/49.special.c.dpatch
@@ -0,0 +1,137 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 48.vba_unicode.c.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: get_unicode_name() off-by-one buffer overflow
+
+ at DPATCH@
+diff --git a/libclamav/others.h b/libclamav/others.h
+index 66cade9..22df93c 100644
+--- a/libclamav/others.h
++++ b/libclamav/others.h
+@@ -80,6 +80,7 @@ typedef struct {
+     const struct cl_engine *engine;
+     const struct cl_limits *limits;
+     unsigned int options;
++    unsigned int recursion;
+     unsigned int arec;
+     unsigned int mrec;
+     struct cli_dconf *dconf;
+diff --git a/libclamav/scanners.c b/libclamav/scanners.c
+index c4d1d8b..1d53fa6 100644
+--- a/libclamav/scanners.c
++++ b/libclamav/scanners.c
+@@ -1451,13 +1451,13 @@ static int cli_scanriff(int desc, const char **virname)
+     return ret;
+ }
+ 
+-static int cli_scanjpeg(int desc, const char **virname)
++static int cli_scanjpeg(int desc, cli_ctx *ctx)
+ {
+ 	int ret = CL_CLEAN;
+ 
+-    if(cli_check_jpeg_exploit(desc) == 1) {
++    if(cli_check_jpeg_exploit(desc, ctx) == 1) {
+ 	ret = CL_VIRUS;
+-	*virname = "Exploit.W32.MS04-028";
++	*ctx->virname = "Exploit.W32.MS04-028";
+     }
+ 
+     return ret;
+@@ -1905,7 +1905,7 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)
+ 
+ 	case CL_TYPE_GRAPHICS:
+ 	    if(SCAN_ALGO && (DCONF_OTHER & OTHER_CONF_JPEG))
+-		ret = cli_scanjpeg(desc, ctx->virname);
++		ret = cli_scanjpeg(desc, ctx);
+ 	    break;
+ 
+ 	case CL_TYPE_PDF:
+diff --git a/libclamav/special.c b/libclamav/special.c
+index 777f103..2179db4 100644
+--- a/libclamav/special.c
++++ b/libclamav/special.c
+@@ -82,7 +82,7 @@ int cli_check_mydoom_log(int desc, const char **virname)
+     return retval;
+ }
+ 
+-static int jpeg_check_photoshop_8bim(int fd)
++static int jpeg_check_photoshop_8bim(int fd, cli_ctx *ctx)
+ {
+ 	unsigned char bim[5];
+ 	uint16_t id, ntmp;
+@@ -137,7 +137,7 @@ static int jpeg_check_photoshop_8bim(int fd)
+ 	/* Jump past header */
+ 	lseek(fd, 28, SEEK_CUR);
+ 
+-	retval = cli_check_jpeg_exploit(fd);
++	retval = cli_check_jpeg_exploit(fd, ctx);
+ 	if (retval == 1) {
+ 		cli_dbgmsg("Exploit found in thumbnail\n");
+ 	}
+@@ -146,7 +146,7 @@ static int jpeg_check_photoshop_8bim(int fd)
+ 	return retval;
+ }
+ 
+-static int jpeg_check_photoshop(int fd)
++static int jpeg_check_photoshop(int fd, cli_ctx *ctx)
+ {
+ 	int retval;
+ 	unsigned char buffer[14];
+@@ -163,7 +163,7 @@ static int jpeg_check_photoshop(int fd)
+ 	cli_dbgmsg("Found Photoshop segment\n");
+ 	do {
+ 		old = lseek(fd, 0, SEEK_CUR);
+-		retval = jpeg_check_photoshop_8bim(fd);
++		retval = jpeg_check_photoshop_8bim(fd, ctx);
+ 		new = lseek(fd, 0, SEEK_CUR);
+ 		if(new <= old)
+ 			break;
+@@ -175,7 +175,7 @@ static int jpeg_check_photoshop(int fd)
+ 	return retval;
+ }
+ 
+-int cli_check_jpeg_exploit(int fd)
++int cli_check_jpeg_exploit(int fd, cli_ctx *ctx)
+ {
+ 	unsigned char buffer[4];
+ 	off_t offset;
+@@ -183,6 +183,8 @@ int cli_check_jpeg_exploit(int fd)
+ 
+ 
+ 	cli_dbgmsg("in cli_check_jpeg_exploit()\n");
++	if(ctx->recursion > ctx->limits->maxreclevel)
++	    return CL_EMAXREC;
+ 
+ 	if (cli_readn(fd, buffer, 2) != 2) {
+ 		return 0;
+@@ -226,9 +228,11 @@ int cli_check_jpeg_exploit(int fd)
+ 
+ 		if (buffer[1] == 0xed) {
+ 			/* Possible Photoshop file */
+-			if ((retval=jpeg_check_photoshop(fd)) != 0) {
++			ctx->recursion++;
++			retval=jpeg_check_photoshop(fd, ctx);
++			ctx->recursion--;
++			if (retval != 0)
+ 				return retval;
+-			}
+ 		}
+ 
+ 		if (lseek(fd, offset, SEEK_SET) != offset) {
+diff --git a/libclamav/special.h b/libclamav/special.h
+index 69aeeb9..de0d3ad 100644
+--- a/libclamav/special.h
++++ b/libclamav/special.h
+@@ -20,8 +20,10 @@
+ #ifndef __SPECIAL_H
+ #define __SPECIAL_H
+ 
++#include "others.h"
++
+ int cli_check_mydoom_log(int desc, const char **virname);
+-int cli_check_jpeg_exploit(int fd);
++int cli_check_jpeg_exploit(int fd, cli_ctx *ctx);
+ int cli_check_riff_exploit(int fd);
+ 
+ #endif
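Review bot: The header of 49.special.c.dpatch is copied from the previous patch: `## 48.vba_unicode.c.dpatch` and `## DP: get_unicode_name() off-by-one buffer overflow` describe the wrong change and should read `## 49.special.c.dpatch` / `## DP: respect recursion limits in cli_check_jpeg_exploit() (#507624)`, matching the changelog entry. On the code side, the new `recursion` member added to cli_ctx in others.h is not initialised anywhere in this patch, so unless the context is zero-filled where it is built (outside this diff) the comparison `ctx->recursion > ctx->limits->maxreclevel` reads an indeterminate value on the first call. That same line dereferences `ctx->limits` unconditionally; if a NULL limits pointer is permitted on this scan path (not visible here), the check needs a `ctx->limits &&` guard. Because the callers only test the result for `== 1`, the new `CL_EMAXREC` return collapses to CL_CLEAN, which is presumably intended but deserves a one-line comment at the early return, e.g. `/* limit reached: callers treat any value other than 1 as clean */`.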