[Pkg-clamav-devel] Etch backported security fixes
Michael Tautschnig
mt at debian.org
Tue Nov 11 22:02:44 UTC 2008
> This one time, at band camp, aCaB said:
> > Hi,
> > Out of two security fixes in 0.94.1 only one applies (off by one in
> > get_unicode_name) the other one affects the screnc handler which has
> > been pretty much rewritten since 0.90.1.
> >
> > Patch attached.
>
> That seems pretty straightforward, really :) Copying the security team
> to get some feedback.
>
> Security:
> This is 505134. No CVE as yet, but from the bugtraq message it seems
> pretty clear it will have one.
Attached please find the complete changeset to fix this issue. I'm just about
to build the package, which could get uploaded to security-master whenever you
like.
Best,
Michael
-------------- next part --------------
commit cca61a86f5a94afc8a0e22cad99d7da8702f1366
Author: Michael Tautschnig <mt at debian.org>
Date: Tue Nov 11 22:41:29 2008 +0100
Dpatchified aCaB's backported fix
- Patch backported from 0.94.1 to fix off-by-one error in vba_extract.c,
allowing for buffer overflows.
Signed-off-by: Michael Tautschnig <mt at debian.org>
diff --git a/debian/changelog b/debian/changelog
index 3986550..50329c3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+clamav (0.90.1dfsg-4etch16) stable-security; urgency=high
+
+ * libclamav/vba_extract.c: off-by-one error causing possible buffer overflow
+ (Closes: #505134)
+
+ -- Stephen Gran <sgran at debian.org> Tue, 11 Nov 2008 22:29:12 +0100
+
clamav (0.90.1dfsg-4etch15) stable-security; urgency=low
* [CVE-2008-3912]: libclamav/mbox.c, libclamav/message.c: out-of-memory null
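Review bot: The new changelog entry identifies the fix only by file (libclamav/vba_extract.c), while the entry below it leads with its identifier in brackets ([CVE-2008-3912]). Name the affected function, get_unicode_name(), in the entry so it matches the DP: line of the dpatch, and add the CVE id in the same bracketed form once one is assigned. The trailer is also signed by Stephen Gran although the commit is authored by Michael Tautschnig; confirm that is the intended uploader.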
diff --git a/debian/patches/00list b/debian/patches/00list
index f741f85..27caae2 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -23,3 +23,4 @@
45.mbox.c.CVE-2008-3912.dpatch
46.fd-leak.CVE-2008-3914.dpatch
47.manager.c.CVE-2008-3913.dpatch
+48.vba_unicode.c.dpatch
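Review bot: The added entry 48.vba_unicode.c.dpatch names a file, vba_unicode.c, that the patch does not touch; the patched file is libclamav/vba_extract.c. The three entries above it use the form number, source file, CVE id (for example 47.manager.c.CVE-2008-3913.dpatch), so 48.vba_extract.c.dpatch would be consistent, with the CVE id appended once assigned. The rename has to be applied to the new file under debian/patches and to its `## 48.vba_unicode.c.dpatch` header line as well.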
diff --git a/debian/patches/48.vba_unicode.c.dpatch b/debian/patches/48.vba_unicode.c.dpatch
new file mode 100644
index 0000000..f25c5e7
--- /dev/null
+++ b/debian/patches/48.vba_unicode.c.dpatch
@@ -0,0 +1,18 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 48.vba_unicode.c.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: get_unicode_name() off-by-one buffer overflow
+
+ at DPATCH@
+--- a/libclamav/vba_extract.c 2008-11-11 01:25:27.000000000 +0100
++++ b/libclamav/vba_extract.c 2008-11-11 01:26:24.000000000 +0100
+@@ -110,7 +110,7 @@
+ return NULL;
+ }
+
+- newname = (char *) cli_malloc(size*7);
++ newname = (char *) cli_malloc(size*7+1);
+ if (!newname) {
+ return NULL;
+ }
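Review bot: In the embedded vba_extract.c hunk, the new size `size*7+1` is computed with no visible guard against the multiplication or the addition wrapping, and the condition of the early `return NULL` just above the allocation is not shown. Confirm that `size` is bounded before this line, since a wrapped result would make the allocation too small again. The DP: line should also say what the extra byte is for (presumably the terminating NUL written after the expanded name), because the write that needs it is outside the hunk's context.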