[Pkg-clamav-devel] ClamAV: Security fixes for oldstable and stable

Michael Tautschnig mt at debian.org
Fri Apr 10 14:05:47 UTC 2009


Dear Security Team,

It has been brought to our attention that clamav < 0.95 is vulnerable to DoS
attacks via properly crafted input files. The version currently sitting in
unstable (0.95) already includes the fixes to those issues. We have now
backported the necessary changes to both the version currently shipped in lenny
and the version still available in etch.

The attached patches contain the necessary changes. The version targeted at
stable-security also contains a patch that allows us to selectively enable
signatures that upstream has deliberately disabled when used with possibly
vulnerable versions (the CL_FLEVEL_DCONF stuff).

The diffs for both versions are attached. Packages are built and ready to be
uploaded at any time.

Best,
Michael


-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index cbd57a6..196b5d9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+clamav (0.90.1dfsg-4etch18) oldstable-security; urgency=low
+
+  * [CVE-2008-6680] Fixed division by zero with --detect-broken.
+  * [CVE-2009-1270] clamd and clamscan get hung up.
+
+ -- Stephen Gran <sgran at debian.org>  Fri, 10 Apr 2009 15:33:51 +0200
+ 
 clamav (0.90.1dfsg-4etch17) stable-security; urgency=low
 
   * Corrected error in previous patch for CVE-2008-3914 (thanks Leonel Nunez)
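Review bot: the CVE-2009-1270 entry "clamd and clamscan get hung up" describes the symptom, not the change; the changelog should say what was fixed so the entry can be matched to 51.untar.c.CVE-2009-1270.dpatch, e.g. "untar: bail out on tar entries whose computed skip size is negative". The same wording is used in the lenny changelog and would benefit from the same fix.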
diff --git a/debian/patches/00list b/debian/patches/00list
index 37b710f..807c9db 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -25,3 +25,5 @@
 47.manager.c.CVE-2008-3913.dpatch
 48.vba_unicode.c.dpatch
 49.special.c.dpatch
+50.pe.c.CVE-2008-6680.dpatch
+51.untar.c.CVE-2009-1270.dpatch
diff --git a/debian/patches/50.pe.c.CVE-2008-6680.dpatch b/debian/patches/50.pe.c.CVE-2008-6680.dpatch
new file mode 100644
index 0000000..98cf75a
--- /dev/null
+++ b/debian/patches/50.pe.c.CVE-2008-6680.dpatch
@@ -0,0 +1,20 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 50.pe.c.CVE-2008-6680.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: division by zero fix
+
+ at DPATCH@
+diff --git a/libclamav/pe.c b/libclamav/pe.c
+index b61cab2..18d5c71 100644
+--- a/libclamav/pe.c
++++ b/libclamav/pe.c
+@@ -679,7 +679,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
+ 
+ 	cli_dbgmsg("------------------------------------\n");
+ 
+-	if (DETECT_BROKEN && EC32(section_hdr[i].VirtualAddress)%valign) { /* Bad virtual alignment */
++	if (DETECT_BROKEN && (!valign || EC32(section_hdr[i].VirtualAddress)%valign)) { /* Bad virtual alignment */
+ 	    cli_dbgmsg("VirtualAddress is misaligned\n");
+ 	    if(ctx->virname)
+ 	        *ctx->virname = "Broken.Executable";
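Review bot: the new `!valign` guard is evaluated only when DETECT_BROKEN is set, so a zero section alignment is caught in --detect-broken mode only; if `valign` is used as a divisor later in cli_scanpe outside that branch, this hunk does not cover it, which the visible lines cannot confirm either way. Please verify the other uses, and expand the `## DP:` line to mention CVE-2008-6680 and that `valign` is the section alignment taken from the PE header, since "division by zero fix" is all a reader of the dpatch gets.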
diff --git a/debian/patches/51.untar.c.CVE-2009-1270.dpatch b/debian/patches/51.untar.c.CVE-2009-1270.dpatch
new file mode 100644
index 0000000..9d3c9ef
--- /dev/null
+++ b/debian/patches/51.untar.c.CVE-2009-1270.dpatch
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 51.untar.c.CVE-2009-1270.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: clamd and clamscan hang up fix
+
+ at DPATCH@
+diff --git a/libclamav/untar.c b/libclamav/untar.c
+index 6d0257c..a4225b8 100644
+--- a/libclamav/untar.c
++++ b/libclamav/untar.c
+@@ -182,6 +182,10 @@ cli_untar(const char *dir, int desc, unsigned int posix, const struct cl_limits
+ 			if(skipEntry) {
+ 				const int nskip = (size % BLOCKSIZE || !size) ? size + BLOCKSIZE - (size % BLOCKSIZE) : size;
+ 
++        if(nskip < 0) {
++          cli_dbgmsg("cli_untar: got nagative skip size, giving up\n");
++          return CL_CLEAN;
++        }
+ 				cli_dbgmsg("cli_untar: skipping entry\n");
+ 				lseek(desc, nskip, SEEK_CUR);
+ 				continue;
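Review bot: returning CL_CLEAN when `nskip < 0` reports an archive that could not be parsed as clean; a malformed entry is exactly the case a scanner should not silently pass, so the error return the function already uses for invalid entries (or at least a cli_warnmsg rather than cli_dbgmsg) would be the safer choice. Two smaller points on the same lines: the added block is indented with spaces while the surrounding code uses tabs, and "nagative" should read "negative". The return value of the `lseek()` just below is still unchecked, as before the patch.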
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 5eab62f..6a59e74 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+clamav (0.94.dfsg.2-1lenny1) unstable; urgency=low
+
+  [ Scott Kittermann ]
+  * Backported change from 0.95 of FLEVEL_DCONF to be able to re-enable
+    signatures when security issues have been fixed.
+  * Security issues addressed in this release (closes: #523016, 522744):
+    - [CVE-2008-6680] Fixed division by zero with --detect-broken.
+    - [CVE-2009-1270] clamd and clamscan get hung up.
+
+ -- Michael Tautschnig <mt at debian.org>  Thu, 09 Apr 2009 22:05:21 +0200
+
 clamav (0.94.dfsg.2-1) unstable; urgency=low
 
   [ Stephen Gran ]
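Review bot: the distribution field reads `unstable`, but the mail says this build is the one targeted at stable-security and the version string 0.94.dfsg.2-1lenny1 is a lenny update; the entry should say `stable-security` so the upload is accepted for the intended suite. The two CVE descriptions inherit the vague "get hung up" wording noted for the etch changelog.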
diff --git a/libclamav/dconf.c b/libclamav/dconf.c
index 3267cf7..f67d6b4 100644
--- a/libclamav/dconf.c
+++ b/libclamav/dconf.c
@@ -241,7 +241,7 @@ static int chkflevel(const char *entry, int field)
 	    return 0;
 	}
 
-	if((unsigned int) atoi(pt) > cl_retflevel()) {
+	if((unsigned int) atoi(pt) > CL_FLEVEL_DCONF) {
 	    free(pt);
 	    return 0;
 	}
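Review bot: with this comparison a signature whose minimum f-level is 39, 40 or 41 now loads although the engine's own CL_FLEVEL stays at 38, which is the intent for signatures upstream disabled for security reasons but also admits any signature that genuinely needs engine functionality added between those levels. Consider a cli_dbgmsg when `atoi(pt)` is above CL_FLEVEL but at or below CL_FLEVEL_DCONF, so that such signatures can be identified if they misbehave on the 0.94 engine.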
@@ -254,7 +254,7 @@ static int chkflevel(const char *entry, int field)
 		return 0;
 	    }
 
-	    if((unsigned int) atoi(pt) < cl_retflevel()) {
+	    if((unsigned int) atoi(pt) < CL_FLEVEL_DCONF) {
 		free(pt);
 		return 0;
 	    }
diff --git a/libclamav/others.c b/libclamav/others.c
index 54784f4..a0418cc 100644
--- a/libclamav/others.c
+++ b/libclamav/others.c
@@ -90,8 +90,6 @@ static pthread_mutex_t cli_ctime_mutex = PTHREAD_MUTEX_INITIALIZER;
 #define       P_tmpdir        "C:\\WINDOWS\\TEMP"
 #endif
 
-#define CL_FLEVEL 38 /* don't touch it */
-
 uint8_t cli_debug_flag = 0, cli_leavetemps_flag = 0;
 
 #ifndef CLI_MEMFUNSONLY
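Review bot: removing the private CL_FLEVEL definition here is only safe if others.c (and every other translation unit that uses CL_FLEVEL or implements cl_retflevel()) includes others.h, which the context lines do not show; please confirm, since a stale local definition would silently shadow the header's value. The "don't touch it" warning is preserved in the header comment, so nothing is lost there.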
diff --git a/libclamav/others.h b/libclamav/others.h
index b98dd9b..c862e22 100644
--- a/libclamav/others.h
+++ b/libclamav/others.h
@@ -32,6 +32,18 @@
 #include "clamav.h"
 #include "dconf.h"
 
+/*
+ * CL_FLEVEL is the signature f-level specific to the current code and
+ *	     should never be modified
+ * CL_FLEVEL_DCONF is used in the dconf module and can be bumped by
+ * distribution packagers provided they fix *all* security issues found
+ * in the old versions of ClamAV. Updating CL_FLEVEL_DCONF will result
+ * in re-enabling affected modules.
+ */
+
+#define CL_FLEVEL 38
+#define CL_FLEVEL_DCONF	41
+
 extern uint8_t cli_debug_flag, cli_leavetemps_flag;
 
 /*
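Review bot: the comment tells a future packager to bump CL_FLEVEL_DCONF only after fixing *all* security issues but not which issues or which upstream release the value 41 stands for; record that 41 corresponds to the 0.95 level the change was backported from and list the fixes it relies on (here CVE-2008-6680 and CVE-2009-1270 per the mail), otherwise the next bump is a guess. Also a style nit: `#define CL_FLEVEL_DCONF	41` uses a tab where the line above uses a space.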
diff --git a/libclamav/pe.c b/libclamav/pe.c
index bc5f1ce..9ae0330 100644
--- a/libclamav/pe.c
+++ b/libclamav/pe.c
@@ -791,7 +791,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 
 	cli_dbgmsg("------------------------------------\n");
 
-	if (DETECT_BROKEN && (exe_sections[i].urva % valign)) { /* Bad virtual alignment */
+	if (DETECT_BROKEN && (!valign || (exe_sections[i].urva % valign))) { /* Bad virtual alignment */
 	    cli_dbgmsg("VirtualAddress is misaligned\n");
 	    if(ctx->virname)
 	        *ctx->virname = "Broken.Executable";
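Review bot: same remark as for the etch variant of this hunk: the `!valign` guard lives inside the DETECT_BROKEN branch, so a zero alignment is only rejected when --detect-broken is in use; please confirm that `valign` is not used as a divisor elsewhere in cli_scanpe, as the surrounding lines do not show the remaining uses.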
diff --git a/libclamav/untar.c b/libclamav/untar.c
index 94ee2a6..cc8dddf 100644
--- a/libclamav/untar.c
+++ b/libclamav/untar.c
@@ -172,7 +172,11 @@ cli_untar(const char *dir, int desc, unsigned int posix, cli_ctx *ctx)
 
 			if(skipEntry) {
 				const int nskip = (size % BLOCKSIZE || !size) ? size + BLOCKSIZE - (size % BLOCKSIZE) : size;
-
+				
+				if(nskip < 0) {
+					cli_dbgmsg("cli_untar: got nagative skip size, giving up\n");
+					return CL_CLEAN;
+				}
 				cli_dbgmsg("cli_untar: skipping entry\n");
 				lseek(desc, nskip, SEEK_CUR);
 				continue;
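Review bot: as in the etch patch, returning CL_CLEAN on a negative skip size reports an unparseable archive as clean; an error return (or at least cli_warnmsg) would be more appropriate, and "nagative" should read "negative". In addition, the blank line that was removed is replaced by a line containing only a tab, which introduces trailing whitespace.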