[Pkg-clamav-devel] ClamAV, again

Michael Tautschnig mt at debian.org
Sun Apr 12 06:13:32 UTC 2009


Hi all,

The latest version of ClamAV (0.95.1) fixes several security issues, one of
which also affects the versions in etch, lenny, and etch-volatile. All the
others only affect the version currently in unstable, but we're working on
updating this one anyway.

The remaining issue is briefly described at
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1552; it appears to allow a
DoS. I don't think there is a CVE(-request) yet.

The patches for oldstable-security, stable-security, and etch-volatile are
attached. Please let us know whether we should upload or wait for a CVE-Id
instead.

Thanks,
Michael

-------------- next part --------------
commit d14eaf7be8e8e1087ea5dddac2db2e6dddd07dea
Author: Michael Tautschnig <mt at debian.org>
Date:   Sun Apr 12 08:09:44 2009 +0200

    Backported fix for #1552
    
    Signed-off-by: Michael Tautschnig <mt at debian.org>

diff --git a/debian/changelog b/debian/changelog
index 196b5d9..dc1f27a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+clamav (0.90.1dfsg-4etch19) oldstable-security; urgency=low
+
+  * Backported hardening of CLI_ISCONTAINED macros (fixes UPack crash with
+    malformed file, #1552)
+
+ -- Stephen Gran <sgran at debian.org>  Sun, 12 Apr 2009 08:09:20 +0200
+
 clamav (0.90.1dfsg-4etch18) oldstable-security; urgency=low
 
   * [CVE-2008-6680] Fixed division by zero with --detect-broken.
diff --git a/debian/patches/00list b/debian/patches/00list
index 807c9db..349b038 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -27,3 +27,4 @@
 49.special.c.dpatch
 50.pe.c.CVE-2008-6680.dpatch
 51.untar.c.CVE-2009-1270.dpatch
+52.others.h.CVE-XXXX-XXXX.dpatch
diff --git a/debian/patches/52.others.h.CVE-XXXX-XXXX.dpatch b/debian/patches/52.others.h.CVE-XXXX-XXXX.dpatch
new file mode 100644
index 0000000..18eb56b
--- /dev/null
+++ b/debian/patches/52.others.h.CVE-XXXX-XXXX.dpatch
@@ -0,0 +1,28 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 52.others.h.CVE-XXXX-XXXX.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: UPack crash with malformed file
+
+ at DPATCH@
+diff --git a/libclamav/others.h b/libclamav/others.h
+index a01a414..7e636a7 100644
+--- a/libclamav/others.h
++++ b/libclamav/others.h
+@@ -41,12 +41,12 @@ extern uint8_t cli_debug_flag;
+  * The macro can be used to protect against wraps.
+  */
+ #define CLI_ISCONTAINED(bb, bb_size, sb, sb_size)	\
+-    (bb_size > 0 && sb_size > 0 && sb_size <= bb_size	\
+-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
++  ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
++   && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
+ 
+ #define CLI_ISCONTAINED2(bb, bb_size, sb, sb_size)	\
+-    (bb_size > 0 && sb_size >= 0 && sb_size <= bb_size	\
+-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size >= bb)
++  ((bb_size) > 0 && (sb_size) >= 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
++   && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) >= (bb) && (sb) < ((bb) + (bb_size)))
+ 
+ #define CLI_MAX_ALLOCATION 184549376
+ 
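Review bot: The rewritten CLI_ISCONTAINED and CLI_ISCONTAINED2 still form `(sb) + (sb_size)` and `(bb) + (bb_size)` before anything has shown that those sums stay inside the buffer, so for an out-of-range `sb` the wrap checks depend on pointer overflow, which is undefined in C and which an optimising compiler may drop. One option is to keep the sign and size tests and compare offsets instead, e.g. `(sb) >= (bb) && (size_t)((sb) - (bb)) <= (size_t)(bb_size) - (size_t)(sb_size)`, with CLI_ISCONTAINED2 also needing `(size_t)((sb) - (bb)) < (size_t)(bb_size)` for the zero-length case. Each argument is also expanded several times, so the comment above the macros (it starts outside the hunk) should say that arguments must be free of side effects. The same applies to the libclamav/others.h hunks in the other two commits.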
-------------- next part --------------
commit 928357f2f9b38addeec13c175311bc65de8e1421
Author: Michael Tautschnig <mt at debian.org>
Date:   Sun Apr 12 08:00:28 2009 +0200

    Backported fix for #1552
    
    Signed-off-by: Michael Tautschnig <mt at debian.org>

diff --git a/configure b/configure
index 5c32986..429e97e 100755
--- a/configure
+++ b/configure
@@ -12427,8 +12427,8 @@ static struct v{
 extern void abort(void);
 
 #define CLI_ISCONTAINED(bb, bb_size, sb, sb_size)	\
-    (bb_size > 0 && sb_size > 0 && sb_size <= bb_size	\
-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+  ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+   && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
 
 int crashtest()
 {
diff --git a/configure.in b/configure.in
index 4a27763..5af6f30 100644
--- a/configure.in
+++ b/configure.in
@@ -185,8 +185,8 @@ static struct v{
 extern void abort(void);
 
 #define CLI_ISCONTAINED(bb, bb_size, sb, sb_size)	\
-    (bb_size > 0 && sb_size > 0 && sb_size <= bb_size	\
-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+  ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+   && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
 
 int crashtest()
 {
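Review bot: The macro body is copied by hand into this configure test, and nothing in the hunk ties it to the definition in libclamav/others.h, so the two can drift and the test would then exercise a different expression from the one the library compiles. A comment above the `#define`, such as `/* keep in sync with CLI_ISCONTAINED in libclamav/others.h */`, would make the dependency explicit. The same applies to the identical configure.in hunk in the third commit. crashtest() continues outside the hunk, so what it actually checks cannot be confirmed from here.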
diff --git a/debian/changelog b/debian/changelog
index 50974c0..dc69b03 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+clamav (0.94.dfsg.2-1~volatile3) etch-volatile; urgency=low
+
+  * Backported hardening of CLI_ISCONTAINED macros (fixes UPack crash with
+    malformed file, #1552)
+
+ -- Michael Tautschnig <mt at debian.org>  Sun, 12 Apr 2009 07:59:09 +0200
+
 clamav (0.94.dfsg.2-1~volatile2) etch-volatile; urgency=low
 
   [ Scott Kittermann ]
diff --git a/libclamav/others.h b/libclamav/others.h
index c862e22..29305de 100644
--- a/libclamav/others.h
+++ b/libclamav/others.h
@@ -56,12 +56,12 @@ extern uint8_t cli_debug_flag, cli_leavetemps_flag;
  * The macro can be used to protect against wraps.
  */
 #define CLI_ISCONTAINED(bb, bb_size, sb, sb_size)	\
-    (bb_size > 0 && sb_size > 0 && sb_size <= bb_size	\
-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+  ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+   && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
 
 #define CLI_ISCONTAINED2(bb, bb_size, sb, sb_size)	\
-    (bb_size > 0 && sb_size >= 0 && sb_size <= bb_size	\
-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size >= bb)
+  ((bb_size) > 0 && (sb_size) >= 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+   && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) >= (bb) && (sb) < ((bb) + (bb_size)))
 
 #define CLI_MAX_ALLOCATION 184549376
 
-------------- next part --------------
commit 35e8736d73465a659025933726b330ffd62b273d
Author: Michael Tautschnig <mt at debian.org>
Date:   Sun Apr 12 08:00:28 2009 +0200

    Backported fix for #1552
    
    Signed-off-by: Michael Tautschnig <mt at debian.org>

diff --git a/configure b/configure
index 5c32986..429e97e 100755
--- a/configure
+++ b/configure
@@ -12427,8 +12427,8 @@ static struct v{
 extern void abort(void);
 
 #define CLI_ISCONTAINED(bb, bb_size, sb, sb_size)	\
-    (bb_size > 0 && sb_size > 0 && sb_size <= bb_size	\
-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+  ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+   && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
 
 int crashtest()
 {
diff --git a/configure.in b/configure.in
index 4a27763..5af6f30 100644
--- a/configure.in
+++ b/configure.in
@@ -185,8 +185,8 @@ static struct v{
 extern void abort(void);
 
 #define CLI_ISCONTAINED(bb, bb_size, sb, sb_size)	\
-    (bb_size > 0 && sb_size > 0 && sb_size <= bb_size	\
-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+  ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+   && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
 
 int crashtest()
 {
diff --git a/debian/changelog b/debian/changelog
index 6a59e74..b647554 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+clamav (0.94.dfsg.2-1lenny2) unstable; urgency=low
+
+  * Backported hardening of CLI_ISCONTAINED macros (fixes UPack crash with
+    malformed file, #1552)
+
+ -- Michael Tautschnig <mt at debian.org>  Sun, 12 Apr 2009 07:59:09 +0200
+
 clamav (0.94.dfsg.2-1lenny1) unstable; urgency=low
 
   [ Scott Kittermann ]
diff --git a/libclamav/others.h b/libclamav/others.h
index c862e22..29305de 100644
--- a/libclamav/others.h
+++ b/libclamav/others.h
@@ -56,12 +56,12 @@ extern uint8_t cli_debug_flag, cli_leavetemps_flag;
  * The macro can be used to protect against wraps.
  */
 #define CLI_ISCONTAINED(bb, bb_size, sb, sb_size)	\
-    (bb_size > 0 && sb_size > 0 && sb_size <= bb_size	\
-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+  ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+   && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
 
 #define CLI_ISCONTAINED2(bb, bb_size, sb, sb_size)	\
-    (bb_size > 0 && sb_size >= 0 && sb_size <= bb_size	\
-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size >= bb)
+  ((bb_size) > 0 && (sb_size) >= 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+   && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) >= (bb) && (sb) < ((bb) + (bb_size)))
 
 #define CLI_MAX_ALLOCATION 184549376
 