[Pkg-clamav-devel] ClamAV, again
Michael Tautschnig
mt at debian.org
Sun Apr 12 06:59:33 UTC 2009
> Hi all,
>
> The latest version of ClamAV (0.95.1) fixes several security issues, one of
> which also affects the versions in etch, lenny, and etch-volatile. All the
> others only affect the version currently in unstable, but we're working on
> updating this one anyway.
>
> The remaining issue is briefly described at
> https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1552, seems to be a possibility
> for a DoS. I don't think there is a CVE(-request) yet.
>
> The patches for oldstable-security, stable-security, and etch-volatile are
> attached. Please let us know whether we should upload or wait for a CVE-Id
> instead.
>
Attached please find updated versions of the changes for lenny-security and
etch-volatile (the first one finally has the proper distribution, and both of
them include a bumped FLEVEL to re-enable signatures).
Best,
Michael
-------------- next part --------------
commit 84fc5e2d98df2c95f4506e81f979c1e1411723b3
Author: Michael Tautschnig <mt at debian.org>
Date: Sun Apr 12 08:00:28 2009 +0200
Backported fix for #1552
- also bumped CL_FLEVEL_DCONF to 42 (as in 0.95.1)
Signed-off-by: Michael Tautschnig <mt at debian.org>
diff --git a/configure b/configure
index 5c32986..429e97e 100755
--- a/configure
+++ b/configure
@@ -12427,8 +12427,8 @@ static struct v{
extern void abort(void);
#define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \
- (bb_size > 0 && sb_size > 0 && sb_size <= bb_size \
- && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+ ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+ && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
int crashtest()
{
diff --git a/configure.in b/configure.in
index 4a27763..5af6f30 100644
--- a/configure.in
+++ b/configure.in
@@ -185,8 +185,8 @@ static struct v{
extern void abort(void);
#define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \
- (bb_size > 0 && sb_size > 0 && sb_size <= bb_size \
- && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+ ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+ && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
int crashtest()
{
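Review bot: The probe program carries its own verbatim copy of CLI_ISCONTAINED, and nothing in the hunk marks it as a copy of the definition in libclamav/others.h. This commit updates both by hand, which suggests they are meant to match; a later change to the header alone would leave the probe exercising a different expression. A one-line comment above the copy would help, e.g. `/* copy of CLI_ISCONTAINED from libclamav/others.h - keep in sync */`. The body of crashtest() lies outside the hunk, so what the probe actually checks is not visible here; the same applies to the configure.in hunk in the second attachment.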
diff --git a/debian/changelog b/debian/changelog
index 50974c0..dc69b03 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+clamav (0.94.dfsg.2-1~volatile3) etch-volatile; urgency=low
+
+ * Backported hardening of CLI_ISCONTAINED macros (fixes UPack crash with
+ malformed file, #1552)
+
+ -- Michael Tautschnig <mt at debian.org> Sun, 12 Apr 2009 07:59:09 +0200
+
clamav (0.94.dfsg.2-1~volatile2) etch-volatile; urgency=low
[ Scott Kittermann ]
diff --git a/libclamav/others.h b/libclamav/others.h
index c862e22..00a5c04 100644
--- a/libclamav/others.h
+++ b/libclamav/others.h
@@ -42,7 +42,7 @@
*/
#define CL_FLEVEL 38
-#define CL_FLEVEL_DCONF 41
+#define CL_FLEVEL_DCONF 42
extern uint8_t cli_debug_flag, cli_leavetemps_flag;
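Review bot: CL_FLEVEL_DCONF moves to 42 while CL_FLEVEL stays at 38 on the line above, and no comment records why the two differ or what 42 corresponds to. The commit message ties 42 to 0.95.1 and the cover mail says the bump re-enables signatures, so the value presumably tells level-keyed configuration that this build carries the 0.95.1 fixes. If that is right, it should be raised only when every fix that level implies for this code base is present, not just #1552. I would add a comment such as `/* 42 = 0.95.1 dconf level; raised by the #1552 backport, engine features remain at CL_FLEVEL 38 */`. The comment block above these defines starts outside the hunk, and the identical hunk in the second attachment has the same gap.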
@@ -56,12 +56,12 @@ extern uint8_t cli_debug_flag, cli_leavetemps_flag;
* The macro can be used to protect against wraps.
*/
#define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \
- (bb_size > 0 && sb_size > 0 && sb_size <= bb_size \
- && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+ ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+ && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
#define CLI_ISCONTAINED2(bb, bb_size, sb, sb_size) \
- (bb_size > 0 && sb_size >= 0 && sb_size <= bb_size \
- && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size >= bb)
+ ((bb_size) > 0 && (sb_size) >= 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+ && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) >= (bb) && (sb) < ((bb) + (bb_size)))
#define CLI_MAX_ALLOCATION 184549376
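Review bot: Both rewritten macros still compute `(sb) + (sb_size)` and `(bb) + (bb_size)` before comparing them, so with pointer arguments the wrap protection the comment above promises depends on out-of-range pointer arithmetic wrapping like an integer, which C leaves undefined and which an optimizer may assume never happens. Once `(sb) >= (bb)` and the size ordering hold, the sum-based terms of CLI_ISCONTAINED can be replaced by an offset comparison, `&& (size_t)((sb) - (bb)) <= (size_t)(bb_size) - (size_t)(sb_size)`; CLI_ISCONTAINED2 also needs `(size_t)((sb) - (bb)) < (size_t)(bb_size)` to keep the new start-inside-the-buffer test for a zero-length sb. Callers are not visible here, so this assumes both arguments have the same pointer (or integer) type. The comment, which starts outside the hunk, should also say that each argument is expanded several times and must have no side effects. The same applies to the copies in configure.in and to the matching hunks in the second attachment.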
-------------- next part --------------
commit 87ed68876a9583c225767b519a0279b805608756
Author: Michael Tautschnig <mt at debian.org>
Date: Sun Apr 12 08:00:28 2009 +0200
Backported fix for #1552
- also bumped CL_FLEVEL_DCONF to 42 (as in 0.95.1)
Signed-off-by: Michael Tautschnig <mt at debian.org>
diff --git a/configure b/configure
index 5c32986..429e97e 100755
--- a/configure
+++ b/configure
@@ -12427,8 +12427,8 @@ static struct v{
extern void abort(void);
#define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \
- (bb_size > 0 && sb_size > 0 && sb_size <= bb_size \
- && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+ ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+ && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
int crashtest()
{
diff --git a/configure.in b/configure.in
index 4a27763..5af6f30 100644
--- a/configure.in
+++ b/configure.in
@@ -185,8 +185,8 @@ static struct v{
extern void abort(void);
#define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \
- (bb_size > 0 && sb_size > 0 && sb_size <= bb_size \
- && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+ ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+ && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
int crashtest()
{
diff --git a/debian/changelog b/debian/changelog
index c9b4fdf..2b83997 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+clamav (0.94.dfsg.2-1lenny2) stable-security; urgency=low
+
+ * Backported hardening of CLI_ISCONTAINED macros (fixes UPack crash with
+ malformed file, #1552)
+
+ -- Michael Tautschnig <mt at debian.org> Sun, 12 Apr 2009 07:59:09 +0200
+
clamav (0.94.dfsg.2-1lenny1) stable-security; urgency=low
[ Scott Kittermann ]
diff --git a/libclamav/others.h b/libclamav/others.h
index c862e22..00a5c04 100644
--- a/libclamav/others.h
+++ b/libclamav/others.h
@@ -42,7 +42,7 @@
*/
#define CL_FLEVEL 38
-#define CL_FLEVEL_DCONF 41
+#define CL_FLEVEL_DCONF 42
extern uint8_t cli_debug_flag, cli_leavetemps_flag;
@@ -56,12 +56,12 @@ extern uint8_t cli_debug_flag, cli_leavetemps_flag;
* The macro can be used to protect against wraps.
*/
#define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \
- (bb_size > 0 && sb_size > 0 && sb_size <= bb_size \
- && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+ ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+ && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
#define CLI_ISCONTAINED2(bb, bb_size, sb, sb_size) \
- (bb_size > 0 && sb_size >= 0 && sb_size <= bb_size \
- && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size >= bb)
+ ((bb_size) > 0 && (sb_size) >= 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+ && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) >= (bb) && (sb) < ((bb) + (bb_size)))
#define CLI_MAX_ALLOCATION 184549376
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-clamav-devel/attachments/20090412/b6477b65/attachment-0001.pgp>