[Pkg-clamav-devel] Bug#778406: Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Sat Feb 14 21:28:09 UTC 2015


On Sat, Feb 14, 2015 at 03:37:44PM +0100, Luciano Bello wrote:
> Please, can you confirm if the binary packages are affected? 

Yes, the code could be patched. In order to exploit it (or crash it) the
attacker should have full control over the pattern. Now let's see
- clamav-milter: the admin specifies whitelists, no remote
- phishcheck.c: static, no remote
- readdb.c: reads virus databases. .zmd, .rmd, .cdb databases can feed part of
  the file into the function in question. .wdb, .pdb as well (phishing db).
- sigtool.c: for manually creating signatures
- command line arguments :)

> Are stable and 
> testing affected?

They are affected in terms that the patch can be applied. The only way this
could be triggered by a non-admin is via a database update (according to my
code grepping the last few minutes). And this means an entry (within the
database) has to contain a regex-pattern and it should be at least 682 MiB
in size. The public / default databases are edited by the clamav team so I
doubt someone can sneak this in there.

All in all I would say not very applicable and no need for immediate action.
If you or anyone else feels different please let me know. I prepared this
patch [0]. It is the one you pointed out applied on the clamav tree with
minor changes to get it applied.

I will however forward this report to clamav upstream including the patch since
it is probably best to include it in future anyway.

[0] https://anonscm.debian.org/cgit/pkg-clamav/clamav.git/commit/?id=a2344cea2a22089ff0bac16c16e060ebb06425b0

> Cheers, luciano

Sebastian