[Pkg-clamav-devel] Bug#774820: wheezy-pu: clamav/0.98.5+dfsg-0+deb7u3

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Wed Jan 7 23:42:52 UTC 2015


Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org at packages.debian.org
Usertags: pu

Dear release team:

I'd like to update the clamav package in Wheezy with the following change:
|   * add "mspack-fix-division-by-zero-in-chm-format-handling" to fix divide
|     by zero in the chm unpacked. Found & patch by Jakub Wilk (Closes: #774766).
|   * add "mspack-fix-overflow-in-pointer-arithmetic-on-32bit" to avoid overflow
|     in pointer arithmetic causing a segfault on 32bit (Closes: #774767).

There are two equivalent bugs open against libmspack which is Jessie+
only.
Attaching a slightly edited .debdiff (the pointless index changes have
been removed).

Sebastian
diff -Nru clamav-0.98.5+dfsg/debian/changelog clamav-0.98.5+dfsg/debian/changelog
--- clamav-0.98.5+dfsg/debian/changelog	2015-01-04 00:41:33.000000000 +0100
+++ clamav-0.98.5+dfsg/debian/changelog	2015-01-07 21:59:47.000000000 +0100
@@ -1,3 +1,12 @@
+clamav (0.98.5+dfsg-0+deb7u3) stable; urgency=medium
+
+  * add "mspack-fix-division-by-zero-in-chm-format-handling" to fix divide
+    by zero in the chm unpacked. Found & patch by Jakub Wilk (Closes: #774766).
+  * add "mspack-fix-overflow-in-pointer-arithmetic-on-32bit" to avoid overflow
+    in pointer arithmetic causing a segfault on 32bit (Closes: #774767).
+
+ -- Sebastian Andrzej Siewior <sebastian at breakpoint.cc>  Wed, 07 Jan 2015 21:56:21 +0100
+
 clamav (0.98.5+dfsg-0+deb7u2) stable; urgency=medium
 
   * Add "libmspack-qtmd-fix-frame_end-overflow" to avoid endless-loop on
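Review bot: the new changelog entry carries two typos that will ship in the package metadata: "in the chm unpacked" should read "in the chm unpacker", and "Found & patch by Jakub Wilk" should read "Found & patched by Jakub Wilk". Worth fixing before upload since the same text is quoted in the cover mail.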
diff -Nru clamav-0.98.5+dfsg/debian/.git-dpm clamav-0.98.5+dfsg/debian/.git-dpm
--- clamav-0.98.5+dfsg/debian/.git-dpm	2015-01-04 00:41:33.000000000 +0100
+++ clamav-0.98.5+dfsg/debian/.git-dpm	2015-01-07 21:59:47.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-a0449d2079c4ba5822e6567ad7094c10108f16cd
-a0449d2079c4ba5822e6567ad7094c10108f16cd
+1a5b9b3aba6e15f6c7371aa23adbc0600a0cf830
+1a5b9b3aba6e15f6c7371aa23adbc0600a0cf830
 14c3d5ca803fd6baa5ab413e87ca6d6bb2e26a3d
 14c3d5ca803fd6baa5ab413e87ca6d6bb2e26a3d
 clamav_0.98.5+dfsg.orig.tar.xz
diff -Nru clamav-0.98.5+dfsg/debian/patches/0019-mspack-fix-division-by-zero-in-chm-format-handling.patch clamav-0.98.5+dfsg/debian/patches/0019-mspack-fix-division-by-zero-in-chm-format-handling.patch
--- clamav-0.98.5+dfsg/debian/patches/0019-mspack-fix-division-by-zero-in-chm-format-handling.patch	1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.98.5+dfsg/debian/patches/0019-mspack-fix-division-by-zero-in-chm-format-handling.patch	2015-01-07 21:59:48.000000000 +0100
@@ -0,0 +1,30 @@
+From c673c5b4aabdd1d71fe9cc2df67f394e6038404d Mon Sep 17 00:00:00 2001
+From: Jakub Wilk <jwilk at debian.org>
+Date: Wed, 7 Jan 2015 14:05:38 +0100
+Subject: mspack: fix division by zero in chm format handling
+
+Fix division by 0 error found by special crated .chm by AFL.
+
+BTS:
+	https://bugs.debian.org/774725
+	https://bugs.debian.org/774766
+
+[bigeasy: patch description]
+Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
+---
+ libclamav/libmspack-0.4alpha/mspack/chmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libclamav/libmspack-0.4alpha/mspack/chmd.c b/libclamav/libmspack-0.4alpha/mspack/chmd.c
+index 19dc47b..005c930 100644
+--- a/libclamav/libmspack-0.4alpha/mspack/chmd.c
++++ b/libclamav/libmspack-0.4alpha/mspack/chmd.c
+@@ -1123,7 +1123,7 @@ static int chmd_init_decomp(struct mschm_decompressor_p *self,
+   }
+ 
+   /* validate reset_interval */
+-  if (reset_interval % LZX_FRAME_SIZE) {
++  if (reset_interval % LZX_FRAME_SIZE || !reset_interval) {
+     D(("bad controldata reset interval"))
+     return self->error = MSPACK_ERR_DATAFORMAT;
+   }
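Review bot: the patch description says "division by 0 error found by special crated .chm by AFL", which should read "specially crafted .chm"; more importantly, the hunk only shows the validation of reset_interval, not the place where it is later used as a divisor, so the description should name that site so a reader can confirm the `!reset_interval` test actually covers it. The logic itself is sound: the visible modulus divides by the constant LZX_FRAME_SIZE, not by reset_interval, so the order of the two operands in `if (reset_interval % LZX_FRAME_SIZE || !reset_interval)` is safe, though putting `!reset_interval` first would read more naturally as "reject zero, then reject non-multiples".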
diff -Nru clamav-0.98.5+dfsg/debian/patches/0020-mspack-fix-overflow-in-pointer-arithmetic-on-32bit.patch clamav-0.98.5+dfsg/debian/patches/0020-mspack-fix-overflow-in-pointer-arithmetic-on-32bit.patch
--- clamav-0.98.5+dfsg/debian/patches/0020-mspack-fix-overflow-in-pointer-arithmetic-on-32bit.patch	1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.98.5+dfsg/debian/patches/0020-mspack-fix-overflow-in-pointer-arithmetic-on-32bit.patch	2015-01-07 21:59:48.000000000 +0100
@@ -0,0 +1,63 @@
+From 1a5b9b3aba6e15f6c7371aa23adbc0600a0cf830 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
+Date: Wed, 7 Jan 2015 21:31:36 +0100
+Subject: mspack: fix overflow in pointer arithmetic on 32bit
+
+There are two checks to ensure that the encoded length of the file name does not
+exceed the length of the memory where it is stored. That check is written as
+	p + name_len > end
+
+in general it works. On 32bit architectures it is possible that a large name_len
+overflows and p + name_len is less than p and therefore also less than end and
+the check does not catch it.
+Jakub rewrote the check as
+	name_len > end - p
+
+so name_len is compared against the remaining space in the memory chunk.
+
+Additionally Jakub added a check to chmd_read_headers() to avoid accessing
+name[name_len - 1] if it would overflow.
+
+BTS:
+	https://bugs.debian.org/774726
+	https://bugs.debian.org/774767
+
+[bigeasy: patch description]
+Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
+---
+ libclamav/libmspack-0.4alpha/mspack/chmd.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/libclamav/libmspack-0.4alpha/mspack/chmd.c b/libclamav/libmspack-0.4alpha/mspack/chmd.c
+index 005c930..c38ac92 100644
+--- a/libclamav/libmspack-0.4alpha/mspack/chmd.c
++++ b/libclamav/libmspack-0.4alpha/mspack/chmd.c
+@@ -445,7 +445,9 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh,
+     num_entries = EndGetI16(end);
+ 
+     while (num_entries--) {
+-      READ_ENCINT(name_len); name = p; p += name_len;
++      READ_ENCINT(name_len);
++      if (name_len > end - p) goto chunk_end;
++      name = p; p += name_len;
+       READ_ENCINT(section);
+       READ_ENCINT(offset);
+       READ_ENCINT(length);
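Review bot: `if (name_len > end - p) goto chunk_end;` compares an unsigned name_len (read via READ_ENCINT) against a signed ptrdiff_t; the usual arithmetic conversions turn a negative `end - p` into a huge unsigned value and the check would then pass. That is only safe if READ_ENCINT guarantees p <= end before and after every byte it consumes, which is not visible in this hunk. Either add a one-line comment stating that invariant, or make it explicit with `if (p > end || name_len > (size_t)(end - p)) goto chunk_end;`.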
+@@ -746,7 +748,7 @@ static int search_chunk(struct mschmd_header *chm,
+ 	    /* compare filename with entry QR points to */
+ 	    p = &chunk[entries_off + (M ? EndGetI16(start - (M << 1)) : 0)];
+ 	    READ_ENCINT(name_len);
+-	    if (p + name_len > end) goto chunk_end;
++	    if (name_len > end - p) goto chunk_end;
+ 	    cmp = compare(filename, (char *)p, fname_len, name_len);
+ 
+ 	    if (cmp == 0) break;
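Review bot: in this hunk p is recomputed on the line `p = &chunk[entries_off + (M ? EndGetI16(start - (M << 1)) : 0)];` from a 16-bit offset taken out of the chunk itself, and nothing in the visible lines checks that the result is still below end before READ_ENCINT reads through it. The rewritten `if (name_len > end - p)` only protects the filename compare that follows, so please confirm READ_ENCINT refuses to read at p >= end, or guard the recomputed pointer explicitly with `if (p >= end) goto chunk_end;` before READ_ENCINT(name_len).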
+@@ -783,7 +785,7 @@ static int search_chunk(struct mschmd_header *chm,
+     *result = NULL;
+     while (num_entries-- > 0) {
+ 	READ_ENCINT(name_len);
+-	if (p + name_len > end) goto chunk_end;
++	if (name_len > end - p) goto chunk_end;
+ 	cmp = compare(filename, (char *)p, fname_len, name_len);
+ 	p += name_len;
+ 
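Review bot: the description says "There are two checks" that were rewritten, but the patch touches three sites: the two `p + name_len > end` comparisons in search_chunk() plus the new check inserted in chmd_read_headers(); the diffstat line `1 file changed, 5 insertions(+), 3 deletions(-)` reflects this. Update the description to list all three so the changelog and the hunks agree. Same signedness caveat as above applies to `if (name_len > end - p)` here.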
diff -Nru clamav-0.98.5+dfsg/debian/patches/series clamav-0.98.5+dfsg/debian/patches/series
--- clamav-0.98.5+dfsg/debian/patches/series	2015-01-04 00:41:33.000000000 +0100
+++ clamav-0.98.5+dfsg/debian/patches/series	2015-01-07 21:59:48.000000000 +0100
@@ -16,3 +16,5 @@
 0016-Bump-.so-version-number.patch
 0017-llvm-don-t-use-system-libs.patch
 0018-libmspack-qtmd-fix-frame_end-overflow.patch
+0019-mspack-fix-division-by-zero-in-chm-format-handling.patch
+0020-mspack-fix-overflow-in-pointer-arithmetic-on-32bit.patch