Bug 45357 - clamav (0.68-1/0.70-rc) fixes DoS vulnerability with processing of RAR archives.
Summary: clamav (0.68-1/0.70-rc) fixes DoS vulnerability with processing of RAR archives.
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
URL: http://secunia.com/advisories/11177/
Whiteboard:
Keywords: SECURITY
Depends on:
Blocks:
 
Reported: 2004-03-22 01:37 UTC by Johan Ymerson
Modified: 2004-04-07 11:12 UTC
See Also:
Package list:
Runtime testing required: ---
klieber: Pending+
Description Johan Ymerson 2004-03-22 01:37:32 UTC
Certain RAR archives (for example some archives produced by the Bagle virus) can crash the RAR processor of clamav, leading to a denial of service.

Reproducible: Always
Comment 1 schaedpq 2004-03-23 01:35:47 UTC
The info about this bug from Bugtraq (http://www.securityfocus.com/bid/9897/info/) suggests to update to 0.68, not 0.70rc.
Therefore (since marking an rc as stable in portage is IMHO not a good idea) the security update in the GLSA (if there will be one) should be 0.68, not 0.70rc.
Comment 2 solar (RETIRED) gentoo-dev 2004-03-26 14:54:08 UTC
4 days and pending in critical state.. 

I'll bump this on behalf of the antivirus herd as it seems they are too busy to notice this bug.
Comment 3 solar (RETIRED) gentoo-dev 2004-03-26 15:04:23 UTC
Updated in portage as clamav-0.68
KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~hppa ~amd64 ~ia64"

Arch maintainers please test and mark stable when ready.
Comment 4 Jon Portnoy (RETIRED) gentoo-dev 2004-03-26 17:27:30 UTC
Stable on AMD64, removing from CC.
Comment 5 Jason Wever (RETIRED) gentoo-dev 2004-03-26 18:03:19 UTC
stable on sparc.
Comment 6 Johan Ymerson 2004-03-27 05:27:40 UTC
Version 0.68 doesn't solve the problem with RAR archives, but disables RAR archive support completely. Version 0.68-1 does solve the problem. Before marking 0.68 as stable, I think we should jump to 0.68-1 instead. Otherwise all Beagle RAR archives will be ignored!
Comment 7 Thomas Raschbacher gentoo-dev 2004-03-29 02:08:30 UTC
I'm using 0.70rc on 3 machines running stable and faster than 0.6x ..
Comment 8 Thomas Raschbacher gentoo-dev 2004-03-29 02:53:47 UTC
0.68.1 in portage (aka 0.68-1) please test and mark stable :)
Comment 9 Jason Wever (RETIRED) gentoo-dev 2004-03-29 08:17:42 UTC
Does someone have an infected rar file we can use for testing?
Comment 10 Jason Wever (RETIRED) gentoo-dev 2004-03-29 10:37:17 UTC
clamav should also probably have a crypt useflag that pulls in gmp as the clamav config script will disable digital certificate support (used to check the validity of the db mirrors) if it is not available or gmp version 2 or above is not installed.
Comment 11 Thomas Raschbacher gentoo-dev 2004-03-29 11:29:35 UTC
1) just try to scan a .rar archive ;)

2) true .. please add a bug for the gmp dep bug or I'll forget it again (planned to do b4 ;)

(in a hurry now ;)

regards
Comment 12 Jason Wever (RETIRED) gentoo-dev 2004-03-29 11:46:22 UTC
I don't have any rar archives, so I can't test them.  Providing a test or two for everyone will help expedite this.

Additionally, without the gmp fix it's very hard to ensure people are fully testing clamav before marking it stable, since some people may not be building digital certificate support if they don't have gmp (which is how I found the dependency).  If you really want a second bug that's fine but it should really be included in 0.68.1 for the GLSA (imo at least).
Comment 13 SpanKY gentoo-dev 2004-03-29 18:47:45 UTC
stable on hppa
Comment 14 Thomas Raschbacher gentoo-dev 2004-03-30 00:47:19 UTC
dep for dev-libs/gmp is in.
I added a dep for the dev-libs/gmp version I compiled it with. ppc, mips, hppa ppl please test dev-libs/gmp too and bump to stable first (maybe the lower version works too but it is marked stable on fewer archs than the newer one.)
Comment 15 Chris Russell (RETIRED) gentoo-dev 2004-03-30 03:26:49 UTC
I put the eicar test virus in raw, rar'd and layered compressed formats here:
http://dev.gentoo.org/~cjr/testvirus/
Comment 16 Kurt Lieber (RETIRED) gentoo-dev 2004-03-30 03:58:45 UTC
need to draft GLSA -- who wants this one?
Comment 17 Thomas Raschbacher gentoo-dev 2004-03-30 04:03:21 UTC
what do u mean 'wants' it?
Comment 18 Kurt Lieber (RETIRED) gentoo-dev 2004-03-30 04:20:02 UTC
Just asking one of the security folks to handle writing up the GLSA.  Move along, nothing to see here. :)
Comment 19 Jason Wever (RETIRED) gentoo-dev 2004-03-30 07:24:54 UTC
Thanks for the rar archives Chris :)

Using clamscan on both ~x86 and ~sparc with version 0.68.1 I get the following error scanning the provided rar archive:

eicar-test.rar: RAR module failure

If we want to go ahead with that, let me know and I'll stabilize on sparc.  If not, what's the next course of action?
Comment 20 Aron Griffis (RETIRED) gentoo-dev 2004-03-30 08:30:50 UTC
Marked clamav-0.68.1.ebuild stable on alpha and ia64, removing from cc
Comment 21 Sven Blumenstein (RETIRED) gentoo-dev 2004-03-30 13:23:15 UTC
>> eicar-test.rar: RAR module failure

It should report the virus and not break, right?
Comment 22 Jason Wever (RETIRED) gentoo-dev 2004-03-30 13:33:34 UTC
Correct, clamscan should be able to see the virus in the RAR and report on it.  However the clamav docs do mention that the rar support is extremely experimental and may not work correctly.  So it seems like the DoS may be fixed but the program is possibly not functioning as desired.
Comment 23 Thomas Raschbacher gentoo-dev 2004-03-31 00:44:28 UTC
I posted this link to the clamav-users mailing list. I hope someone who really knows about this will comment on it.
Comment 24 Chris Russell (RETIRED) gentoo-dev 2004-03-31 02:40:12 UTC
out of curiosity Jason, did it detect the non rar variants ok?
Comment 25 Kurt Lieber (RETIRED) gentoo-dev 2004-03-31 05:07:14 UTC
feel free to disagree with me, but as long as the DoS is fixed (and because it sounds like this problem isn't a severe one that prevents the entire program from working) I'd rather mark this stable now so we can issue the GLSA and inform our users of the vulnerability.

Jason -- thoughts?
Comment 26 Thomas Raschbacher gentoo-dev 2004-03-31 05:19:49 UTC
@klieber: /me agrees, I'd rather have my AV program miss one virus than crash completely
Comment 27 Jason Wever (RETIRED) gentoo-dev 2004-03-31 06:42:45 UTC
I just wanted to make sure people were aware of the fact that the RAR scanning wasn't working.  0.70_rc has the same problem, so it's not unique to 0.68.1 (which is already stable on sparc).  So let the GLSA roll.

Chris:  The regular gzip and bzip2 files as well as the uncompressed .com file were detected correctly as a virus.
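The regression check Chris (Comment 15) and Jason (Comments 19 and 27) carry out by hand, as an added shell example that is not part of the bug thread: it writes the EICAR test string in raw, gzip, bzip2 and (when a `rar` binary is present) RAR form, scans each with `clamscan`, and separates "detected" from "missed" from a scanner error such as the "RAR module failure" above. The `clamscan --no-summary` flag and the `rar a -ep -inul` flags are assumptions about the installed tools; the `/tmp/eicar-samples` directory is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the bug or from ClamAV. Builds EICAR samples in
# several container formats and classifies clamscan's result for each one.
set -u

# The 68-byte EICAR string is the published, harmless antivirus test signature.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# make_eicar_samples DIR: write eicar.com plus gzip/bzip2/rar variants, each only
# when the packer is installed. Prints one created path per line.
make_eicar_samples() {
    dir=$1
    mkdir -p "$dir"
    printf '%s' "$EICAR" > "$dir/eicar.com"
    echo "$dir/eicar.com"
    if command -v gzip >/dev/null 2>&1; then
        gzip -c "$dir/eicar.com" > "$dir/eicar.com.gz" && echo "$dir/eicar.com.gz"
    fi
    if command -v bzip2 >/dev/null 2>&1; then
        bzip2 -c "$dir/eicar.com" > "$dir/eicar.com.bz2" && echo "$dir/eicar.com.bz2"
    fi
    if command -v rar >/dev/null 2>&1; then
        # Assumed rar CLI flags: -ep strips the path, -inul silences output.
        (cd "$dir" && rar a -ep -inul eicar.rar eicar.com) && echo "$dir/eicar.rar"
    fi
}

# scan_sample FILE: run clamscan once and print detected|missed|skipped|error: ...
# clamscan exit status: 0 = clean, 1 = virus found, anything else = scanner error
# (a "RAR module failure" falls into the last group, not into "missed").
scan_sample() {
    file=$1
    command -v clamscan >/dev/null 2>&1 || { echo skipped; return 0; }
    out=$(clamscan --no-summary "$file" 2>&1)
    rc=$?
    case $rc in
        1) echo detected ;;
        0) echo missed ;;
        *) echo "error: $out" ;;
    esac
}

# Usage: sh eicar-check.sh run [DIR]; any sample not reported "detected"
# is the case Comment 19 describes and should block stabilisation or be noted in the GLSA.
if [ "${1:-}" = run ]; then
    for f in $(make_eicar_samples "${2:-/tmp/eicar-samples}"); do
        printf '%s: %s\n' "$f" "$(scan_sample "$f")"
    done
fi
```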
Comment 28 Lars Weiler (RETIRED) gentoo-dev 2004-04-02 19:48:50 UTC
The newer version is stable on ppc.
Comment 29 Thierry Carrez (RETIRED) gentoo-dev 2004-04-07 08:30:35 UTC
We still need stable on x86 before a GLSA can go out on this one.
-K
Comment 30 Seemant Kulleen (RETIRED) gentoo-dev 2004-04-07 10:23:00 UTC
.68.1 is stabled on x86, sorry for the delay
Comment 31 Kurt Lieber (RETIRED) gentoo-dev 2004-04-07 11:12:13 UTC
GLSA 200404-07