202762 2007-12-19 10:20 0000 app-antivirus/clamav < 0.91.2-r1 Multiple vulnerabilities (CVE-2007-{6335,6336,6337}) 2008-03-06 10:00:28 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=634 B1 [glsa] P2 major --- 1 rbu@gentoo.org security@gentoo.org antivirus@gentoo.org chainsaw@gentoo.org net-mail@gentoo.org rbu@gentoo.org 2007-12-19 10:20:33 0000 iDefense: Remote exploitation of an integer overflow vulnerability in Clam AntiVirus' ClamAV, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the affected process. The vulnerability exists within the code responsible for parsing PE files packed with the MEW packer. During unpacking, two untrusted values are taken directly from the file without being validated. These values are later used in an arithmetic operation to calculate the size used to allocate a heap buffer. This calculation can overflow, resulting in a buffer of insufficient size being allocated. This later leads to arbitrary areas of memory being overwritten with attacker supplied data. rbu@gentoo.org 2007-12-19 10:23:38 0000 Andrej, is 0.92 ready for stabling? craig@gentoo.org 2007-12-19 19:48:29 0000 Portage 2.1.3.19 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r1 i686) ================================================================= System uname: 2.6.23-gentoo-r1 i686 AMD Athlon(tm) XP 2400+ Timestamp of tree: Wed, 19 Dec 2007 18:30:01 +0000 app-shells/bash: 3.2_p17 dev-java/java-config: 1.3.7, 2.0.33-r1 dev-lang/python: 2.3.5-r3, 2.4.4-r6 dev-python/pycrypto: 2.0.1-r6 sys-apps/baselayout: 1.12.9-r2 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.22-r2 ACCEPT_KEYWORDS="x86" CBUILD="i686-pc-linux-gnu" CFLAGS="-Os -march=athlon-xp -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/lib/fax /usr/share/X11/xkb /usr/share/config /var/spool/fax/etc" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d" CXXFLAGS="-Os -march=athlon-xp -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="ftp://192.168.0.2:66/ http://gentoo.intergenia.de/ ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo/ ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo/ ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo" LANG="de_DE@euro" LC_ALL="de_DE@euro" LINGUAS="de" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="3dnow 3dnowext X a52 aac acl acpi aiglx alsa amr apache2 arts asf berkdb bitmap-fonts bzip2 bzlib cairo cdb cdparanoia cdr cli cracklib crypt css cups curl dbus dga directfb divx4linux dri dts dv dvd dvdr dvdread eds emboss encode ethereal evo extrafilters fbcon ffmpeg firefox flac fortran ftp gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv icq imagemagick isdnlog java jikes jpeg kerberos lame lzo mad midi mikmod mime mjpeg mmx mmxext motif mp3 mpeg mtrr mudflap musepack ncurses network nls nptl nptlonly nsplugin nvidia ogg oggvorbis opengl openmp oss pam pcre pdf perl png pppd print python qt3 qt3support qt4 quicktime readline real reflection samba sdl session snmp sockets spell spl sse ssl svg svga tcpd theora threads tiff truetype truetype-fonts type1-fonts unicode usb userlocales vcd vorbis win32codecs x264 x86 xine xinerama xml xorg xprint xv xvid xvmc zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de" USERLAND="GNU" VIDEO_CARDS="nv nvidia" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY 0.92 works fine here. rbu@gentoo.org 2007-12-19 23:18:18 0000 Created an attachment (id=138927) clamav-0.91.2-CVE-2007-5759.patch rbu@gentoo.org 2007-12-19 23:18:33 0000 Created an attachment (id=138929) clamav-0.91.2-CVE-2007-6336.patch rbu@gentoo.org 2007-12-19 23:18:47 0000 Created an attachment (id=138930) clamav-0.91.2-CVE-2007-6337.patch rbu@gentoo.org 2007-12-19 23:29:41 0000 There were further vulnerabilities fixed in this release: CVE-2007-6336: It was discovered that on off-by-one in the MS-ZIP decompression code may lead to the execution of arbitrary code. CVE-2007-6337: fix bzlib bug (aCaB) ??? I am not sure about the contents of this yet. <Ticho> well, both klamav and Mail::ClamAV use some clamav internal functions which shouldn't really be used outside of clamav, and those changed in this release Ticho, can you please bump 0.91.2 with the attached patches? Thanks. ticho@gentoo.org 2007-12-20 00:31:18 0000 0.91.2-r1 committed, with these patches applied. Thanks! rbu@gentoo.org 2007-12-20 00:33:48 0000 Arches, please test and mark stable app-antivirus/clamav-0.91.2-r1. Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86" ranger@gentoo.org 2007-12-20 01:36:23 0000 ppc and ppc64 stable maekke@gentoo.org 2007-12-20 13:20:43 0000 x86 stable fmccor@gentoo.org 2007-12-20 13:49:32 0000 Stable for sparc. jer@gentoo.org 2007-12-20 14:52:23 0000 Stable for HPPA. armin76@gentoo.org 2007-12-20 16:00:52 0000 alpha/ia64 stable welp@gentoo.org 2007-12-26 15:52:20 0000 amd64 stable keytoaster@gentoo.org 2007-12-26 16:19:25 0000 All arches done, GLSA request filed. rbu@gentoo.org 2007-12-29 16:07:07 0000 GLSA 200712-20, thanks everyone. pva@gentoo.org 2008-03-06 10:00:28 0000 Does not affect current (2008.0) release. Removing release. 138927 2007-12-19 23:18 0000 clamav-0.91.2-CVE-2007-5759.patch clamav-0.91.2-CVE-2007-5759.patch text/plain VGh1IERlYyAgNiAxNToyMjoyNyBDRVQgMjAwNyAodGspCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLQogICogbGliY2xhbWF2L3BlLmM6IGZpeCBwb3NzaWJsZSBpbnRlZ2VyIG92ZXJm bG93IGluIE1FVyByZWxhdGVkIGNvZGUKICAgICAgICAgICAgICAgICAgICBSZXBvcnRlZCBieSBp RGVmZW5zZSBbSURFRjI4NDJdCgogICAgQmFja3BvcnRlZCBieSA8c2dyYW5AZGViaWFuLm9yZz4K CiAgICBTVk4gcjMzNzYKCkluZGV4OiBjbGFtYXYtMC45MS4yL2xpYmNsYW1hdi9wZS5jCj09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT0KLS0tIGNsYW1hdi0wLjkxLjIub3JpZy9saWJjbGFtYXYvcGUuYworKysgY2xhbWF2LTAu OTEuMi9saWJjbGFtYXYvcGUuYwpAQCAtODAsNiArODAsMTggQEAKICNkZWZpbmUgUEVBTElHTihv LGEpICgoKGEpKT8oKChvKS8oYSkpKihhKSk6KG8pKQogI2RlZmluZSBQRVNBTElHTihvLGEpICgo KGEpKT8oKChvKS8oYSkrKChvKSUoYSkhPTApKSooYSkpOihvKSkKIAorI2RlZmluZSBDTElfVU5Q U0laRUxJTUlUUyhOQU1FLENISykgXAoraWYoY3R4LT5saW1pdHMgJiYgY3R4LT5saW1pdHMtPm1h eGZpbGVzaXplICYmIChDSEspID4gY3R4LT5saW1pdHMtPm1heGZpbGVzaXplKSB7IFwKKyAgICBj bGlfZGJnbXNnKE5BTUUiOiBTaXplcyBleGNlZWRlZCAoJWx1ID4gJWx1KVxuIiwgKENISyksIGN0 eC0+bGltaXRzLT5tYXhmaWxlc2l6ZSk7IFwKKyAgICBmcmVlKGV4ZV9zZWN0aW9ucyk7IFwKKyAg ICBpZihCTE9DS01BWCkgeyBcCisgICAgICAgICpjdHgtPnZpcm5hbWUgPSAiUEUuIk5BTUUiLkV4 Y2VlZGVkRmlsZVNpemUiOyBcCisgICAgICAgIHJldHVybiBDTF9WSVJVUzsgXAorICAgIH0gZWxz ZSB7IFwKKyAgICAgICAgcmV0dXJuIENMX0NMRUFOOyBcCisgICAgfSBcCit9CisKIGV4dGVybiBz aG9ydCBjbGlfbGVhdmV0ZW1wc19mbGFnOwogCiBzdHJ1Y3Qgb2Zmc2V0X2xpc3QgewpAQCAtMTE1 MywxNiArMTE2NSw5IEBAIGludCBjbGlfc2NhbnBlKGludCBkZXNjLCBjbGlfY3R4ICpjdHgpCiAJ CWRzaXplID0gZXhlX3NlY3Rpb25zW2ldLnZzejsKIAogCQljbGlfZGJnbXNnKCJNRVc6IHNzaXpl ICUwOHggZHNpemUgJTA4eCBvZmZkaWZmOiAlMDh4XG4iLCBzc2l6ZSwgZHNpemUsIG9mZmRpZmYp OwotCQlpZihjdHgtPmxpbWl0cyAmJiBjdHgtPmxpbWl0cy0+bWF4ZmlsZXNpemUgJiYgKHNzaXpl ICsgZHNpemUgPiBjdHgtPmxpbWl0cy0+bWF4ZmlsZXNpemUgfHwgZXhlX3NlY3Rpb25zW2kgKyAx XS5yc3ogPiBjdHgtPmxpbWl0cy0+bWF4ZmlsZXNpemUpKSB7Ci0JCSAgICBjbGlfZGJnbXNnKCJN RVc6IFNpemVzIGV4Y2VlZGVkIChzc2l6ZTogJXUsIGRzaXplOiAldSwgbWF4OiAlbHUpXG4iLCBz c2l6ZSwgZHNpemUgLCBjdHgtPmxpbWl0cy0+bWF4ZmlsZXNpemUpOwotCQkgICAgZnJlZShleGVf c2VjdGlvbnMpOwotCQkgICAgaWYoQkxPQ0tNQVgpIHsKLQkJCSpjdHgtPnZpcm5hbWUgPSAiUEUu TUVXLkV4Y2VlZGVkRmlsZVNpemUiOwotCQkJcmV0dXJuIENMX1ZJUlVTOwotCQkgICAgfSBlbHNl IHsKLQkJCXJldHVybiBDTF9DTEVBTjsKLQkJICAgIH0KLQkJfQorCisJCUNMSV9VTlBTSVpFTElN SVRTKCJNRVciLCBNQVgoc3NpemUsIGRzaXplKSk7CisJCUNMSV9VTlBTSVpFTElNSVRTKCJNRVci LCBNQVgoc3NpemUgKyBkc2l6ZSwgZXhlX3NlY3Rpb25zW2kgKyAxXS5yc3opKTsKIAogCQkvKiBh bGxvY2F0ZSBuZWVkZWQgYnVmZmVyICovCiAJCWlmICghKHNyYyA9IGNsaV9jYWxsb2MgKHNzaXpl ICsgZHNpemUsIHNpemVvZihjaGFyKSkpKSB7Cg== 138929 2007-12-19 23:18 0000 clamav-0.91.2-CVE-2007-6336.patch clamav-0.91.2-CVE-2007-6336.patch text/plain VGh1IERlYyAgNiAxNToxNTo0NSBDRVQgMjAwNyAodGspCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLQogICogbGliY2xhbWF2L21zcGFjay5jOiBmaXggb2ZmLWJ5LW9uZSBlcnJvciBp biBMWlhfUkVBRF9IVUZGU1lNKCkgKGJiIzY2MykKCiAgICAgaHR0cHM6Ly93d3dzLmNsYW1hdi5u ZXQvYnVnemlsbGEvc2hvd19idWcuY2dpP2lkPTY2MwoKICAgICBTVk4gcjMzNzQKCkluZGV4OiBj bGFtYXYtMC45MS4yL2xpYmNsYW1hdi9tc3BhY2suYwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBjbGFtYXYtMC45 MS4yLm9yaWcvbGliY2xhbWF2L21zcGFjay5jCisrKyBjbGFtYXYtMC45MS4yL2xpYmNsYW1hdi9t c3BhY2suYwpAQCAtNzM0LDcgKzczNCw3IEBAIHZvaWQgbXN6aXBfZnJlZShzdHJ1Y3QgbXN6aXBf c3RyZWFtICp6aXAKIAogI2RlZmluZSBMWlhfRU5TVVJFX0JJVFMobmJpdHMpICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFwKICAgd2hpbGUgKGJpdHNfbGVmdCA8 IChuYml0cykpIHsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFwKLSAg ICBpZiAoaV9wdHIgPj0gaV9lbmQpIHsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgIFwKKyAgICBpZiAoaV9wdHIgKyAxID49IGlfZW5kKSB7ICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBcCiAgICAgICBpZiAobHp4X3JlYWRf aW5wdXQobHp4KSkgcmV0dXJuIGx6eC0+ZXJyb3I7ICAgICAgICAgICAgICAgICAgICAgIFwKICAg ICAgIGlfcHRyID0gbHp4LT5pX3B0cjsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgIFwKICAgICAgIGlfZW5kID0gbHp4LT5pX2VuZDsgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFwK 138930 2007-12-19 23:18 0000 clamav-0.91.2-CVE-2007-6337.patch clamav-0.91.2-CVE-2007-6337.patch text/plain TW9uIERlYyAxMCAxNTo1NDoyMCBDRVQgMjAwNyAodGspCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLQogICogbGliY2xhbWF2L25zaXMvYnpsaWJfcHJpdmF0ZS5oOiBmaXggYnpsaWIg YnVnIChhQ2FCKQoKICAgIFNWTiByMzM4NwoKSW5kZXg6IGNsYW1hdi0wLjkxLjIvbGliY2xhbWF2 L25zaXMvYnpsaWJfcHJpdmF0ZS5oCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIGNsYW1hdi0wLjkxLjIub3JpZy9s aWJjbGFtYXYvbnNpcy9iemxpYl9wcml2YXRlLmgKKysrIGNsYW1hdi0wLjkxLjIvbGliY2xhbWF2 L25zaXMvYnpsaWJfcHJpdmF0ZS5oCkBAIC00MjIsMTEgKzQyMiwxMyBAQCB0eXBlZGVmCiAvKi0t IE1hY3JvcyBmb3IgZGVjb21wcmVzc2lvbi4gLS0qLwogCiAjZGVmaW5lIEJaX0dFVF9GQVNUKGNj Y2MpICAgICAgICAgICAgICAgICAgICAgXAorICAgIGlmIChzLT50UG9zID49IHMtPmJsb2NrU2l6 ZTEwMGsgKiAxMDAwMDApIHJldHVybiBUcnVlOyBcCiAgICAgcy0+dFBvcyA9IHMtPnR0W3MtPnRQ b3NdOyAgICAgICAgICAgICAgICAgXAogICAgIGNjY2MgPSAoVUNoYXIpKHMtPnRQb3MgJiAweGZm KTsgICAgICAgICAgIFwKICAgICBzLT50UG9zID4+PSA4OwogCiAjZGVmaW5lIEJaX0dFVF9GQVNU X0MoY2NjYykgICAgICAgICAgICAgICAgICAgXAorICAgIGlmIChjX3RQb3MgPj0gcy0+YmxvY2tT aXplMTAwayAqIDEwMDAwMCkgcmV0dXJuIFRydWU7IFwKICAgICBjX3RQb3MgPSBjX3R0W2NfdFBv c107ICAgICAgICAgICAgICAgICAgICBcCiAgICAgY2NjYyA9IChVQ2hhcikoY190UG9zICYgMHhm Zik7ICAgICAgICAgICAgXAogICAgIGNfdFBvcyA+Pj0gODsK