Bug 202762 - app-antivirus/clamav < 0.91.2-r1 Multiple vulnerabilities (CVE-2007-{6335,6336,6337})
Bug#: 202762 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL:  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=634
Summary: app-antivirus/clamav < 0.91.2-r1 Multiple vulnerabilities (CVE-2007-{6335,6336,6337})
Keywords:  
Status Whiteboard: B1 [glsa]
Opened: 2007-12-19 10:20 0000
Description:   Opened: 2007-12-19 10:20 0000 
iDefense:

Remote exploitation of an integer overflow vulnerability in Clam AntiVirus'
ClamAV, as included in various vendors' operating system distributions, allows
attackers to execute arbitrary code with the privileges of the affected
process.

The vulnerability exists within the code responsible for parsing PE files
packed with the MEW packer. During unpacking, two untrusted values are taken
directly from the file without being validated. These values are later used in
an arithmetic operation to calculate the size used to allocate a heap buffer.
This calculation can overflow, resulting in a buffer of insufficient size being
allocated. This later leads to arbitrary areas of memory being overwritten with
attacker supplied data.

------- Comment #1 From Robert Buchholz 2007-12-19 10:23:38 0000 ------- 
Andrej, is 0.92 ready for stabling?

------- Comment #2 From Stefan Behte 2007-12-19 19:48:29 0000 ------- 
Portage 2.1.3.19 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0,
2.6.23-gentoo-r1 i686)
=================================================================
System uname: 2.6.23-gentoo-r1 i686 AMD Athlon(tm) XP 2400+
Timestamp of tree: Wed, 19 Dec 2007 18:30:01 +0000
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.3.5-r3, 2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-Os -march=athlon-xp -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/lib/fax /usr/share/X11/xkb /usr/share/config
/var/spool/fax/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo
/etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-Os -march=athlon-xp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict unmerge-orphans
userfetch"
GENTOO_MIRRORS="ftp://192.168.0.2:66/ http://gentoo.intergenia.de/
ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/
ftp://ftp.tu-clausthal.de/pub/linux/gentoo/
ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo/
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo/
ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/
ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acl acpi aiglx alsa amr apache2 arts asf berkdb
bitmap-fonts bzip2 bzlib cairo cdb cdparanoia cdr cli cracklib crypt css cups
curl dbus dga directfb divx4linux dri dts dv dvd dvdr dvdread eds emboss encode
ethereal evo extrafilters fbcon ffmpeg firefox flac fortran ftp gcj gdbm gif
gpm gstreamer gtk gtk2 hal iconv icq imagemagick isdnlog java jikes jpeg
kerberos lame lzo mad midi mikmod mime mjpeg mmx mmxext motif mp3 mpeg mtrr
mudflap musepack ncurses network nls nptl nptlonly nsplugin nvidia ogg
oggvorbis opengl openmp oss pam pcre pdf perl png pppd print python qt3
qt3support qt4 quicktime readline real reflection samba sdl session snmp
sockets spell spl sse ssl svg svga tcpd theora threads tiff truetype
truetype-fonts type1-fonts unicode usb userlocales vcd vorbis win32codecs x264
x86 xine xinerama xml xorg xprint xv xvid xvmc zlib" ALSA_CARDS="ali5451
als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370
ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident
usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy
dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear
meter mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm
authn_default authn_file authz_dbm authz_default authz_groupfile authz_host
authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir
disk_cache env expires ext_filter file_cache filter headers include info
log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling
status unique_id userdir usertrack vhost_alias" ELIBC="glibc"
INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz
cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de"
USERLAND="GNU" VIDEO_CARDS="nv nvidia"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS,
PORTDIR_OVERLAY

0.92 works fine here.

------- Comment #3 From Robert Buchholz 2007-12-19 23:18:18 0000 ------- 
Created an attachment (id=138927) [details]
clamav-0.91.2-CVE-2007-5759.patch

------- Comment #4 From Robert Buchholz 2007-12-19 23:18:33 0000 ------- 
Created an attachment (id=138929) [details]
clamav-0.91.2-CVE-2007-6336.patch

------- Comment #5 From Robert Buchholz 2007-12-19 23:18:47 0000 ------- 
Created an attachment (id=138930) [details]
clamav-0.91.2-CVE-2007-6337.patch

------- Comment #6 From Robert Buchholz 2007-12-19 23:29:41 0000 ------- 
There were further vulnerabilities fixed in this release:

CVE-2007-6336:
    It was discovered that on off-by-one in the MS-ZIP decompression
    code may lead to the execution of arbitrary code.

CVE-2007-6337:
    fix bzlib bug (aCaB)   ???
    I am not sure about the contents of this yet.

<Ticho> well, both klamav and Mail::ClamAV use some clamav internal functions
which shouldn't really be used outside of clamav, and those changed in this
release

Ticho, can you please bump 0.91.2 with the attached patches? Thanks.

------- Comment #7 From Andrej Kacian (RETIRED) 2007-12-20 00:31:18 0000 ------- 
0.91.2-r1 committed, with these patches applied. Thanks!

------- Comment #8 From Robert Buchholz 2007-12-20 00:33:48 0000 ------- 
Arches, please test and mark stable app-antivirus/clamav-0.91.2-r1.
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

------- Comment #9 From Brent Baude 2007-12-20 01:36:23 0000 ------- 
ppc and ppc64 stable

------- Comment #10 From Markus Meier 2007-12-20 13:20:43 0000 ------- 
x86 stable

------- Comment #11 From Ferris McCormick 2007-12-20 13:49:32 0000 ------- 
Stable for sparc.

------- Comment #12 From Jeroen Roovers 2007-12-20 14:52:23 0000 ------- 
Stable for HPPA.

------- Comment #13 From Raúl Porcel 2007-12-20 16:00:52 0000 ------- 
alpha/ia64 stable

------- Comment #14 From Peter Weller 2007-12-26 15:52:20 0000 ------- 
amd64 stable

------- Comment #15 From Tobias Heinlein 2007-12-26 16:19:25 0000 ------- 
All arches done, GLSA request filed.

------- Comment #16 From Robert Buchholz 2007-12-29 16:07:07 0000 ------- 
GLSA 200712-20, thanks everyone.

------- Comment #17 From Peter Volkov 2008-03-06 10:00:28 0000 ------- 
Does not affect current (2008.0) release. Removing release.