Bug 204340 - app-antivirus/clamav Insecure temporary file creation (CVE-2007-6595)
Summary: app-antivirus/clamav Insecure temporary file creation (CVE-2007-6595)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: B4 [ebuild / glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-01-04 22:32 UTC by Robert Buchholz (RETIRED)
Modified: 2008-08-08 17:29 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Robert Buchholz (RETIRED) gentoo-dev 2008-01-04 22:32:11 UTC
CVE-2007-6595 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6595):
  ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink
  attack on (1) temporary files in the cli_gentempfd function in
  libclamav/others.c or on (2) .ascii files in sigtool, when utf16-decode is
  enabled.

CVE-2007-6596 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6596):
  ClamAV 0.92 does not recognize Base64 UUEncoded archives, which allows remote
  attackers to bypass the scanner via a Base64-UUEncoded file.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-01-04 22:36:39 UTC
I am not sure whether CVE-2007-6596 should be considered a security issue or rather a scanner weakness.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-01-04 22:49:42 UTC
Rerating B4 for CVE-2007-6595 since (1) is really hard to exploit (as the file name is mostly random 128) and (2) is not a userspace tool. Do we even install it?

Removing the reference to CVE-2007-6596.

Reference:
  http://thread.gmane.org/gmane.comp.security.virus.clamav.user/28138
  http://thread.gmane.org/gmane.comp.security.virus.clamav.user/28166
Comment 3 Andrej Kacian (RETIRED) gentoo-dev 2008-01-05 17:05:11 UTC
Yes, clamav installs sigtool by default. As for cli_gentempfd(), I suggest we wait for upstream. Although a fix (adding O_EXCL) has been suggested, it hasn't been approved by upstream yet.
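The following is an added example, not ClamAV code and not the upstream patch referenced later in this bug: a stand-in for the temporary-file open that the description's item (1) and the O_EXCL suggestion in comment 3 are about. It constructs a scratch directory containing a victim file and a symlink planted at the name the program is about to use, then shows that an O_CREAT|O_TRUNC open writes straight through the link into the victim, while an O_CREAT|O_EXCL open fails with EEXIST and leaves the victim untouched. The function names, directory layout and file contents are assumptions made for this demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum outcome { OUTCOME_ERROR = -1, OUTCOME_FOLLOWED_LINK = 1, OUTCOME_REFUSED_EEXIST = 2 };

/* Hypothetical stand-in for a temp-file open (not cli_gentempfd itself).
 * The open() flags are the only difference between the two variants:
 * without O_EXCL, open() follows a symlink planted at the predicted name
 * and truncates whatever it points to; with O_EXCL the kernel refuses
 * with EEXIST because something already exists at that path. */
static int open_temp(const char *path, int exclusive)
{
    int flags = O_WRONLY | O_CREAT | (exclusive ? O_EXCL : O_TRUNC);
    return open(path, flags, 0600);
}

/* Writes text to path; returns 0 on success, -1 on failure. */
static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fputs(text, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Reads up to buflen-1 bytes from path into buf (NUL-terminated);
 * returns the byte count or -1 on failure. */
static ssize_t read_file(const char *path, char *buf, size_t buflen)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, buflen - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Constructed scenario: a scratch directory holds a "victim" file and a
 * symlink at the name the program is about to use for its temp file.
 * Returns what the chosen open() variant did to the victim. */
enum outcome temp_open_outcome(int exclusive)
{
    char dir[] = "/tmp/exclusive-demo.XXXXXX";   /* assumed writable scratch location */
    char victim[PATH_MAX], planted[PATH_MAX], buf[64];
    enum outcome result = OUTCOME_ERROR;

    if (mkdtemp(dir) == NULL) return OUTCOME_ERROR;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/predictable-tmp-name", dir);

    if (write_file(victim, "original contents") == 0 && symlink(victim, planted) == 0) {
        int fd = open_temp(planted, exclusive);
        if (fd >= 0) {
            /* The "temp file" is really the victim: write through it and check. */
            ssize_t w = write(fd, "scanner scratch data", 20);
            close(fd);
            if (w == 20 && read_file(victim, buf, sizeof buf) >= 0 &&
                strcmp(buf, "original contents") != 0)
                result = OUTCOME_FOLLOWED_LINK;
        } else if (errno == EEXIST) {
            /* Hardened variant refused the planted name; victim must be intact. */
            if (read_file(victim, buf, sizeof buf) >= 0 &&
                strcmp(buf, "original contents") == 0)
                result = OUTCOME_REFUSED_EEXIST;
        }
    }

    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("O_TRUNC variant: %s\n", temp_open_outcome(0) == OUTCOME_FOLLOWED_LINK
           ? "victim overwritten through the symlink" : "unexpected result");
    printf("O_EXCL variant:  %s\n", temp_open_outcome(1) == OUTCOME_REFUSED_EEXIST
           ? "refused with EEXIST, victim intact" : "unexpected result");
    return 0;
}
```

O_EXCL closes the race only because the check and the create are one atomic kernel operation; a separate stat() or access() before open() does not help. The name still has to be unpredictable (mkstemp() or equivalent) so that a refused open is a rare retry rather than a denial of service.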
Comment 4 Thilo Bangert (RETIRED) gentoo-dev 2008-02-12 21:27:34 UTC
0.92.1 has been released but its (source) ChangeLog does not reference these CVEs. It does mention CVE-2008-0318 though.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-03-15 00:01:21 UTC
Fixed in this commit:
http://svn.clamav.net/websvn/diff.php?repname=clamav-devel&path=%2Ftrunk%2Flibclamav%2Fothers.c&rev=3490&sc=0

Can someone with a fast connection verify that our stable 0.92.1 contains this fix?

In case of GLSA decision, I vote NO.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-03-15 00:07:07 UTC
Oh, and the patch is for (1) only, (2) is still unfixed upstream.
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-04-09 17:13:10 UTC
(In reply to comment #5)
> Fixed in this commit:
> http://svn.clamav.net/websvn/diff.php?repname=clamav-devel&path=%2Ftrunk%2Flibclamav%2Fothers.c&rev=3490&sc=0
> 
> Can someone with a fast connection verify that our stable 0.92.1 contains this
> fix?
> 

It does in clamav-0.92.1

glsa? -> I vote Yes because contrary to most other symlink attacks, the local attacker can trigger it without the assistance of any user. He simply has to send an email on the box.

> In case of GLSA decision, I vote NO.
> 

Comment 8 svrmarty 2008-04-17 13:17:24 UTC
outdated, see bug #213762
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-04-17 15:46:37 UTC
(In reply to comment #8)
> outdated, see bug #213762

Did you verify that CVE-2007-6595 (2) is fixed in 0.93?
Comment 10 martin holzer 2008-04-22 08:14:49 UTC
seems so,

see
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=752
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-04-23 16:02:45 UTC
(In reply to comment #10)
> seems so,
> 
> see
> https://wwws.clamav.net/bugzilla/show_bug.cgi?id=752

The last commit I could find to sigtool was in December. The upstream bug is closed, but that does not mean the issue has been taken care of.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-04-23 16:57:41 UTC
(In reply to comment #11)
> The last commit I could find to sigtool was in December. The upstream bug is
> closed, but that does not mean the issue has been taken care of.

Ok, the "last" commit I saw was wrong. Still, the issue remains.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-08-03 21:51:31 UTC
Let's add the fixed part of this bug in a GLSA.
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-08-08 17:29:16 UTC
GLSA 200808-07 combining bug 204340 and bug 227351, thanks everyone.