Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 227351 (CVE-2008-2713) - app-antivirus/clamav < 0.93.3: fix possible invalid memory access (CVE-2008-2713,CVE-2008-3215)
Summary: app-antivirus/clamav < 0.93.3: fix possible invalid memory access (CVE-2008-2...
Status: RESOLVED FIXED
Alias: CVE-2008-2713
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-06-15 23:46 UTC by Hanno Böck
Modified: 2008-08-08 17:29 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2008-06-15 23:46:26 UTC
As reported on oss-security, 0.93.1 contains security fixes. CVE is requested.

http://www.openwall.com/lists/oss-security/2008/06/15/2
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-06 18:41:12 UTC
antivirus/net-mail: 0.93.1 is in the tree, is it ok for stabilisation?
Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-20 21:48:21 UTC
(In reply to comment #1)
> antivirus/net-mail: 0.93.1 is in the tree, is it ok for stabilisation?
> 

looks so, #221715 as a tracker for b0rkage caused by 0.93 is to be closed (all blocking issues are fixed). Also i just bumped to 0.93.3  as per #231287.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-20 21:52:09 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > antivirus/net-mail: 0.93.1 is in the tree, is it ok for stabilisation?
> > 
> 
> looks so, #221715 as a tracker for b0rkage caused by 0.93 is to be closed (all
> blocking issues are fixed). Also i just bumped to 0.93.3  as per #231287.
> 

so, which one is the target for stabilization? 0.93.1 or 0.93.3?
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-20 21:56:49 UTC
(In reply to comment #3)
> > looks so, #221715 as a tracker for b0rkage caused by 0.93 is to be closed (all
> > blocking issues are fixed). Also i just bumped to 0.93.3  as per #231287.
> > 
> 
> so, which one is the target for stabilization? 0.93.1 or 0.93.3?

0.93.1 is in the tree for >1 months without relevant bugs reported in that time, 0.93.3 is in the tree for some minutes (same ebuild though) and doesn't include security-relevant fixes (at least none i could find in a changelog). The only reason to opt for 0.93.3 would be to avoid the annoying "clamav-version outdated" warning users will get with 0.93.1. So well, i'm unsure :P 

Let's wait some days to see if 0.93.3 introduced some b0rkage, if not we can mark that one stable - sounds like a plan to me :)
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2008-07-20 22:53:16 UTC
I just had a look into the ChangeLog: We have to stabilize 0.93.3, 0.93.1 contains only partial fixes.

Mon Jul  7 15:48:48 CEST 2008
-----------------------------
  * 0.93.2

Thu Jul  3 16:15:23 CEST 2008
-----------------------------
  * libclamav/petite.c: fix another out of bounds memory read (bb#1000)
            Reported by Secunia (CVE-2008-2713)

[..]

Wed Jun  4 14:18:12 CEST 2008 (tk)
----------------------------------
  * 0.93.1

Wed Jun  4 14:18:27 CEST 2008 (tk)
----------------------------------
  * libclamav/petite.c: fix possible invalid memory access (bb#1000)
            Reported by Damian Put


The upstream bug reports confirms that: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1000

Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-21 05:46:18 UTC
(In reply to comment #5)
> Thu Jul  3 16:15:23 CEST 2008
> -----------------------------
>   * libclamav/petite.c: fix another out of bounds memory read (bb#1000)
>             Reported by Secunia (CVE-2008-2713)
> 
> [..]

It's better to not ask how I missed that :P In that case let's get =app-antivirus/clamav-0.93.3 stable ...
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-07-21 09:07:52 UTC
Arches, please test and mark stable:
=app-antivirus/clamav-0.93.3
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 8 Tony Vroon (RETIRED) gentoo-dev 2008-07-21 11:31:41 UTC
AMD64 stable keyword; tested on hardened Opteron 2218 & Core 2 Duo systems.
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2008-07-21 16:37:23 UTC
ppc64 stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2008-07-21 18:08:33 UTC
Stable for HPPA.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2008-07-21 19:54:26 UTC
alpha/ia64/sparc/x86 stable
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-07-22 15:22:02 UTC
CVE-2008-3215 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3215):
  libclamav/petite.c in ClamAV before 0.93.3 allows remote attackers to cause a
  denial of service via a malformed Petite file that triggers an out-of-bounds
  memory access.  NOTE: this issue exists because of an incomplete fix for
  CVE-2008-2713.
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-22 16:51:51 UTC
ppc stable
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2008-07-23 00:55:19 UTC
Ready for vote, I vote YES.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-08-03 21:51:00 UTC
glsa vote: YES
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-08-08 17:29:10 UTC
GLSA 200808-07 combining bug 204340 and bug 227351, thanks everyone.