Bug 253497 (CVE-2008-5747) - <app-antivirus/f-prot-6.0.1 scanning engine circumvention (CVE-2008-5747)
Summary: <app-antivirus/f-prot-6.0.1 scanning engine circumvention (CVE-2008-5747)
Status: RESOLVED FIXED
Alias: CVE-2008-5747
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: B3 [glsa]
Reported: 2009-01-02 23:11 UTC by Stefan Behte (RETIRED)
Modified: 2009-04-14 20:53 UTC
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-01-02 23:11:09 UTC
CVE-2008-5747 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5747):
  F-Prot 4.6.8 for GNU/Linux allows remote attackers to bypass
  anti-virus protection via a crafted ELF program with a "corrupted"
  header that still allows the program to be executed.  NOTE: due to an
  error in the initial disclosure, F-secure was incorrectly stated as
  the vendor.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-02 23:20:08 UTC
from $URL:
"frisk f-prot com
Version 4.6.8 is an old, obsolete version of F-PROT that is no longer supported by the developers.

We no longer release regular virus definition updates for this version, and as far as we know, we have no paying customers of F-PROT 4.6.8 for Linux.

The security issue is not present in the current version."

Antivirus, please update to 6.0.2 (see http://www.f-prot.com/download/home_user/) and remove 4.6.7. This would also fix #233928 and #232665! :)
Comment 2 Fabian Groffen gentoo-dev 2009-04-02 15:42:00 UTC
Once the 6.* version goes stable, we can finally remove the 4.x version.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-02 16:36:45 UTC
Arches, please test and mark stable:
=app-antivirus/f-prot-6.0.2
Target keywords : "amd64 x86"
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-02 17:17:32 UTC
This does not fix #233928!

Fabian, the latest versions are:

Linux Workstation 32 bit	6.0.2
Linux Workstation 64 bit	6.0.2
FreeBSD Workstation	6.0.1

But f-prot-6.0.1.ebuild has:
KEYWORDS="~amd64 -sparc ~x86"

Shouldn't it have ~ppc, too?!

CVE-2008-3243 only *seems* to affect Versions <6.0.9.0 on Windows, NIST lists the Windows changelog as CONFIRM for it.



Comment 5 Fabian Groffen gentoo-dev 2009-04-02 17:22:12 UTC
(In reply to comment #4)
> This does not fix #233928!
> 
> Fabian, the latest versions are:
> 
> Linux Workstation 32 bit        6.0.2
> Linux Workstation 64 bit        6.0.2
> FreeBSD Workstation     6.0.1
> 
> But f-prot-6.0.1.ebuild has:
> KEYWORDS="~amd64 -sparc ~x86"
> 
> Shouldn't it have ~ppc, too?!

~ppc and ~x86-fbsd are not in there, as I couldn't test on those arches, and they were not previously keyworded.  Since 6.0.1 is still vulnerable, I'm first waiting for you guys, before I will ask the respective arch-teams to look at it.

> CVE-2008-3243 only *seems* to affect Versions <6.0.9.0 on Windows, NIST lists
> the Windows changelog as CONFIRM for it.

That means all versions for non-Windows are affected and useless.  (If we ignore the version that fpscan spits out, and go by the version as announced on the download webpage.)
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-02 22:38:31 UTC
Well, but we still should stabilize 6.0.2, because it fixes CVE-2008-5747.
The other bugs will be handled when updates are available. Sorry for this, re-adding arches.

Arches, please test and mark stable:
=app-antivirus/f-prot-6.0.2
Target keywords : "amd64 x86"
Comment 7 Markus Meier gentoo-dev 2009-04-04 14:43:32 UTC
amd64/x86 stable, all arches done.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-04 15:09:49 UTC
Ready for vote, I vote YES.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-08 22:41:00 UTC
Yes, too. Request filed.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-14 20:53:09 UTC
GLSA 200904-14