
Bug 109213

Summary: app-antivirus/clamav: Multiple security fixes in 0.87.1
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: antivirus, net-mail+disabled, sascha-gentoo-bugzilla
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=333566
Whiteboard: A1 [glsa] jaervosz
Package list:
Runtime testing required: ---
Attachments:
Description Flags
clamav-CVE-2005-3239.patch none

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-13 14:19:14 UTC
Segfault with corrupted DOC files with ArchiveMaxFiles 10000. See Debian bug for full details.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-13 22:41:04 UTC
antivirus/net-mail please advise.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-10-14 01:15:45 UTC
Nothing yet upstream afaict
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-10-15 01:35:32 UTC
This is CAN-2005-3239
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-19 10:54:07 UTC
Still nothing upstream.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-10-26 02:47:30 UTC
Created attachment 71477 [details, diff]
clamav-CVE-2005-3239.patch

Patch extracted from clamav CVS, untested.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-10-26 02:48:05 UTC
antivirus / net-mail: please check/apply patch and bump.
Comment 7 Andrej Kacian (RETIRED) gentoo-dev 2005-10-28 04:12:32 UTC
I'm sorry, I'll be out of touch until Monday, so I can't do this one on time.
BTW, is there a sample corrupted .doc file to test on? I couldn't find any.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-10-28 04:20:00 UTC
There is one on the Debian bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi/KOCH.DOC?bug=333566;msg=19;att=1
Comment 9 Andrej Kacian (RETIRED) gentoo-dev 2005-11-03 15:25:50 UTC
There is 0.87.1 out which fixes this. Ebuild is now in portage, x86 already
tested and stable.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-03 23:41:15 UTC
Arches please test and mark stable.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-11-04 00:52:38 UTC
Potential additional security fixorz:
- libclamav/petite.c: fix boundary checks (acab)
- libclamav/mbox.c: scan attachments that have no filename (njh)
- libclamav/fsg.c: fix buffer size calculation in unfsg_133
  Reported by Zero Day Initiative (ZDI-CAN-004)
- libclamav/tnef.c: fix possible infinite loop
  Reported by iDEFENSE (IDEF1169).
- libclamav/mspack/cabd.c: fix possible infinite loop in cabd_find (tk)
  Reported by iDEFENSE (IDEF1180).
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2005-11-04 05:37:22 UTC
sparc stable.
Comment 13 Brent Baude (RETIRED) gentoo-dev 2005-11-04 06:46:06 UTC
marked ppc64 stable
Comment 14 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-11-05 03:10:30 UTC
0.87.1 stable on alpha
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-11-05 04:42:46 UTC
The fsg thing allows remote code execution:

))))))))))))))))
ZDI-05-002: Clam Antivirus Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-05-002.html
CAN-2005-3303

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable ClamAV installations. Authentication is not required to
exploit this vulnerability.

This specific flaw exists within libclamav/fsg.c during the unpacking of
executable files compressed with FSG v1.33. Due to invalid bounds
checking when copying user-supplied data to heap allocated memory, an
exploitable memory corruption condition is created. The unpacking
algorithm for other versions of FSG is not affected. 
)))))))))))))))))
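The advisory quoted above describes the bug class rather than the code: a length taken from an untrusted packed executable is used to copy bytes into a heap buffer without checking that the range lies inside the input and fits the destination. The following C example, added here for illustration and not taken from ClamAV's fsg.c or any other ClamAV source, shows the shape of the check an unpacker needs before such a copy. The struct `section_hdr`, the function `copy_section_checked`, the status codes and the 16-byte sample input are all constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical section header as an unpacker might read it from an
 * untrusted executable: an offset and a length, both attacker-controlled.
 * This illustrates the bug class only; it is not ClamAV's fsg.c. */
struct section_hdr {
    uint32_t src_off;  /* where the packed bytes start in the input */
    uint32_t len;      /* how many bytes the header claims to copy */
};

enum unpack_status { UNPACK_OK = 0, UNPACK_BAD_SRC = 1, UNPACK_BAD_DST = 2 };

/* Copy a section into a heap buffer of dst_cap bytes at dst_off, but only
 * after validating that the declared range lies inside the input and that
 * it fits in the destination.  The comparisons are arranged as
 * "off <= limit && len <= limit - off" so no addition can wrap around. */
enum unpack_status copy_section_checked(const uint8_t *in, size_t in_len,
                                        const struct section_hdr *h,
                                        uint8_t *dst, size_t dst_cap,
                                        size_t dst_off)
{
    if (h->src_off > in_len || h->len > in_len - h->src_off)
        return UNPACK_BAD_SRC;   /* header points outside the input */
    if (dst_off > dst_cap || h->len > dst_cap - dst_off)
        return UNPACK_BAD_DST;   /* copy would overrun the heap buffer */
    memcpy(dst + dst_off, in + h->src_off, h->len);
    return UNPACK_OK;
}

/* Self-contained demonstration over a constructed 16-byte "input" and
 * constructed headers: one honest, one claiming more source data than
 * exists, one that fits the source but not the destination.
 * Returns 0 when every case behaved as expected, otherwise a bitmask. */
int demo_checked_unpack(void)
{
    static const uint8_t input[16] = "PACKED-DATA-0123";
    struct section_hdr good    = { .src_off = 7, .len = 9 };       /* "DATA-0123" */
    struct section_hdr evil    = { .src_off = 7, .len = 0x10000 }; /* oversized */
    struct section_hdr big_dst = { .src_off = 0, .len = 16 };      /* fits input only */
    size_t cap = 32;
    uint8_t *out = calloc(cap, 1);
    if (!out)
        return -1;

    int result = 0;
    if (copy_section_checked(input, sizeof input, &good, out, cap, 0) != UNPACK_OK)
        result |= 1;
    if (memcmp(out, "DATA-0123", 9) != 0)
        result |= 2;
    if (copy_section_checked(input, sizeof input, &evil, out, cap, 0) != UNPACK_BAD_SRC)
        result |= 4;
    if (copy_section_checked(input, sizeof input, &big_dst, out, cap, 20) != UNPACK_BAD_DST)
        result |= 8;
    free(out);
    return result;
}

int main(void)
{
    int r = demo_checked_unpack();
    printf("checked unpack demo: %s (code %d)\n", r == 0 ? "ok" : "FAILED", r);
    return r == 0 ? 0 : 1;
}
```

Both checks matter: validating the source range alone still lets a header that describes a legitimate slice of the input overrun a destination buffer that was sized from a different, also untrusted, field.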
Comment 16 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-11-06 02:58:52 UTC
Stable on ppc and hppa.
Comment 17 Simon Stelling (RETIRED) gentoo-dev 2005-11-06 03:07:04 UTC
amd64 happy too
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-06 08:18:20 UTC
GLSA 200511-04

ia64 don't forget to mark stable.