Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 143093

Summary: app-antivirus/clamav: <=0.88.3 boundary error
Product: Gentoo Security Reporter: Raphael Marichez (Falco) (RETIRED) <falco>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: antivirus, net-mail+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/21374
Whiteboard: B1 [glsa] Falco
Package list:
Runtime testing required: ---

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-07 07:54:07 UTC 
Hi teams,

clamav is vulnerable :(

SA 21374:

"Description:
Damian Put has discovered a vulnerability in Clam AntiVirus, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

The vulnerability is caused due to an boundary error in the "pefromupx()" function in libclamav/upx.c when unpacking PE executable files compressed with UPX. This can be exploited to cause a heap-based buffer overflow via a specially crafted UPX compressed file.

Successful exploitation crashes the service and may allow execution of arbitrary code.

The vulnerability has been confirmed in versions 0.88.2 and 0.88.3. Other versions may also be affected.

Solution:
Disable the "ScanPE" option for clamd and start clamscan with the "--no-pe" option. Please note that this completely disables the scanning of PE files. Then block or filter PE files in some other way.

Provided and/or discovered by:
Damian Put

Original Advisory:
http://www.overflow.pl/adv/clamav_upx_heap.txt "
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-07 07:55:32 UTC 
note that ScanPE is enabled by default

let's wait for a patch or update...
Comment 2 Andrej Kacian (RETIRED) gentoo-dev 2006-08-07 12:50:11 UTC 
0.88.4 is out, I'll commit the ebuild in few minutes
Comment 3 Andrej Kacian (RETIRED) gentoo-dev 2006-08-07 16:52:49 UTC 
Ebuild for 0.88.4 is in the tree now - by the power bestowed unto me by jaervosz, I'm CCing arch teams, please do your magic.

x86 has been stabilized by me already, after testing on two stable boxes.
Comment 4 Jason Wever (RETIRED) gentoo-dev 2006-08-07 17:46:32 UTC 
SPARC virus detected, all your arch are belong to us!
Comment 5 Fernando J. Pereda (RETIRED) gentoo-dev 2006-08-07 17:53:03 UTC 
Looks fine on Alpha.
Comment 6 Scott Stoddard (RETIRED) gentoo-dev 2006-08-07 18:05:33 UTC 
amd64 done.
Comment 7 Luca Barbato gentoo-dev 2006-08-07 18:11:41 UTC 
ppc follows
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2006-08-07 23:31:59 UTC 
ppc64 stable
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-08 00:27:46 UTC 
debian isn't updated yet, we may have a chance !  :)
Comment 10 René Nussbaumer (RETIRED) gentoo-dev 2006-08-08 02:12:46 UTC 
stable on hppa
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-08 02:35:30 UTC 
Ready for GLSA ! :)
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2006-08-08 07:13:46 UTC 
GLSA 200608-13

thanks for the quick work on this one