| Summary: | app-antivirus/clamav DoS (CVE-2006-6481) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | antivirus, hanno, sim0n |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3? [glsa] jaervosz | | |
| Package list: | | Runtime testing required: | --- |
Description
Sune Kloppenborg Jeppesen (RETIRED)
2006-12-10 01:07:02 UTC
I have a fix (from upstream CVS) that makes clamav detect the virus. However, if enough nestings are used (I tried with $loop = 4000 in the proof of concept script [1]), clamav still crashes. Thus, upstream's fix is not enough. See [2] for more info about the issue.

1. http://www.quantenblog.net/download/perl/virus
2. http://www.quantenblog.net/security/virus-scanner-bypass

*** Bug 157438 has been marked as a duplicate of this bug. ***

Since this is also a DoS, it's more than an anti-virus bypass.

Newly released 0.88.7 is now in the tree. I can confirm that it fixes both scanner bypassing and DoS when enough base64 nestings are used (if you consider 40000 nestings enough, that is :) ). Thx Andrej.

Arches please test and mark stable. Target keywords are:

`clamav-0.88.6.ebuild:KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"`

ppc stable

Works fine for me (except USE=milter -- I don't have or use sendmail). Scanning /tmp with clamscan seems to work.

Gentoo Base System version 1.12.5, Portage 2.1.1-r1 (default-linux/amd64/2006.1, gcc-4.1.1, glibc-2.4-r3, 2.6.15-gentoo-r72006040301 x86_64)

```
AT / # freshclam
ClamAV update process started at Mon Dec 11 17:28:48 2006
main.cvd is up to date (version: 41, sigs: 73809, f-level: 10, builder: tkojm)
Downloading daily.cvd [*]
daily.cvd updated (version: 2315, sigs: 6758, f-level: 9, builder: ccordes)
Database updated (80567 signatures) from database.clamav.net (IP: 63.166.28.8)
```

so freshclam works too. amd64 done.

*** Bug 156772 has been marked as a duplicate of this bug. ***

Not glsa-relevant, but 0.90_rc2 should be patched, too.

Stable on Alpha + ia64.

It's about the evasion technique. I vote GLSA, but I already know other members of the team will vote no :)

No, this is a DoS issue, not evasion. I vote YES. Though we still need the hppa keyword.

Yes++

Of course it is clamav-0.88.7 that is the target for stable marking.

stable on hppa. Sorry for the delay.

Thx everyone. GLSA 200612-18
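The failure mode in the first comment, base64 nested deeply enough that the scanner crashes while unwrapping it, is the kind of input a decoder should refuse once a fixed depth is reached rather than keep following. As an added illustration (not ClamAV's code; the function names, limits and sample payload are all constructed), an iterative unwrapper that bounds both nesting depth and per-layer size:

```python
"""Bounded unwrapping of nested base64 layers (added example, not ClamAV code)."""
from __future__ import annotations

import base64
import binascii
import re

# Defensive limits (constructed values): refuse rather than unwrap without end.
MAX_DEPTH = 16
MAX_BYTES = 1 << 20

_B64_ALPHABET = re.compile(rb"\A[A-Za-z0-9+/]+={0,2}\Z")


class NestingLimitExceeded(Exception):
    """Raised when the input has more base64 layers than the scanner allows."""


def looks_like_base64(data: bytes) -> bool:
    """True if data (ignoring whitespace) is a plausible base64 transfer encoding."""
    compact = re.sub(rb"\s+", b"", data)
    return len(compact) >= 4 and len(compact) % 4 == 0 and bool(_B64_ALPHABET.match(compact))


def unwrap_base64(data: bytes, max_depth: int = MAX_DEPTH) -> tuple[bytes, int]:
    """Strip nested base64 layers iteratively (a loop, so no stack growth per layer).

    Returns (payload, layers_removed). Raises NestingLimitExceeded once more than
    max_depth layers are found, and ValueError if a single layer is oversized.
    """
    depth = 0
    while looks_like_base64(data):
        if depth >= max_depth:
            raise NestingLimitExceeded(f"more than {max_depth} base64 layers")
        if len(data) > MAX_BYTES:
            raise ValueError("layer exceeds size limit")
        try:
            data = base64.b64decode(re.sub(rb"\s+", b"", data), validate=True)
        except binascii.Error:
            break  # looked like base64 but was not; treat as the final payload
        depth += 1
    return data, depth


def wrap_base64(payload: bytes, layers: int) -> bytes:
    """Build a constructed test input with the given number of base64 layers."""
    for _ in range(layers):
        payload = base64.b64encode(payload)
    return payload


if __name__ == "__main__":
    print(unwrap_base64(wrap_base64(b"Hello, world!", 5)))  # (b'Hello, world!', 5)
    try:
        unwrap_base64(wrap_base64(b"Hello, world!", 20))
    except NestingLimitExceeded as exc:
        print("rejected:", exc)
```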