Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 167201

Summary: <app-antivirus/clamav-0.90 - MIME Header and CAB File Vulnerabilities CVE-2007-0897 CVE-2007-0898
Product: Gentoo Security Reporter: Executioner <keith>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: alonbl, antivirus, bernd, chainsaw, craig, net-mail+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/24187/
Whiteboard: B3 [glsa] Falco
Package list:
Runtime testing required: ---

Description Executioner 2007-02-16 13:47:59 UTC
Description:
Two vulnerabilities have been reported in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service).

1) Input passed via the "id" parameter when parsing MIME headers is not properly sanitised before being used to create local files. This can be exploited to e.g. overwrite the anti-virus signature file via directory traversal attacks, preventing malware from being detected.

2) An file descriptor leak error in the processing of CAB files can be exploited to e.g. prevent legitimate users from sending out valid archives via a specially crafted CAB file with a cabinet header containing a record length of zero.

The vulnerabilities are reported in versions prior to 0.90.

Solution:
Update to version 0.90.

Already in the tree...  probably just need to CC arches, but I'm not sure if I should do that?  Or if it needs to be looked at by a developer first...

Reproducible: Didn't try




http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=475
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=476
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-16 17:02:49 UTC
funny
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-17 23:57:56 UTC
Cc maintainers, sorry
Comment 3 Andrej Kacian (RETIRED) gentoo-dev 2007-02-18 02:55:38 UTC
As OP stated, the ebuild is already in the tree.
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-18 12:27:32 UTC
thanks

hi arches, please can you test and mark stable clamav-0.90 is appropriate, thanks
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2007-02-18 12:46:21 UTC
0.90 depends on sys-fs/dazuko which isn't stable on any arch - is dazuko ready for stabling?
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2007-02-18 14:40:55 UTC
doesn't seem to work on ppc64:

# modprobe dazuko
WARNING: Error inserting commoncap (/lib/modules/2.6.19.3/kernel/security/commoncap.ko): Invalid module format
FATAL: Error inserting dazuko (/lib/modules/2.6.19.3/misc/dazuko.ko): Invalid argument

from syslog:

Feb 18 14:39:46 G5 dazuko: info: using chroot events for chroot'd processes
Feb 18 14:39:46 G5 dazuko: failed to register


anyone else having this problem? or is my configuration?
Comment 7 Alon Bar-Lev (RETIRED) gentoo-dev 2007-02-18 15:34:38 UTC
(In reply to comment #6)
> doesn't seem to work on ppc64:
> 
> # modprobe dazuko
> WARNING: Error inserting commoncap
> (/lib/modules/2.6.19.3/kernel/security/commoncap.ko): Invalid module format
> FATAL: Error inserting dazuko (/lib/modules/2.6.19.3/misc/dazuko.ko): Invalid
> argument

Hmmm...
Can you please try modprobe commoncap (CONFIG_SECURITY_CAPABILITIES)?
This is part of kernel and should work... :(

> Feb 18 14:39:46 G5 dazuko: info: using chroot events for chroot'd processes
> Feb 18 14:39:46 G5 dazuko: failed to register

Well this is expected... Let's first try to solve commoncap...
Comment 8 Alon Bar-Lev (RETIRED) gentoo-dev 2007-02-18 15:37:46 UTC
(In reply to comment #5)
> 0.90 depends on sys-fs/dazuko which isn't stable on any arch - is dazuko ready
> for stabling?

I regret to say this... But no.
Upstream rewrote the interface for the kernel, and it has no stable release for 2.6.20...
So let's drop the onaccess USE flag until I test the new interface.

Sorry... :(
Comment 9 Andrej Kacian (RETIRED) gentoo-dev 2007-02-18 18:28:52 UTC
Ok, 0.90 has onaccess support dropped completely.

(I thought about just masking the use flag globally, but that would only tempt users into trying something that doesn't work.)
Comment 10 Jason Wever (RETIRED) gentoo-dev 2007-02-18 18:29:59 UTC
SPARC stable
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2007-02-18 18:58:06 UTC
ppc stable
Comment 12 Markus Meier gentoo-dev 2007-02-18 20:17:45 UTC
app-antivirus/clamav-0.90  USE="bzip2 crypt curl gmp logrotate mailwrapper -milter -onaccess (-selinux)"
1. emerges on x86 (not resynced yet)
2. passes collision test
3. works

Portage 2.1.2-r9 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.19.3 i686)
=================================================================
System uname: 2.6.19.3 i686 AMD Athlon(TM) XP1800+
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 17 Feb 2007 09:30:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig ccache collision-protect distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LANG="en_GB.utf8"
LINGUAS="en de en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/normal"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="3dnow 3dnowext X a52 aac alsa apache2 berkdb bitmap-fonts bzip2 cairo cdr cli cracklib crypt cups dbus divx4linux dlloader dri dts dvd dvdr dvdread eds emboss exif fam ffmpeg firefox fortran gdbm gif gnome gphoto2 gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde ldap libg++ mad midi mikmod mmx mmxext mono mp3 mpeg ncurses network nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl seamonkey session spell spl ssl svg tcpd test tetex tiff truetype truetype-fonts type1-fonts unicode usb vcd vorbis win32codecs x86 xine xinerama xml xorg xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LINGUAS="en de en_GB" USERLAND="GNU" VIDEO_CARDS="nv none"
Unset:  CTARGET, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 13 Andrej Kacian (RETIRED) gentoo-dev 2007-02-18 20:27:19 UTC
There is a discussion[1] on upstream ML about changed API. At least squidclamav, Mail::ClamAV perl module and havp antivirus engine are reported to NOT build with clamav-0.90.

I'll be fixing dependencies for these three and notifying their maintainers via e-mail.

1. http://article.gmane.org/gmane.comp.security.virus.clamav.devel/2719
Comment 14 Andrej Kacian (RETIRED) gentoo-dev 2007-02-18 20:28:20 UTC
(In reply to comment #13)
> I'll be fixing dependencies for these three and notifying their maintainers via
> e-mail.

This will of course mean that these packages will depend on vulnerable clamav. Security, is this acceptable for you? I guess not...
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2007-02-18 22:57:10 UTC
Stable for HPPA.
Comment 16 Markus Rothe (RETIRED) gentoo-dev 2007-02-20 18:54:52 UTC
ppc64 stable
Comment 17 Fernando J. Pereda (RETIRED) gentoo-dev 2007-02-22 11:49:24 UTC
Alpha done.
Comment 18 Patrick McLean gentoo-dev 2007-02-22 13:22:26 UTC
Stable on amd64.
Comment 19 Andrej Kacian (RETIRED) gentoo-dev 2007-02-23 18:15:17 UTC
(In reply to comment #14)
> (In reply to comment #13)
> > I'll be fixing dependencies for these three and notifying their maintainers via
> > e-mail.
> 
> This will of course mean that these packages will depend on vulnerable clamav.
> Security, is this acceptable for you? I guess not...

An answer here, perhaps? Basically, we have two options:
- packages built against an insecure libclamav (0.88.7)
- packages not compiling because of incompatible API changes in 0.90
Comment 20 Stefan Cornelius (RETIRED) gentoo-dev 2007-02-23 20:03:44 UTC
having something insecure in the tree is not an option. any idea how hard it would be to backport patches?
Comment 21 Andrej Kacian (RETIRED) gentoo-dev 2007-02-24 15:10:22 UTC
(In reply to comment #20)
> having something insecure in the tree is not an option. any idea how hard it
> would be to backport patches?
> 

The MIME vulnerability (CVE-2007-0898) fix is a one-line patch. The CAB one (CVE-2007-0897) I'm not quite sure about. Debian guys seem to have "fixed" it by commenting out CAB entry from array of known executables, which I don't think is a good idea.

I'll look into it some more.
Comment 22 Andrej Kacian (RETIRED) gentoo-dev 2007-02-24 15:36:57 UTC
The CAB decompressor code has been reworked completely between 0.88.7 and 0.90, and the fix for this vulnerability has been made just three hours before tagging 0.90 release in upstream's svn repo.

No trivial backport can be made here...
Comment 23 Andrej Kacian (RETIRED) gentoo-dev 2007-02-25 11:33:21 UTC
I have added a patch to fix most glaring API change. There are at least two more. One is non-trivial to patch in.
The other one is a removal of a function which has been marked as deprecated long time ago, so it's up to people using it to update their code.

Sorry for the delay, I had to put my head around the clamav code. :)

Marked x86 stable, yay!
Comment 24 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-26 22:42:40 UTC
Thanks Andrej, it seems all right now!

I sure vote for a GLSA and i have already file the GLSA request
Comment 25 Stefan Cornelius (RETIRED) gentoo-dev 2007-02-26 22:53:51 UTC
yes++. lets have a glsa
Comment 26 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-02 00:36:05 UTC
GLSA 200703-03, thanks everybody
Comment 27 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-13 10:15:43 UTC
*** Bug 170711 has been marked as a duplicate of this bug. ***
Comment 28 Raúl Porcel (RETIRED) gentoo-dev 2007-03-28 18:18:10 UTC
ia64 stable :)