
Bug 233928 (CVE-2008-3447)

Summary: app-antivirus/f-prot infinite loop via a malformed ZIP (CVE-2008-3447)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: antivirus, grobian
Priority: High
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.milw0rm.com/exploits/6174
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-05 01:16:49 UTC
CVE-2008-3447 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3447):
  The scanning engine in F-Prot Antivirus 6.2.1 4252 allows remote attackers to
  cause a denial of service (infinite loop) via a malformed ZIP archive,
  probably related to invalid offsets.
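The CVE text above attributes the hang to invalid offsets in a malformed ZIP. As an added example (not F-Prot's code and not part of this bug report), the walker below follows the offsets a scanner has to follow, from the end-of-central-directory record through the central directory to each local header, and rejects any offset that leaves the file, overruns the central directory, or aliases a header already visited, so a crafted archive cannot keep it spinning; the sample archive and the corruption helper are constructed here for the demonstration.

```python
import io, struct, zipfile

EOCD_SIG, CEN_SIG, LOC_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
EOCD = struct.Struct("<4sHHHHIIH")           # end-of-central-directory record, 22 bytes
CEN = struct.Struct("<4sHHHHHHIIIHHHHHII")   # central directory header, 46 bytes
LOC = struct.Struct("<4sHHHHHIIIHH")         # local file header, 30 bytes

def walk_zip(data: bytes) -> list:
    """Return member names, or raise ValueError; loops are bounded by the declared
    entry count and every offset is range-checked before it is followed."""
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos < 0 or eocd_pos + EOCD.size > len(data):
        raise ValueError("no end-of-central-directory record")
    n_entries, cd_size, cd_off = EOCD.unpack_from(data, eocd_pos)[4:7]
    if cd_off + cd_size > eocd_pos:
        raise ValueError("central directory extends past its end record")
    names, seen, pos = [], set(), cd_off
    for _ in range(n_entries):                 # bounded by the header count, not by data
        if pos + CEN.size > eocd_pos or data[pos:pos + 4] != CEN_SIG:
            raise ValueError("bad or truncated central header at %d" % pos)
        f = CEN.unpack_from(data, pos)
        nlen, xlen, clen, loc_off = f[10], f[11], f[12], f[16]
        if loc_off in seen or loc_off + LOC.size > cd_off:  # aliasing or out of range
            raise ValueError("local header offset %d rejected" % loc_off)
        seen.add(loc_off)
        l = LOC.unpack_from(data, loc_off)
        if l[0] != LOC_SIG or loc_off + LOC.size + l[9] + l[10] + l[7] > cd_off:
            raise ValueError("local header at %d invalid or data overruns" % loc_off)
        names.append(data[pos + CEN.size:pos + CEN.size + nlen].decode("utf-8", "replace"))
        pos += CEN.size + nlen + xlen + clen   # always advances by at least 46 bytes
    return names

def build_sample_zip() -> bytes:
    """Constructed sample: a small, valid two-member archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"hello " * 20)
        zf.writestr("b.txt", b"world " * 20)
    return buf.getvalue()

def with_local_offset(data: bytes, index: int, new_off: int) -> bytes:
    """Constructed corruption: point central entry `index` at `new_off`."""
    pos = EOCD.unpack_from(data, data.rfind(EOCD_SIG))[6]
    for _ in range(index):                     # skip earlier entries by their lengths
        f = CEN.unpack_from(data, pos)
        pos += CEN.size + f[10] + f[11] + f[12]
    buf = bytearray(data)
    struct.pack_into("<I", buf, pos + 42, new_off)   # bytes 42..45 hold the offset
    return bytes(buf)
```

Two corruptions worth trying: an offset far past the end of the file, and a second entry pointing at the first entry's local header; both are refused with a ValueError instead of being followed.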
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-30 17:44:04 UTC
Antivirus: *PING*
Comment 2 Nico Baggus 2009-01-10 12:40:56 UTC
Is this really unix? AFAICT 6.0.2 is the newest (recent) for linux.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-10 13:22:55 UTC
http://secunia.com/advisories/31313:

The vulnerability is confirmed in version 6.2.1.4252 and engine version 4.4.4.56 on a Linux system, and version 6.0.9.1 and engine version 4.4.4 on a Windows system. Other versions may also be affected.

Our in-tree version doesn't even work properly anymore:

# f-prot 2008-snot.zip.bla 
The SIGN.DEF file is too old to be of use.  It will probably only
detect a fraction of the viruses that exist today.

Please obtain and install an up-to-date version.

# /opt/f-prot/tools/check-updates.pl
Server error on remote machine.
Fatal error. Exiting...


http://www.f-prot.com/download/trial/ says 6.0.2 is the newest linux version, but I confirmed it to be vulnerable. I've mailed them.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-15 18:09:56 UTC
They asked me to submit the exploit, which I did, no further news here.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-21 10:37:10 UTC
Their reply:
################################################################################
Hello again Craig.

Our viruslab has received the submitted file but unfortunately it was corrupted so they could not use it.
Please try again to submit the file that is being detected as CVE-2008-3447.

You can send it in a password protected zip file as a reply to this e-mail or submit it directly to our viruslab here:
http://www.f-prot.com/virusinfo/submission_form.html

Please do not hesitate to contact us again if you require further information or assistance.
################################################################################

Did I crash their online-scanner? Uhm...well, they requested it. I replied back and provided them with the link to Milw0rm.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-02 17:14:19 UTC
When run, 6.0.1 says:

F-PROT Antivirus version 6.2.1
FRISK Software International (C) Copyright 1989-2007

Engine version: 4.4.2.54
Virus signatures: 2009040117552b8928ed8ded62e59086feda01954876
                  (/opt/f-prot/antivir.def)


6.0.2:

F-PROT Antivirus version 6.2.1.4252 (built: 2008-04-28T16-44-10)
FRISK Software International (C) Copyright 1989-2007

Engine version: 4.4.4.56
Virus signatures: 200804271455d25e6f60ac5f581e45c3c415e28c2452
                  (/opt/f-prot/antivir.def)

http://milw0rm.com/sploits/2008-snot.zip.bla (bug #233928) stalls both!
I'll try contacting upstream again.
Comment 7 Fabian Groffen gentoo-dev 2009-04-02 17:17:01 UTC
is that with updated virus definition stuff?
Comment 8 Fabian Groffen gentoo-dev 2009-04-02 17:19:03 UTC
never mind, I just tried that, indeed hangs, sorry for the noise.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-02 17:20:18 UTC
No problem, their versioning confused me, too.
Comment 10 Oliver Schneider 2009-04-03 17:56:47 UTC
Concerning the confusion about the version numbering first:

Product (scanner, updater, milter ...): 6.0.1 or 6.0.2
CLS: 6.2.1 (the newer version contains a build number: 6.2.1 4252, this new format will be followed through in future)
Engine: 4.4.4.56 == version 4.4.4 build 56 *and* someone apparently forgot to bump the latter one in the April/May release of the Unix products.

In general the same version of the command line scanner (CLS) can be built with different engine versions. However, in future the build number will also change visibly in such cases.

About comment #3, you obviously still have the old version 3 installed. See http://www.f-prot.com/products/home_use/linux/ (the new name would be fpscan, not f-prot ;)). And yes, this one was discontinued, so to speak. So no new DEFs either.

Further note: the scan engine developers will be in the loop for such security issues from now on (sent to security <at> f <dash> prot <dot> com). Previously this was trickling "down" (or up, however you see it) from support.

The bug will be fixed in engine version 4.5.0, for which the updated products are *likely* (note the uncertainty!) going to be released before June 2009. The fix was supposed to have gone into the version 6.0.2 of the Unix products, but I verified in our VCS that it hasn't, but that the current release candidate doesn't choke on the file:

$ ./fpscan --report --verbose=3 ./test/
F-PROT Antivirus version 6.3.1.4739 (built: 2009-04-03T17-34-02)
FRISK Software International (C) Copyright 1989-2009

Engine version: 4.5.0.73
Virus signatures: 200904031534820fa2eb753bdc4bbc70077a81433596
                  (/home/builder/olli/test_engine_build/Engine_4/fpcmd-ng/antivir.def)

...

[Clean]    ./test/2008-snot.zip.bla->cheese/abcdabc/lr.vfd   (Filetype: 57)
[Error] <Scanning error>        ./test/2008-snot.zip.bla   (Filetype: 18)
[Error] <I/O error>     ./test/2008-snot.zip.bla
-------------------------------------------------

Thanks for "nudging" us again,

// Oliver

PS: For cross-reference, we have this bug filed as number 267 in our tracker.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-08 19:43:58 UTC
The answer to my mail in #6:

Hello,

this bug will be fixed in our upcoming engine update (v4.5)

-- 
Regards,
  Bjartmar Kristjansson. Virus analyst.

  FSI Virus Research Lab
  bjartmar@f-prot.com 


In #3 I was referring to our (by that time very outdated) in-tree version.
Comment 12 Nico Baggus 2010-01-28 15:56:53 UTC
6.0.3 seems to be available?
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-28 21:50:48 UTC
Indeed:

http://www.f-prot.com/download/home_user/download_fplinux.html

It does not hang here. So, Antivirus, please provide an updated ebuild.
Comment 14 Fabian Groffen gentoo-dev 2010-01-29 20:36:03 UTC
Well, that looks like a sort of "no".

This seems to be all we got now:
http://www.f-prot.com/download/trial_forms/linux-ws-tgz.html

which is an unversioned link to a download, just x86.

I think we better punt this package, as it seems with each release less
platforms are supported, and frisk's motivation to support non-Windows is
dying.
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 16:45:04 UTC
Yes, it's ok with me to kill it.
Comment 16 Fabian Groffen gentoo-dev 2010-03-06 16:57:07 UTC
# Fabian Groffen <grobian@gentoo.org> (06 Mar 2010)
# Masked for security issues and discontinued interest from upstream to
# support non-Windows platforms.  Bug #233928
# Pending removal on April 6, 2010
app-antivirus/f-prot
Comment 17 Ian Douglas 2010-03-09 07:26:33 UTC
(In reply to comment #14)
> This seems to be all we got now:
> http://www.f-prot.com/download/trial_forms/linux-ws-tgz.html
> 
> which is an unversioned link to a download, just x86.
> 
> I think we better punt this package, as it seems with each release less
> platforms are supported, and frisk's motivation to support non-Windows is
> dying.
> 

This is rather sad ... I've been using F-Prot since it came out on DOS, and it always was one of the best AV programs out there. Even respected by the virus writers themselves :-)

What's the recommended alternative?

Thanks, Ian
Comment 18 Fabian Groffen gentoo-dev 2010-03-09 09:07:09 UTC
I totally agree, but I feel we've been left no choice :(
Comment 19 Nico Baggus 2010-03-09 09:12:49 UTC
it's sad.., but now it's gone. 8(
Comment 20 Fabian Groffen gentoo-dev 2010-04-18 08:03:11 UTC
Package has been removed from the tree.  I guess that closes this bug.
Comment 21 Nico Baggus 2010-07-06 19:03:57 UTC
There is no need to keep this open????
Comment 22 Fabian Groffen gentoo-dev 2010-07-06 20:57:10 UTC
f-prot is gone
Comment 23 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-07-07 06:28:11 UTC
Mask/Removal GLSA vote: no
Comment 24 Stefan Behte (RETIRED) gentoo-dev Security 2010-07-07 21:24:34 UTC
No, too, closing noglsa.