| Summary: | app-antivirus/f-prot infinite loop via a malformed ZIP (CVE-2008-3447) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | antivirus, grobian |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.milw0rm.com/exploits/6174 | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
2008-08-05 01:16:49 UTC
Antivirus: *PING* Is this really unix? AFAICT 6.0.2 is the newest (recent) for linux.

http://secunia.com/advisories/31313:

> The vulnerability is confirmed in version 6.2.1.4252 and engine version 4.4.4.56 on a Linux system, and version 6.0.9.1 and engine version 4.4.4 on a Windows system. Other versions may also be affected.

Our in-tree version doesn't even work properly anymore:

```
# f-prot 2008-snot.zip.bla
The SIGN.DEF file is too old to be of use.
It will probably only detect a fraction of the viruses that exist today.
Please obtain and install an up-to-date version.
# /opt/f-prot/tools/check-updates.pl
Server error on remote machine.
Fatal error. Exiting...
```

http://www.f-prot.com/download/trial/ says 6.0.2 is the newest linux version, but I confirmed it to be vulnerable. I've mailed them.

They asked me to submit the exploit, which I did, no further news here.

Their reply:

```
################################################################################
Hello again Craig.

Our viruslab has received the submitted file but unfortunately it was corrupted
so they could not use it. Please try again to submit the file that is being
detected as CVE-2008-3447. You can send it in a password protected zip file as
a reply to this e-mail or submit it directly to our viruslab here:
http://www.f-prot.com/virusinfo/submission_form.html

Please do not hesitate to contact us again if you require further information
or assistance.
################################################################################
```

Did I crash their online-scanner? Uhm...well, they requested it. I replied back and provided them with the link to Milw0rm.
When run, 6.0.1 says:

```
F-PROT Antivirus version 6.2.1
FRISK Software International (C) Copyright 1989-2007
Engine version: 4.4.2.54
Virus signatures: 2009040117552b8928ed8ded62e59086feda01954876 (/opt/f-prot/antivir.def)
```

6.0.2:

```
F-PROT Antivirus version 6.2.1.4252 (built: 2008-04-28T16-44-10)
FRISK Software International (C) Copyright 1989-2007
Engine version: 4.4.4.56
Virus signatures: 200804271455d25e6f60ac5f581e45c3c415e28c2452 (/opt/f-prot/antivir.def)
```

http://milw0rm.com/sploits/2008-snot.zip.bla (bug #233928) stalls both! I'll try contacting upstream again.

is that with updated virus definition stuff?

never mind, I just tried that, indeed hangs, sorry for the noise.

No problem, their versioning confused me, too.

Concerning the confusion about the version numbering first:

- Product (scanner, updater, milter ...): 6.0.1 or 6.0.2
- CLS: 6.2.1 (the newer version contains a build number: 6.2.1 4252, this new format will be followed through in future)
- Engine: 4.4.4.56 == version 4.4.4 build 56 *and* someone apparently forgot to bump the latter one in the April/May release of the Unix products.

In general the same version of the command line scanner (CLS) can be built with different engine versions. However, in future the build number will also change visibly in such cases.

About comment #3, you obviously still have the old version 3 installed. See http://www.f-prot.com/products/home_use/linux/ (the new name would be fpscan, not f-prot ;)). And yes, this one was discontinued, so to speak. So no new DEFs either.

Further note: the scan engine developers will be in the loop for such security issues from now on (sent to security <at> f <dash> prot <dot> com). Previously this was trickling "down" (or up, however you see it) from support.

The bug will be fixed in engine version 4.5.0, for which the updated products are *likely* (note the uncertainty!) going to be released before June 2009.
The fix was supposed to have gone into the version 6.0.2 of the Unix products, but I verified in our VCS that it hasn't, but that the current release candidate doesn't choke on the file:

```
$ ./fpscan --report --verbose=3 ./test/
F-PROT Antivirus version 6.3.1.4739 (built: 2009-04-03T17-34-02)
FRISK Software International (C) Copyright 1989-2009
Engine version: 4.5.0.73
Virus signatures: 200904031534820fa2eb753bdc4bbc70077a81433596 (/home/builder/olli/test_engine_build/Engine_4/fpcmd-ng/antivir.def)
...
[Clean] ./test/2008-snot.zip.bla->cheese/abcdabc/lr.vfd (Filetype: 57)
[Error] <Scanning error> ./test/2008-snot.zip.bla (Filetype: 18)
[Error] <I/O error> ./test/2008-snot.zip.bla
-------------------------------------------------
```

Thanks for "nudging" us again,
// Oliver

PS: For cross-reference, we have this bug filed as number 267 in our tracker.

The answer to my mail in #6:

> Hello, this bug will be fixed in our upcoming engine update (v4.5)
>
> Regards,
> Bjartmar Kristjansson. Virus analyst. FSI Virus Research Lab
> bjartmar@f-prot.com

In #3 I was referring to our (by that time very outdated) in-tree version. 6.0.3 seems to be available?

Indeed: http://www.f-prot.com/download/home_user/download_fplinux.html

It does not hang here. So, Antivirus, please provide an updated ebuild.

Well, that looks like a sort of "no". This seems to be all we got now: http://www.f-prot.com/download/trial_forms/linux-ws-tgz.html

which is an unversioned link to a download, just x86.

I think we better punt this package, as it seems with each release less platforms are supported, and frisk's motivation to support non-Windows is dying.

Yes, it's ok with me to kill it.

```
# Fabian Groffen <grobian@gentoo.org> (06 Mar 2010)
# Masked for security issues and discontinued interest from upstream to
# support non-Windows platforms.
# Bug #233928
# Pending removal on April 6, 2010
app-antivirus/f-prot
```

(In reply to comment #14)
> This seems to be all we got now:
> http://www.f-prot.com/download/trial_forms/linux-ws-tgz.html
>
> which is an unversioned link to a download, just x86.
>
> I think we better punt this package, as it seems with each release less
> platforms are supported, and frisk's motivation to support non-Windows is
> dying.

This is rather sad ... I've been using F-Prot since it came out on DOS, and it always was one of the best AV programs out there. Even respected by the virus writers themselves :-)

What's the recommended alternative?

Thanks, Ian

I totally agree, but I feel we've been left no choice :(

it's sad.., but now it's gone. 8(

Package has been removed from the tree. I guess that closes this bug.

There is no need to keep this open???? f-prot is gone

Mask/Removal GLSA vote: no

No, too, closing noglsa.
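The thread above turns on the fact that the product version (6.0.x) says nothing about whether an install is affected; upstream ties the fix to engine 4.5.0, and the engine version only appears in the scanner banner. The following is an added example, not code from Gentoo or FRISK, that parses the banner lines quoted in this bug and flags engines older than 4.5.0. The sample banners are constructed from the output quoted in the comments; the `FIXED_ENGINE` threshold is taken from upstream's statement in this bug, and comparing only the first three components (treating the fourth as a build number) is an assumption based on Oliver's description of the numbering.

```python
import re

# Constructed sample banners: the first lines of the f-prot/fpscan output
# quoted in this bug for the 6.0.1 build, the 6.0.2 build and the 4.5.0
# release candidate.
SAMPLE_BANNERS = {
    "6.0.1": (
        "F-PROT Antivirus version 6.2.1\n"
        "FRISK Software International (C) Copyright 1989-2007\n"
        "Engine version: 4.4.2.54\n"
    ),
    "6.0.2": (
        "F-PROT Antivirus version 6.2.1.4252 (built: 2008-04-28T16-44-10)\n"
        "FRISK Software International (C) Copyright 1989-2007\n"
        "Engine version: 4.4.4.56\n"
    ),
    "rc": (
        "F-PROT Antivirus version 6.3.1.4739 (built: 2009-04-03T17-34-02)\n"
        "FRISK Software International (C) Copyright 1989-2009\n"
        "Engine version: 4.5.0.73\n"
    ),
}

# Upstream stated in this bug that the hang is fixed in engine 4.5.0.
FIXED_ENGINE = (4, 5, 0)

_CLS_RE = re.compile(r"^F-PROT Antivirus version\s+([0-9]+(?:\.[0-9]+)*)", re.M)
_ENGINE_RE = re.compile(r"^Engine version:\s*([0-9]+(?:\.[0-9]+)*)\s*$", re.M)


def _as_tuple(version: str) -> tuple:
    """'4.4.4.56' -> (4, 4, 4, 56); integer tuples compare correctly,
    unlike raw strings ('4.10' vs '4.9')."""
    return tuple(int(part) for part in version.split("."))


def parse_banner(text: str) -> tuple:
    """Return (cls_version, engine_version) as integer tuples from banner text.

    Raises ValueError if either line is missing, so a truncated or foreign
    banner is never silently treated as 'not affected'.
    """
    cls = _CLS_RE.search(text)
    eng = _ENGINE_RE.search(text)
    if cls is None or eng is None:
        raise ValueError("banner does not contain both version lines")
    return _as_tuple(cls.group(1)), _as_tuple(eng.group(1))


def engine_is_affected(engine: tuple) -> bool:
    """True if the engine predates 4.5.0.

    Assumption (from the numbering explanation in this bug): the fourth
    component is a build number, so only major.minor.patch is compared.
    Shorter tuples are padded with zeros so (4, 5) compares as (4, 5, 0).
    """
    core = tuple(engine[:3]) + (0,) * (3 - len(engine[:3]))
    return core < FIXED_ENGINE


def assess(text: str) -> dict:
    """Summarise one banner: which CLS/engine it reports and whether it is affected."""
    cls, eng = parse_banner(text)
    return {"cls": cls, "engine": eng, "affected": engine_is_affected(eng)}


if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        result = assess(banner)
        print(f"{label:>5}: engine {'.'.join(map(str, result['engine']))} "
              f"-> {'AFFECTED' if result['affected'] else 'fixed'}")
```

In practice the banner would come from running the installed scanner and capturing its first lines; the point of the example is that the decision must be keyed on the `Engine version:` line, not on the product or CLS number, which is exactly the confusion the reporter and upstream untangle above.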