Bug 245450 (CVE-2008-5050)

Summary: app-antivirus/clamav < 0.94.1 buffer overflow vulnerability (CVE-2008-5050)
Product: Gentoo Linux
Reporter: Nathan Phillip Brink (binki) (RETIRED) <binki>
Component: New packages
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: antivirus, ap, glua, kevin, net-mail+disabled, phajdan.jr
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://archives.neohapsis.com/archives/fulldisclosure/2008-11/0192.html
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 243332    
Bug Blocks:    
Attachments: replaces clamav-0.94-buildfix.patch because of changes in configure.in
fixes libtool issue, adds deps for FEATURES=test, adds ipv6 useflag

Description Nathan Phillip Brink (binki) (RETIRED) gentoo-dev 2008-11-03 22:30:50 UTC
ClamAV-0.94.1 was released today, I think.

Reproducible: Always

Steps to Reproduce:
Comment 1 Nathan Phillip Brink (binki) (RETIRED) gentoo-dev 2008-11-03 22:47:07 UTC
Created attachment 170653 [details, diff]
replaces clamav-0.94-buildfix.patch because of changes in configure.in

Version 0.94.1 of ClamAV changed the configure.in script enough to prevent the previous patch from working.
Comment 2 Nathan Phillip Brink (binki) (RETIRED) gentoo-dev 2008-11-03 23:04:32 UTC
Created attachment 170655 [details, diff]
fixes libtool issue, adds deps for FEATURES=test, adds ipv6 useflag

The new ClamAV release includes some files from the newer version of libtool in m4/. This ebuild deletes m4/{libtool,lt*}.m4 because stable Gentoo users will come up with weird errors such as I described in https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1251 .
Also this patch adds inheritance of the versionator eclass. This is used to support renaming the ebuild to clamav-0.94.1_rc1.ebuild, which I did, because ClamAV named the package clamav-0.94.1rc1.ebuild (they left out the underscore).
This patch also adds the ipv6 useflag, since there is optional ipv6 support {en/dis}able-able through the configure script.
And, this ebuild patch adds dependencies for the tools ClamAV uses to test itself for when FEATURES=test. However, I think ClamAV-0.94.1 and ClamAV-0.94.1_rc1 will fail their valgrind tests unless bug #245226 is fixed or a patch is made to unit_tests/valgrind.supp to support running valgrind's helgrind under libsandbox.so.
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-09 16:13:01 UTC
*** Bug 246176 has been marked as a duplicate of this bug. ***
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-09 16:13:59 UTC
(In reply to comment #1)
> Created an attachment (id=170653) [edit]
> replaces clamav-0.94-buildfix.patch because of changes in configure.in
> 
> version 0.94.1 of clamAV changed the configure.in script enough to prevent the
> previous patch from working.
> 

Thanks for your ebuild Nathan, I'll take a look at it (and probably commit it) later on this evening.
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-09 21:50:23 UTC
(In reply to comment #4)
> Thanks for your ebuild Nathan, I'll take a look at it (and probably commit it)
> later on this evening.
> 

I encounter failing DUMA tests - I'll need to take a look at it tomorrow.
Comment 6 Nathan Phillip Brink (binki) (RETIRED) gentoo-dev 2008-11-10 02:34:12 UTC
(In reply to comment #5)
> 
> I encounter failing DUMA tests - I'll need to take a look at it tomorrow.
> 
Are you using amd64? If so, you may have experienced the same bug #243332 - the stable duma always crashes for me, while the unstable one doesn't (though I'm not extensively testing it)

(In reply to comment #4)

> 
> Thanks for your ebuild Nathan, I'll take a look at it (and probably commit it)
> later on this evening.
> 

You're welcome.

I'd just like to comment on the progress of bug #245226 which became a dup of
bug #235581. To compile and test ClamAV successfully with FEATURES="sandbox
test", the svn trunk version of sandbox is needed. From what I understand, for
the current version of sandbox (version 1.2*), the "sandbox" or "usersandbox"
and "test" FEATURES flags would be mutually exclusive for ClamAV. My ClamAV
ebuild installs fine with FEATURES="usersandbox sandbox -test" and
FEATURES="-sandbox -usersandbox test".

Valgrind's helgrind reports errors about sandbox-1.2* when make check runs a
ClamAV executable. This is because ClamAV is multithreaded and is rooted in bug
#235581.
However, ClamAV hasn't segfaulted on my machine because of the bad
sandbox-1.2*. This leaves, in my opinion, three options for supporting users
with FEATURES=test:
1. Warn the user to choose between FEATURES="sandbox usersandbox -test" and
FEATURES="test -sandbox -usersandbox"
2. Patch the ClamAV test suite to add the valgrind suppressions I listed in bug
#245226 if the user has sandbox-1.2* installed. This allows the testsuite to
actually test the ClamAV code, ignoring errors in the user's sandbox
installation (which is guaranteed to be wrong).
3. Change the  to require a version of sandbox that isn't yet in the Portage
tree, but only if the test useflag is enabled. My patch has a pair of lines
which would be changed to something like:
-       test? ( dev-libs/check )
+       test? ( dev-libs/check dev-util/duma dev-util/valgrind
>=sys-apps/sandbox-1.2.20 )
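Review bot: the >=sys-apps/sandbox-1.2.20 atom on the + line sits inside test? ( ... ), and the surrounding text says that version is not yet in the Portage tree, so until it lands anyone enabling the test flag gets an unresolvable dependency instead of a build that merely skips or fails the tests. Consider keeping the added line to "test? ( dev-libs/check dev-util/duma dev-util/valgrind )" and covering the sandbox requirement with a warning until a satisfying version is available. All of these atoms are needed only to build and run the test suite, so the line belongs in DEPEND rather than in a variable that also feeds RDEPEND.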
This would allow people to install the package with FEATURES="-test" and would
automatically work for FEATURES="test" when the next version of sandbox comes
out. 

I'm not sure which choice is best, but I'm guessing that you'll want a quick
fix because of the "buffer overflow vulnerability" in older ClamAVs. Maybe an
ewarn about building with FEATURES="test" would be enough.


Concerning dependencies in general: I think the conditional dependencies for the "test"
useflag should be moved from COMMON_DEPEND into DEPEND. I'm pretty sure that no
code linked to dev-libs/check is installed. Running ldd on all the clamav
binaries showed no links to /usr/lib*/libcheck.so*. Thus, RDEPEND shouldn't
have the dependencies used for testing ClamAV in it.
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-10 21:04:34 UTC
(In reply to comment #6)
> > I encounter failing DUMA tests - I'll need to take a look at it tomorrow.
> > 
> Are you using amd64? If so, you may have experienced the same bug #243332 - the
> stable duma always crashes for me, while the unstable one doesn't (though I'm
> not extensively testing it)

hrm, yeah ... duma-2.5.13 works for me on amd64, adjusted the dep.
 
> Concerning dependencies in general: I think the conditional dependencies for
> the "test"
> useflag should be moved from COMMON_DEPEND into DEPEND. I'm pretty sure that no
> code linked to dev-libs/check is installed. Running ldd on all the clamav
> binaries showed no links to /usr/lib*/libcheck.so*. Thus, RDEPEND shouldn't
> have the dependencies used for testing ClamAV in it.

Also moved the test deps into COMMON_DEPEND.

So, 0.94.1 is in CVS. I had to drop the following keywords due to either valgrind or duma not being keyworded (or both of them):

  KEYWORDS.dropped              1
   app-antivirus/clamav/clamav-0.94.1.ebuild: alpha hppa ia64 ppc64 sparc x86-fbsd

Also we'd need duma-2.5.13 stable for the tests to pass (at least on amd64). Plus tests won't pass when run with sandbox enabled (it's supposed to be fixed in sandbox svn, which won't help us for now), so expect tests to pass with a) >=duma-2.5.13 and b) FEATURES="-sandbox".
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-10 21:17:37 UTC
Okies, we had a quick vote on #gentoo-security, 3 out of 3 voted to restrict tests for now. I committed that change and re-added the dropped keywords. There we go :)
Comment 9 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-10 21:19:40 UTC
Arches, please test and mark stable:
  =app-antivirus/clamav-0.94.1

Target keywords: alpha amd64 hppa ia64 ppc ppc64 sparc x86
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2008-11-12 18:22:24 UTC
ppc64 stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2008-11-13 22:31:14 UTC
Stable for HPPA.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2008-11-14 10:30:28 UTC
alpha/ia64/sparc/x86 stable
Comment 13 Markus Meier gentoo-dev 2008-11-15 10:58:09 UTC
amd64 stable
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-15 17:53:23 UTC
ppc stable
Comment 15 Nathan Phillip Brink (binki) (RETIRED) gentoo-dev 2008-12-12 13:37:32 UTC
(In reply to comment #9)
> Arches, please test and mark stable:
>   =app-antivirus/clamav-0.94.1
> 
> Target keywords: alpha amd64 hppa ia64 ppc ppc64 sparc x86
> 

app-antivirus/clamav-0.94.1 is stable for all of the above keywords. It seems this bug is fixed.
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-12 13:41:39 UTC
Re-open, the GLSA needs to be sent out before this one can be closed.
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-12-23 22:17:55 UTC
GLSA 200812-21