Bug 253497 (CVE-2008-5747)

Summary: <app-antivirus/f-prot-6.0.1 scanning engine circumvention (CVE-2008-5747)
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: antivirus, grobian
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.securityfocus.com/archive/1/499305/100/0/threaded
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2009-01-02 23:11:09 UTC
CVE-2008-5747 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5747):
  F-Prot 4.6.8 for GNU/Linux allows remote attackers to bypass
  anti-virus protection via a crafted ELF program with a "corrupted"
  header that still allows the program to be executed.  NOTE: due to an
  error in the initial disclosure, F-secure was incorrectly stated as
  the vendor.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-02 23:20:08 UTC
from $URL:
"frisk f-prot com
Version 4.6.8 is an old, obsolete version of F-PROT that is no longer supported by the developers.

We no longer release regular virus definition updates for this version, and as far as we know, we have no paying customers of F-PROT 4.6.8 for Linux.

The security issue is not present in the current version."

Antivirus, please update to 6.0.2 (see http://www.f-prot.com/download/home_user/) and remove 4.6.7. This would also fix #233928 and #232665! :)
Comment 2 Fabian Groffen gentoo-dev 2009-04-02 15:42:00 UTC
once the 6.* version goes stable, we can finally remove the 4.x version.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-02 16:36:45 UTC
Arches, please test and mark stable:
=app-antivirus/f-prot-6.0.2
Target keywords : "amd64 x86"
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-02 17:17:32 UTC
This does not fix #233928!

Fabian, the latest versions are:

Linux Workstation 32 bit	6.0.2
Linux Workstation 64 bit	6.0.2
FreeBSD Workstation	6.0.1

But f-prot-6.0.1.ebuild has:
KEYWORDS="~amd64 -sparc ~x86"

Shouldn't it have ~ppc, too?!

CVE-2008-3243 only *seems* to affect Versions <6.0.9.0 on Windows, NIST lists the Windows changelog as CONFIRM for it.
Comment 5 Fabian Groffen gentoo-dev 2009-04-02 17:22:12 UTC
(In reply to comment #4)
> This does not fix #233928!
> 
> Fabian, the latest versions are:
> 
> Linux Workstation 32 bit        6.0.2
> Linux Workstation 64 bit        6.0.2
> FreeBSD Workstation     6.0.1
> 
> But f-prot-6.0.1.ebuild has:
> KEYWORDS="~amd64 -sparc ~x86"
> 
> Shouldn't it have ~ppc, too?!

~ppc and ~x86-fbsd are not in there, as I couldn't test on those arches, and they were not previously keyworded.  Since 6.0.1 is still vulnerable, I'm first waiting for you guys, before I will ask the respective arch-teams to look at it.

> CVE-2008-3243 only *seems* to affect Versions <6.0.9.0 on Windows, NIST lists
> the Windows changelog as CONFIRM for it.

That means all versions for non-Windows are affected and useless.  (If we ignore the version that fpscan spits out, and go by the version as announced on the download webpage.)
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-02 22:38:31 UTC
Well, but we still should stabilize 6.0.2, because it fixes CVE-2008-5747.
The other bugs will be handled when updates are available. Sorry for this, re-adding arches.

Arches, please test and mark stable:
=app-antivirus/f-prot-6.0.2
Target keywords : "amd64 x86"
Comment 7 Markus Meier gentoo-dev 2009-04-04 14:43:32 UTC
amd64/x86 stable, all arches done.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-04 15:09:49 UTC
Ready for vote, I vote YES.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-08 22:41:00 UTC
Yes, too. Request filed.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-14 20:53:09 UTC
GLSA 200904-14