Bug 628194

Summary:	<app-antivirus/clamav-0.101.0: multiple vulnerabilities through embedded/forked UnRAR version (CVE-2017-{12940,12941,12942})
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	ajak, antivirus, net-mail+disabled
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B2 [noglsa cve]
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	628178

Description GLSAMaker/CVETool Bot gentoo-dev

2017-08-18 15:07:55 UTC

CVE-2017-12940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12940):
  libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the
  EncodeFileName::Decode call within the Archive::ReadHeader15 function.

CVE-2017-12941 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12941):
  libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the
  Unpack::Unpack20 function.

CVE-2017-12942 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12942):
  libunrar.a in UnRAR before 5.5.7 has a buffer overflow in the Unpack::LongLZ
  function.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2017-08-18 15:09:46 UTC

Please see the tracker bug 628178 for more details.

It isn't clear at the moment if ClamAV's own libunrar is affected or not.

Comment 2 Thomas Raschbacher gentoo-dev

2018-07-12 05:42:19 UTC

good question ..

on the blog they mention this:

Buffer over-read in unRAR code due to missing max value checks in table initialization. Reported by Rui Reis.

(Section Fixes for a few additional bugs)

and i found this: -- no clue if that is it:
https://github.com/Cisco-Talos/clamav-devel/commit/d2aa492c7f9c3560f6421be0bd81d72c55fd1081
https://github.com/Cisco-Talos/clamav-devel/commit/65ed9df7f1a635ca7dd1799d656d805eab86158d

Comment 3 Sam James archtester

2020-03-15 03:39:35 UTC

(In reply to Thomas Raschbacher from comment #2)
> good question ..
> 
> on the blog they mention this:
> 
> Buffer over-read in unRAR code due to missing max value checks in table
> initialization. Reported by Rui Reis.
> 
> (Section Fixes for a few additional bugs)
> 
> and i found this: -- no clue if that is it:
> https://github.com/Cisco-Talos/clamav-devel/commit/
> d2aa492c7f9c3560f6421be0bd81d72c55fd1081
> https://github.com/Cisco-Talos/clamav-devel/commit/
> 65ed9df7f1a635ca7dd1799d656d805eab86158d

Note that 0.101.0 [0] has replaced the old unrar lib:
>Support for RAR v5 archive extraction! 
>We replaced the legacy C-based unrar implementation with RarLabs UnRAR 5.6.5 library.
>Licensing is the same as before, although our libclamunrar_iface supporting library has changed from LGPL to the BSD 3-Clause license.

[0] https://blog.clamav.net/2018/12/clamav-01010-has-been-released.html

Comment 4 John Helmert III archtester

2020-06-12 05:56:49 UTC

(In reply to Sam James (sec padawan) from comment #3)
> Note that 0.101.0 [0] has replaced the old unrar lib:
> >Support for RAR v5 archive extraction! 
> >We replaced the legacy C-based unrar implementation with RarLabs UnRAR 5.6.5 library.
> >Licensing is the same as before, although our libclamunrar_iface supporting library has changed from LGPL to the BSD 3-Clause license.
> 
> [0] https://blog.clamav.net/2018/12/clamav-01010-has-been-released.html

UnRAR 5.6.5 was never a vulnerable version and we only have ClamAV newer than 0.101.0 in the tree, so we should be good here as far as ClamAV is concerned, right?

Comment 5 Sam James archtester

2020-06-13 18:37:40 UTC

(In reply to John Helmert III (ajak) from comment #4)
> UnRAR 5.6.5 was never a vulnerable version and we only have ClamAV newer
> than 0.101.0 in the tree, so we should be good here as far as ClamAV is
> concerned, right?

ClamAV stopped shipping the vulnerable one in late 2018 with the fixed 0.101.0.

Cleanup done early 2019: https://gitweb.gentoo.org/repo/gentoo.git/commit/app-antivirus/clamav?id=c12ddccad01d344a1b5b5ed9d5b2a0f3be9a8717.

So yep!