Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 157698 - app-antivirus/clamav DoS (CVE-2006-6481)
Summary: app-antivirus/clamav DoS (CVE-2006-6481)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3? [glsa] jaervosz
Keywords:
: 156772 157438 (view as bug list)
Depends on:
Blocks:
 
Reported: 2006-12-10 01:07 UTC by Sune Kloppenborg Jeppesen
Modified: 2006-12-18 12:13 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2006-12-10 01:07:02 UTC
Debian reports (DSA 1232-1):

Stephen Gran discovered that malformed base64-encoded MIME attachments
can lead to denial of service through a null pointer dereference.

CVE and Debian advisory/Changelog not yet updated so I'm not sure what this issue really is.
Comment 1 Andrej Kacian (RETIRED) gentoo-dev 2006-12-10 02:57:31 UTC
I have a fix (from upstream CVS), that makes clamav detect the virus.

However, if enough nestings are used (I tried with $loop = 4000 in proof of concept script[1]), clamav still crashes. Thus, upstream's fix is not enough.

See [2] for more info about the issue.

1. http://www.quantenblog.net/download/perl/virus
2. http://www.quantenblog.net/security/virus-scanner-bypass
Comment 2 Andrej Kacian (RETIRED) gentoo-dev 2006-12-10 02:59:12 UTC
*** Bug 157438 has been marked as a duplicate of this bug. ***
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2006-12-10 03:08:05 UTC
Since this is also a DoS it's more than a anti-virus bypass.
Comment 4 Andrej Kacian (RETIRED) gentoo-dev 2006-12-11 07:12:26 UTC
Newly released 0.88.7 is now in the tree. I can confirm that it fixes both scanner bypassing, and DoS when enough base64 nestings are used (if you consider 40000 nestings enough, that is :) ).
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2006-12-11 08:12:54 UTC
Thx Andrej. Arches please test and mark stable. Target keywords are:

clamav-0.88.6.ebuild:KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2006-12-11 08:46:54 UTC
ppc stable
Comment 7 Dustin J. Mitchell 2006-12-11 09:22:52 UTC
Works fine for me (except USE=milter -- I don't have or use sendmail).
Scanning /tmp with clamscan seems to work.

Gentoo Base System version 1.12.5
Portage 2.1.1-r1 (default-linux/amd64/2006.1, gcc-4.1.1, glibc-2.4-r3, 2.6.15-gentoo-r72006040301 x86_64)
=================================================================
System uname: 2.6.15-gentoo-r72006040301 x86_64 AMD Athlon(tm) 64 Processor 3700+
Last Sync: Mon, 11 Dec 2006 16:20:02 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect confcache digest distlocks metadata-transfer multilib-strict sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.chem.wisc.edu/gentoo/"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.us.gentoo.org/gentoo-portage"
USE="amd64 berkdb bitmap-fonts cli cracklib crypt cups dlloader dri elibc_glibc fortran gdbm gpm iconv input_devices_evdev input_devices_keyboard input_devices_mouse ipv6 isdnlog kernel_linux libg++ ncurses nls nptl nptlonly pam pcre perl ppds pppd python readline reflection session spl ssl tcpd truetype-fonts type1-fonts udev unicode userland_GNU video_cards_apm video_cards_ark video_cards_ati video_cards_chips video_cards_cirrus video_cards_cyrix video_cards_dummy video_cards_fbdev video_cards_glint video_cards_i128 video_cards_i810 video_cards_mga video_cards_neomagic video_cards_nv video_cards_rendition video_cards_s3 video_cards_s3virge video_cards_savage video_cards_siliconmotion video_cards_sis video_cards_sisusb video_cards_tdfx video_cards_tga video_cards_trident video_cards_tseng video_cards_v4l video_cards_vesa video_cards_vga video_cards_via video_cards_vmware video_cards_voodoo xorg zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 8 Dustin J. Mitchell 2006-12-11 09:27:14 UTC
AT / # freshclam 
ClamAV update process started at Mon Dec 11 17:28:48 2006
main.cvd is up to date (version: 41, sigs: 73809, f-level: 10, builder: tkojm)
Downloading daily.cvd [*]
daily.cvd updated (version: 2315, sigs: 6758, f-level: 9, builder: ccordes)
Database updated (80567 signatures) from database.clamav.net (IP: 63.166.28.8)

so freshclam works too
Comment 9 Daniel Gryniewicz (RETIRED) gentoo-dev 2006-12-11 09:41:22 UTC
amd64 done.
Comment 10 Steve Dibb (RETIRED) gentoo-dev 2006-12-11 11:27:48 UTC
*** Bug 156772 has been marked as a duplicate of this bug. ***
Comment 11 Hanno Boeck gentoo-dev 2006-12-11 12:30:43 UTC
Not glsa-relevant, but 0.90_rc2 should be patched, too.
Comment 12 Bryan Østergaard (RETIRED) gentoo-dev 2006-12-11 16:35:12 UTC
Stable on Alpha + ia64.
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-15 07:49:19 UTC
it's about the evasion technique.

I vote GLSA, but i already know other members of the team will vote no :)

Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2006-12-15 08:12:58 UTC
No, this is a DoS issue not evasion. I vote YES.

Though we still need the hppa keyword.
Comment 15 Wolf Giesen (RETIRED) gentoo-dev 2006-12-15 10:20:40 UTC
Yes++
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2006-12-16 11:57:17 UTC
Of course it is clamav-0.88.7 that is target for stable marking.
Comment 17 René Nussbaumer (RETIRED) gentoo-dev 2006-12-17 13:45:29 UTC
stable on hppa. Sorry for the delay
Comment 18 Sune Kloppenborg Jeppesen gentoo-dev 2006-12-18 12:13:46 UTC
Thx everyone.

GLSA 200612-18