Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 178082 - app-antivirus/clamav < 0.90.3: multiple DoS issues (CVE-2007-2650, CVE-2007-302[345], CVE-2007-312[23])
Summary: app-antivirus/clamav < 0.90.3: multiple DoS issues (CVE-2007-2650, CVE-2007-3...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/25244/
Whiteboard: B3 [glsa] p-y
Keywords:
: 180469 (view as bug list)
Depends on:
Blocks:
 
Reported: 2007-05-11 18:00 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2007-06-15 17:24 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-11 18:00:11 UTC
Victor Stinner has reported a vulnerability in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the OLE2 parser when handling objects with malformed FAT partitions and large property sizes. This can be exploited to cause a DoS due to storage and CPU resource consumption by scanning a specially crafted OLE2 file.

Solution:
There is no known solution at this time.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-11 18:02:58 UTC
setting status, cc'ing herds, and waiting for upstream.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-30 12:56:05 UTC
adding CVE ref: CVE-2007-2650, still no solution from upstream.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-31 17:45:01 UTC
seems upstream fixed this in version 0.90.3 (see bug #180469).
maintainers, please advise and bump as necessary.
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2007-06-01 06:01:04 UTC
*** Bug 180469 has been marked as a duplicate of this bug. ***
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2007-06-01 06:01:38 UTC
I'm not sure exactly what is fixed with this release. For once the Changelog is a bit vague. Maintainers please advise.
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-01 09:09:37 UTC
All these are fixed in 0.90.3:

    - libclamav/unsp.c: fix end of buffer calculation (bb#464, patch from aCaB)
 --> i can't see how this could be exploitable for something more severe than a DoS. See the patch here: https://wwws.clamav.net/bugzilla/attachment.cgi?id=338


    - libclamav/others.c: use strict permissions (0600) for temporary files
      created in cli_gentempstream() (bb#517). Reported by Christoph Probst.
 --> insecure creation of temporary file

    - libclamav/ole2_extract.c: detect block list loop (bb#466), patch from Trog
 --> DoS

    - libclamav/phishcheck.c: bb #497
 --> Hang on Solaris

    - libclamav/unrar/unrar.c: Bug #521, #368
 --> heap corruption, DoS (apparently non exploitable for code injection)


Maintainer(s), please bump 0.90.3 if possible, thanks.
Comment 7 Andrej Kacian (RETIRED) gentoo-dev 2007-06-01 20:15:11 UTC
0.90.3 has been in the tree shortly after the release. I merely judged (from the ChangeLog, as well as from lack of any other updates on this elsewhere) that the particular OLE2 vulnerability is not addressed.
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2007-06-02 14:20:26 UTC
Thx for the clarification Ticho.

Arches please test and mark stable. Target keywords are:

clamav-0.90.3.ebuild:KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd"
Comment 9 Christoph Mende (RETIRED) gentoo-dev 2007-06-02 14:49:22 UTC
amd64 done
Comment 10 Emanuele Gentili 2007-06-02 14:52:18 UTC
1. emerges on x86
2. passes test suite
3. passes collision test
4. works

Portage 2.1.2.7 (default-linux/x86/2006.1, gcc-4.1.2, glibc-2.5-r3,
2.6.17-gentoo-r8-panic i686)
=================================================================
System uname: 2.6.17-gentoo-r8-panic i686 Intel(R) Pentium(R) M processor
2.00GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 02 Jun 2007 14:00:01 +0000
ccache version 2.4 [disabled]
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O3 -march=pentium-m -msse2 -mmmx -msse -mfpmath=sse
-fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O3 -march=pentium-m -msse2 -mmmx -msse -mfpmath=sse
-fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox
sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="it_IT.UTF-8"
LC_ALL="C"
LINGUAS="it"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/webapps-experimental
/usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acpi adns alsa apache arts asf ati avi bash-completion beagle
berkdb bitmap-fonts browserplugin bzip2 cairo caps cdr cli cracklib crd crypt
cups curl daap dbus dga djvu dmi dri dts dvd dvdr dvi emacs evo exif fbcon
ffmpeg firefox flac foomatic fortran gdbm gif gimpprint glitz gnome gnutls gpm
gtk hal i810 iconv imagemagick intel ipod ipv6 isdnlog java jpeg kde libg++
libnotify libsexy lns mad midi mmap mmx mng mono mozilla moznocompose moznoirc
moznomail mozsvg mp3 mp4 mpeg mudflap musepack nautilus ncurses network njb nls
nptl nptlonly nsplugin numeric ogg ole opengl openmp openntpd oss pam pcre pdf
perl php png portaudio posix ppds pppd pwdb python qt qt3 radeon readline real
reflection samba sdl session sndfile spl sse sse2 ssl svg t1lib tcpd test
theora threads truetype-fonts type1-fonts unicode usb v4l vcd vorbis
win32codecs wma wmf wmv wxwindows x264 x86 xine xml2 xorg xvid zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1
emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m
maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse synaptics"
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001
mtxorb ncurses text" LINGUAS="it" USERLAND="GNU" VIDEO_CARDS="vesa i810 vga"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS,
PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

For me Stable in x86
Comment 11 Jeroen Roovers gentoo-dev 2007-06-02 15:22:29 UTC
Stable for HPPA.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2007-06-02 16:03:32 UTC
alpha/ia64/x86 stable
Comment 13 René Nussbaumer (RETIRED) gentoo-dev 2007-06-02 20:11:56 UTC
stable on ppc.
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2007-06-03 10:35:40 UTC
ppc64 stable
Comment 15 Gustavo Zacarias (RETIRED) gentoo-dev 2007-06-04 12:34:57 UTC
sparc stable.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-04 12:48:03 UTC
This one is ready for GLSA decision. I tend to vote NO.
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2007-06-04 14:55:53 UTC
I tend to vote NO too.
Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-07 21:21:10 UTC
ClamAV DoS means MTA DoS, which is evil. I fully vote Yes.
Comment 19 Sune Kloppenborg Jeppesen gentoo-dev 2007-06-08 06:17:11 UTC
Amavisd-new does indeed pull this in.

Changing my vote to full YES.
Comment 20 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-10 17:54:42 UTC
(In reply to comment #7)
> 0.90.3 has been in the tree shortly after the release. I merely judged (from
> the ChangeLog, as well as from lack of any other updates on this elsewhere)
> that the particular OLE2 vulnerability is not addressed.
> 

AFAICT the OLE2 vulnerability, clamav bug #466 [1], is fixed in 0.9.3 (patch by Thomasz Kojm, Tue May 29 17:42:12 CEST 2007 [2] )

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=466
http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog
Comment 21 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-15 17:24:31 UTC
GLSA 200706-05