We need 0.94 in the tree!

A vulnerability has been reported in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in libclamav/chmunpack.c when processing malformed CHM files. This can be exploited to cause an invalid memory access via a specially crafted CHM file. The vulnerability is reported in versions prior to 0.94. Other versions may also be affected.

Note: Various other issues, where some may be security related, were also fixed.

Sources:
http://secunia.com/advisories/31725/
http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog
I was the guy who found this vuln. It isn't that critical, the vulnerable module has been remotely disabled on 0.93 installations.
Regular update, then.
Remotely disabled?! I do not understand how you mean that.
Sorry for the bug spam, I found this: "The clamav team has disabled the chm module in older versions through freshclam updates and has released 0.94 with a fixed parser."
(In reply to comment #2)
> Regular update, then.

I don't quite agree. Although the module has been disabled, the vulnerability still exists (it even has a CVE!) and, as far as I can tell, users who don't use freshclam may still be affected. So assigning to security.
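The point above is that a host which does not run freshclam never receives the signature update that disables the CHM module, so the only reliable indicator is the engine version itself. The following is an added example (not code from this bug or from the ClamAV project) that reads the banner printed by `clamscan --version` and reports whether the engine is older than the fixed release 0.94 named in the advisory. The banner layout it parses (engine version, then database version and date, separated by `/`) is the one clamscan prints; the sample banners in the block are constructed, and the `check_installed` helper assumes a `clamscan` binary on PATH.

```python
import re
import subprocess

# First release carrying the chmunpack.c fix, per the advisory quoted in this bug.
FIXED = (0, 94)

# Matches the leading engine version of a banner such as
# "ClamAV 0.93.3/8159/Thu Sep  4 15:36:57 2008", with an optional rc/pre suffix.
_BANNER = re.compile(r"ClamAV\s+(\d+(?:\.\d+)*)(rc\d*|pre\d*)?", re.IGNORECASE)


def parse_clamav_version(banner):
    """Turn a clamscan --version banner into a comparable integer tuple.

    Only the engine version is used; the signature-db version and date that
    follow the first '/' are ignored.  A pre-release suffix (0.94rc1) is older
    than the release it precedes, so it is encoded as a trailing -1, which
    sorts before the zero-padded release tuple (0, 94, 0).
    """
    m = _BANNER.match(banner.strip())
    if not m:
        raise ValueError("unrecognised ClamAV banner: %r" % banner)
    parts = tuple(int(p) for p in m.group(1).split("."))
    if m.group(2):
        parts += (-1,)
    return parts


def is_affected(version, fixed=FIXED):
    """True when `version` sorts before `fixed` (zero-padded so 0.94 == 0.94.0)."""
    n = max(len(version), len(fixed))
    return version + (0,) * (n - len(version)) < fixed + (0,) * (n - len(fixed))


def check_installed(clamscan="clamscan"):
    """Query the binary on this host (assumes clamscan is on PATH)."""
    out = subprocess.run([clamscan, "--version"], capture_output=True,
                         text=True, check=True).stdout
    return is_affected(parse_clamav_version(out))


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    for banner in ("ClamAV 0.93.3/8159/Thu Sep  4 15:36:57 2008",
                   "ClamAV 0.94rc1/8159/Thu Sep  4 15:36:57 2008",
                   "ClamAV 0.94/8185/Fri Sep  5 18:04:34 2008"):
        state = "AFFECTED" if is_affected(parse_clamav_version(banner)) else "fixed"
        print("%-48s -> %s" % (banner, state))
```

Run it on the affected host as `python3 check_clamav.py` (or call `check_installed()` from a fleet inventory script); a result of `AFFECTED` means the CHM parser fix is absent regardless of whether freshclam has disabled the module.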
I just committed =app-antivirus/clamav-0.94.
(In reply to comment #6)
> I just committed =app-antivirus/clamav-0.94.

Thanks. Arches, please test and mark stable. Target keywords: "alpha amd64 hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd"
amd64 stable
testsuite fails here (on x86):

Running suite(s): cl_api cli jsnorm str regex disasm unique matchers
100%: Checks: 205, Failures: 0, Errors: 0
PASS: check_clamav
PASS: check_clamd.sh
PASS: check_freshclam.sh
PASS: check_sigtool.sh
PASS: check_clamscan.sh
Running valgrind
*** Valgrind test FAILED, memory LEAKS detected ***
==2518== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 25 from 2)
0 invalid reads
0 invalid writes
0 invalid frees
0 uses of uninitialized values
==2518== definitely lost: 0 bytes in 0 blocks.
==2518== possibly lost: 0 bytes in 0 blocks.
==2518== still reachable: 20 bytes in 1 blocks.
==2518== FILE DESCRIPTORS: 3 open at exit.
FAIL: valgrind_tests.sh
========================================
1 of 6 tests failed
Please report to http://bugs.clamav.net/
========================================
make[2]: *** [check-TESTS] Error 1
make[2]: Leaving directory `/var/tmp/portage/app-antivirus/clamav-0.94/work/clamav-0.94/unit_tests'
make[1]: *** [check-am] Error 2
make[1]: Leaving directory `/var/tmp/portage/app-antivirus/clamav-0.94/work/clamav-0.94/unit_tests'
make: *** [check-recursive] Error 1
 *
 * ERROR: app-antivirus/clamav-0.94 failed.
 * Call stack:
 *   ebuild.sh, line 49: Called src_test
 *   environment, line 2922: Called die
 * The specific snippet of code:
 *   hasq test $FEATURES && die "Make check failed. See above for details.";
 * The die message:
 *   Make check failed. See above for details.
app-antivirus/clamav-0.94 USE="bzip2 crypt iconv nls -mailwrapper -milter (-selinux)"

Portage 2.1.4.4 (default/linux/x86/2008.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.26.3 i686)
=================================================================
System uname: 2.6.26.3 i686 Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz
Timestamp of tree: Fri, 05 Sep 2008 21:00:01 +0000
app-shells/bash: 3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python: 2.5.2-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r2
sys-devel/automake: 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils: 2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/bind /var/lib/hsqldb /var/spool/torque"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
PKGDIR="/mnt/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl acpi alsa apache2 berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups dbus doc dri dvd dvdr dvdread eds emboss encode esd evo examples fam firefox fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog jpeg kde kerberos ldap libnotify mad midi mikmod mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp pam pcre pdf perl png ppds pppd python qt3 qt3support qt4 quicktime readline reflection sdl session source spell spl ssl startup-notification svg sysfs tcpd test tiff truetype unicode usb vorbis win32codecs x86 xml xorg xv zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
USERLAND="GNU"
VIDEO_CARDS="fbdev glint i810 mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
same failure here.

baudequad clamav # emerge --info
Portage 2.1.4.4 (default-linux/ppc/ppc64/2007.0/32bit-userland/desktop/970/pmac, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r3-g5-64 ppc64)
=================================================================
System uname: 2.6.24-gentoo-r3-g5-64 ppc64 PPC970MP, altivec supported
Timestamp of tree: Sat, 06 Sep 2008 12:20:01 +0000
distcc 2.18.3 powerpc-unknown-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
app-shells/bash: 3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python: 2.4.4-r13, 2.5.2-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r2
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils: 2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.23-r3
ACCEPT_KEYWORDS="ppc"
CBUILD="powerpc-unknown-linux-gnu"
CFLAGS="-O2 -pipe -mtune=970 -mcpu=970 -mabi=altivec"
CHOST="powerpc-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe -mtune=970 -mcpu=970 -mabi=altivec"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig cvs digest distlocks metadata-transfer parallel-fetch sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://beavis/ http://butthead http://electra http://gentoo.mirrors.tds.net/gentoo"
LINGUAS="en"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/x11 /usr/portage/local/layman/powerpc"
SYNC="rsync://butthead/gentoo-portage"
USE="X acl alsa altivec arts avahi berkdb cairo cdr cli cracklib crypt ctype cups curl dbus dri dvd dvdr eds emboss encode esd fam firefox fortran ftp gcc64 gdbm gif gnome gpm gstreamer gtk hal iconv imap ipv6 isdnlog jpeg kde kerberos ldap libnotify mad meanwhile midi mikmod mp3 mpeg msn mudflap mysql ncurses nls nptl nptlonly ogg opengl openmp oss pam pcre pdf perl png ppc pppd python qt3 qt3support qt4 quicktime readline reflection samba sdl session sockets spell spl ssl tcpd truetype unicode vorbis xinerama xml xorg xv zlib"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="keyboard evdev mouse"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en"
USERLAND="GNU"
VIDEO_CARDS="nv"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
My alpha stable chroot passed all tests and I marked the ebuild as stable. Valgrind does not work on alpha, so I couldn't see the failing tests before. I will keep an eye on the bug to follow whether the errors on other arches are critical.
Stable for HPPA.
==11476== 32 bytes in 1 blocks are still reachable in loss record 1 of 1
==11476==    at 0x4C2048C: calloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==11476==    by 0x64C939A: (within /lib64/libdl-2.6.1.so)
==11476==    by 0x64C917C: dlvsym (in /lib64/libdl-2.6.1.so)
==11476==    by 0x4E27611: (within /usr/lib64/libsandbox.so.0.0.0)
==11476==    by 0x4E277D9: (within /usr/lib64/libsandbox.so.0.0.0)
==11476==    by 0x4E2A730: (within /usr/lib64/libsandbox.so.0.0.0)
==11476==    by 0x4E2799A: (within /usr/lib64/libsandbox.so.0.0.0)
==11476==    by 0x4E27AD6: (within /usr/lib64/libsandbox.so.0.0.0)
==11476==    by 0x4E27ECE: (within /usr/lib64/libsandbox.so.0.0.0)
==11476==    by 0x4E28D12: (within /usr/lib64/libsandbox.so.0.0.0)
==11476==    by 0x4E2A2A7: fopen (in /usr/lib64/libsandbox.so.0.0.0)
==11476==    by 0x5D6EFFF: srunner_open_lfile (in /usr/lib64/libcheck.so.0.0.0)
==11476==
==11476== LEAK SUMMARY:
==11476==    definitely lost: 0 bytes in 0 blocks.
==11476==    possibly lost: 0 bytes in 0 blocks.
==11476==    still reachable: 32 bytes in 1 blocks.
==11476==         suppressed: 0 bytes in 0 blocks.

The test failure is compile-time only, i.e. when running within sandbox (FEATURES="sandbox"). Otherwise tests pass. Therefore it should be safe to ignore this test failure.
x86 stable
sparc stable
ia64 stable
ppc and ppc64 done
Ready for vote, I vote YES.
CVE-2008-1389 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1389):
libclamav/chmunpack.c in the chm-parser in ClamAV before 0.94 allows remote attackers to cause a denial of service (application crash) via a malformed CHM file, related to an "invalid memory access."

CVE-2008-3912 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3912):
libclamav in ClamAV before 0.94 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to an out-of-memory condition.

CVE-2008-3913 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3913):
Multiple memory leaks in freshclam/manager.c in ClamAV before 0.94 might allow attackers to cause a denial of service (memory consumption) via unspecified vectors related to the "error path."

CVE-2008-3914 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3914):
Multiple unspecified vulnerabilities in ClamAV before 0.94 have unknown impact and attack vectors related to file descriptor leaks on the "error path" in (1) libclamav/others.c and (2) libclamav/sis.c.
yes too, request filed.
GLSA 200809-18