Bug 236665 (CVE-2008-1389) - app-antivirus/clamav < 0.94 Multiple DoS issues (CVE-2008-{1389,3912,3913,3914})
Summary: app-antivirus/clamav < 0.94 Multiple DoS issues (CVE-2008-{1389,3912,3913,3914})
Status: RESOLVED FIXED
Alias: CVE-2008-1389
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: All
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/31725/
Whiteboard: B3 [glsa]
Keywords:
Depends on: 236838
Blocks:
Reported: 2008-09-04 08:51 UTC by Stefan Behte (RETIRED)
Modified: 2008-09-25 21:37 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Description Stefan Behte (RETIRED) gentoo-dev Security 2008-09-04 08:51:05 UTC
We need 0.94 in the tree!

A vulnerability has been reported in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in libclamav/chmunpack.c when processing malformed CHM files. This can be exploited to cause an invalid memory access via a specially crafted CHM file.

The vulnerability is reported in versions prior to 0.94. Other versions may also be affected.

Note: Various other issues, where some may be security related, were also fixed.

Sources:
http://secunia.com/advisories/31725/
http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog
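The advisory text above describes CVE-2008-1389 only as an invalid memory access in libclamav/chmunpack.c on a malformed CHM file. As an added illustration of that bug class, which is not ClamAV's code and does not use the real CHM layout, here is a small reader for a hypothetical length-prefixed name table, in the unchecked shape beside the bounded one. The record layout, the function names and the sample byte strings are all invented for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Invented layout: u16 little-endian entry count, then for each entry one
 * u8 name length followed by that many name bytes. */

/* Unchecked reader: it trusts the count and every name length, so a crafted
 * input walks it past the end of buf, which is the "invalid memory access"
 * shape. Shown only for contrast; never call it on untrusted data. */
static int parse_name_table_unchecked(const uint8_t *buf)
{
    size_t pos = 2;
    unsigned count = buf[0] | (buf[1] << 8);
    for (unsigned i = 0; i < count; i++) {
        size_t name_len = buf[pos++];
        pos += name_len;                 /* no check that these bytes exist */
    }
    return (int)count;
}

/* Bounded reader: each field is checked against the bytes actually present
 * before it is read or skipped. Returns the entry count, or -1 when the
 * table is truncated or a declared length overruns the buffer. */
static int parse_name_table(const uint8_t *buf, size_t len)
{
    if (len < 2)
        return -1;                       /* header itself is truncated */
    unsigned count = buf[0] | (buf[1] << 8);
    size_t pos = 2;
    for (unsigned i = 0; i < count; i++) {
        if (pos >= len)
            return -1;                   /* length byte missing: truncated */
        size_t name_len = buf[pos++];
        if (name_len > len - pos)
            return -1;                   /* declared length overruns the buffer */
        pos += name_len;
    }
    return (int)count;
}

/* Constructed samples (not real CHM data). */
static const uint8_t good_table[]      = { 2, 0, 3, 'a', 'b', 'c', 1, 'x' };
static const uint8_t overlong_table[]  = { 1, 0, 200, 'a' };       /* claims 200 name bytes, has 1 */
static const uint8_t overcount_table[] = { 0xff, 0xff, 1, 'a' };   /* claims 65535 entries */
```

The bounded version never decides how far to read from a value the file supplied without first comparing it to the bytes it actually has; that comparison, repeated for every length field, is the whole difference between the two functions.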
Comment 1 Hanno Böck gentoo-dev 2008-09-04 14:48:48 UTC
I was the guy finding this vuln.

It isn't that critical, the vulnerable module has been remotely disabled on 0.93 installations.
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2008-09-04 14:58:36 UTC
Regular update, then.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2008-09-04 18:08:55 UTC
Remotely disabled?! I do not understand how you mean that.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2008-09-04 18:28:35 UTC
Sorry for the Bugspam, I found this:

"The clamav team has disabled the chm module in older versions through freshclam updates and has released 0.94 with a fixed parser."
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-04 18:44:51 UTC
(In reply to comment #2)
> Regular update, then.
> 

I don't quite agree. Although the module has been disabled, the vulnerability still exists (it even has a CVE!) and, as far as I can tell, users who don't use freshclam may still be affected. So assigning to security.
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2008-09-05 19:44:21 UTC
I just committed =app-antivirus/clamav-0.94.
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-05 20:36:24 UTC
(In reply to comment #6)
> I just committed =app-antivirus/clamav-0.94.
> 

Thanks. Arches, please test and mark stable. Target keywords: "alpha amd64 hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd"
Comment 8 Richard Freeman gentoo-dev 2008-09-06 11:54:03 UTC
amd64 stable
Comment 9 Markus Meier gentoo-dev 2008-09-06 12:32:18 UTC
testsuite fails here (on x86):
Running suite(s): cl_api
 cli
 jsnorm
 str
 regex
 disasm
 unique
 matchers
100%: Checks: 205, Failures: 0, Errors: 0
PASS: check_clamav
PASS: check_clamd.sh
PASS: check_freshclam.sh
PASS: check_sigtool.sh
PASS: check_clamscan.sh
Running valgrind
*** Valgrind test FAILED, memory LEAKS detected ***

==2518== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 25 from 2)
0 invalid reads
0 invalid writes
0 invalid frees
0 uses of uninitialized values
==2518==    definitely lost: 0 bytes in 0 blocks.
==2518==      possibly lost: 0 bytes in 0 blocks.
==2518==    still reachable: 20 bytes in 1 blocks.
==2518== FILE DESCRIPTORS: 3 open at exit.

FAIL: valgrind_tests.sh
========================================
1 of 6 tests failed
Please report to http://bugs.clamav.net/
========================================
make[2]: *** [check-TESTS] Error 1
make[2]: Leaving directory `/var/tmp/portage/app-antivirus/clamav-0.94/work/clamav-0.94/unit_tests'
make[1]: *** [check-am] Error 2
make[1]: Leaving directory `/var/tmp/portage/app-antivirus/clamav-0.94/work/clamav-0.94/unit_tests'
make: *** [check-recursive] Error 1
 * 
 * ERROR: app-antivirus/clamav-0.94 failed.
 * Call stack:
 *               ebuild.sh, line   49:  Called src_test
 *             environment, line 2922:  Called die
 * The specific snippet of code:
 *               hasq test $FEATURES && die "Make check failed. See above for details.";
 *  The die message:
 *   Make check failed. See above for details.

app-antivirus/clamav-0.94 USE="bzip2 crypt iconv nls -mailwrapper -milter (-selinux)"

Portage 2.1.4.4 (default/linux/x86/2008.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.26.3 i686)
=================================================================
System uname: 2.6.26.3 i686 Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz
Timestamp of tree: Fri, 05 Sep 2008 21:00:01 +0000
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.5.2-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/bind /var/lib/hsqldb /var/spool/torque"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
PKGDIR="/mnt/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl acpi alsa apache2 berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups dbus doc dri dvd dvdr dvdread eds emboss encode esd evo examples fam firefox fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog jpeg kde kerberos ldap libnotify mad midi mikmod mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp pam pcre pdf perl png ppds pppd python qt3 qt3support qt4 quicktime readline reflection sdl session source spell spl ssl startup-notification svg sysfs tcpd test tiff truetype unicode usb vorbis win32codecs x86 xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev glint i810 mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 10 Brent Baude (RETIRED) gentoo-dev 2008-09-06 13:09:36 UTC
same failure here.


baudequad clamav # emerge --info
Portage 2.1.4.4 (default-linux/ppc/ppc64/2007.0/32bit-userland/desktop/970/pmac, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r3-g5-64 ppc64)
=================================================================
System uname: 2.6.24-gentoo-r3-g5-64 ppc64 PPC970MP, altivec supported
Timestamp of tree: Sat, 06 Sep 2008 12:20:01 +0000
distcc 2.18.3 powerpc-unknown-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.4.4-r13, 2.5.2-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="ppc"
CBUILD="powerpc-unknown-linux-gnu"
CFLAGS="-O2 -pipe -mtune=970 -mcpu=970 -mabi=altivec"
CHOST="powerpc-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe -mtune=970 -mcpu=970 -mabi=altivec"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig cvs digest distlocks metadata-transfer parallel-fetch sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://beavis/ http://butthead http://electra http://gentoo.mirrors.tds.net/gentoo"
LINGUAS="en"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/x11 /usr/portage/local/layman/powerpc"
SYNC="rsync://butthead/gentoo-portage"
USE="X acl alsa altivec arts avahi berkdb cairo cdr cli cracklib crypt ctype cups curl dbus dri dvd dvdr eds emboss encode esd fam firefox fortran ftp gcc64 gdbm gif gnome gpm gstreamer gtk hal iconv imap ipv6 isdnlog jpeg kde kerberos ldap libnotify mad meanwhile midi mikmod mp3 mpeg msn mudflap mysql ncurses nls nptl nptlonly ogg opengl openmp oss pam pcre pdf perl png ppc pppd python qt3 qt3support qt4 quicktime readline reflection samba sdl session sockets spell spl ssl tcpd truetype unicode vorbis xinerama xml xorg xv zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard evdev mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="nv"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 11 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2008-09-06 14:44:41 UTC
My alpha stable chroot passed all tests and I marked the ebuild as stable.

Valgrind does not work on alpha, so I couldn't see the failing tests before. I will keep an eye on the bug to follow if the errors in other arches are critical.
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2008-09-06 15:25:14 UTC
Stable for HPPA.
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2008-09-06 19:56:16 UTC
==11476== 32 bytes in 1 blocks are still reachable in loss record 1 of 1
==11476==    at 0x4C2048C: calloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==11476==    by 0x64C939A: (within /lib64/libdl-2.6.1.so)
==11476==    by 0x64C917C: dlvsym (in /lib64/libdl-2.6.1.so)
==11476==    by 0x4E27611: (within /usr/lib64/libsandbox.so.0.0.0)
==11476==    by 0x4E277D9: (within /usr/lib64/libsandbox.so.0.0.0)
==11476==    by 0x4E2A730: (within /usr/lib64/libsandbox.so.0.0.0)
==11476==    by 0x4E2799A: (within /usr/lib64/libsandbox.so.0.0.0)
==11476==    by 0x4E27AD6: (within /usr/lib64/libsandbox.so.0.0.0)
==11476==    by 0x4E27ECE: (within /usr/lib64/libsandbox.so.0.0.0)
==11476==    by 0x4E28D12: (within /usr/lib64/libsandbox.so.0.0.0)
==11476==    by 0x4E2A2A7: fopen (in /usr/lib64/libsandbox.so.0.0.0)
==11476==    by 0x5D6EFFF: srunner_open_lfile (in /usr/lib64/libcheck.so.0.0.0)
==11476== 
==11476== LEAK SUMMARY:
==11476==    definitely lost: 0 bytes in 0 blocks.
==11476==      possibly lost: 0 bytes in 0 blocks.
==11476==    still reachable: 32 bytes in 1 blocks.
==11476==         suppressed: 0 bytes in 0 blocks.

The test failure is compile-time only, i.e. when running within sandbox (FEATURES="sandbox"). Otherwise tests pass. Therefore it should be safe to ignore this test failure.
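The stack in comment 13 shows where the reachable block comes from: calloc inside libdl, called by dlvsym from libsandbox's preloaded fopen wrapper, when the check harness opens its log file. That is sandbox state, not a ClamAV leak. For anyone who would rather keep FEATURES="test" with the sandbox enabled than ignore the failure, a memcheck suppression matching those frames is one way to have valgrind discount that record. This is an added example, not something from the bug or the ebuild; the suppression name is invented, and the page does not show how unit_tests/valgrind_tests.sh invokes valgrind, so whether it passes a suppression file through is unknown.

```text
{
   gentoo-sandbox-dlvsym-still-reachable
   Memcheck:Leak
   fun:calloc
   obj:*/libdl-*.so
   fun:dlvsym
   obj:*/libsandbox.so*
}
```

Save it under a name of your choosing and export VALGRIND_OPTS=--suppressions=/path/to/that/file before running the tests; valgrind reads that variable itself, so the test script does not need to know about it. The frames are listed innermost first, as in the valgrind output, and the obj: wildcards avoid pinning the rule to the libdl and libsandbox versions on that one machine.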
Comment 14 Markus Meier gentoo-dev 2008-09-07 13:12:35 UTC
x86 stable
Comment 15 Friedrich Oslage (RETIRED) gentoo-dev 2008-09-07 13:31:06 UTC
sparc stable
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2008-09-08 16:47:51 UTC
ia64 stable
Comment 17 Brent Baude (RETIRED) gentoo-dev 2008-09-08 16:57:50 UTC
ppc and ppc64 done
Comment 18 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-11 17:36:15 UTC
Ready for vote, I vote YES.
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2008-09-12 12:56:18 UTC
CVE-2008-1389 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1389):
  libclamav/chmunpack.c in the chm-parser in ClamAV before 0.94 allows
  remote attackers to cause a denial of service (application crash) via
  a malformed CHM file, related to an "invalid memory access."

CVE-2008-3912 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3912):
  libclamav in ClamAV before 0.94 allows attackers to cause a denial of
  service (NULL pointer dereference and application crash) via vectors
  related to an out-of-memory condition.

CVE-2008-3913 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3913):
  Multiple memory leaks in freshclam/manager.c in ClamAV before 0.94
  might allow attackers to cause a denial of service (memory
  consumption) via unspecified vectors related to the "error path."

CVE-2008-3914 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3914):
  Multiple unspecified vulnerabilities in ClamAV before 0.94 have
  unknown impact and attack vectors related to file descriptor leaks on
  the "error path" in (1) libclamav/others.c and (2) libclamav/sis.c.
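Three of the four entries above (CVE-2008-3912, -3913 and -3914) are the same defect family: an error path that either dereferences the NULL an allocator returned under memory pressure or returns without releasing a descriptor or buffer. As an added example, not ClamAV's code and not taken from freshclam/manager.c, others.c or sis.c, here is a hypothetical scanner helper in its leaky shape beside a single-exit version, with an invented fault-injection switch so the out-of-memory case can be reproduced offline. The marker-byte check, the sample file content and all names are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical fault-injection switch: when set, the next allocation fails,
 * which reproduces an out-of-memory condition deterministically. */
static int fail_next_alloc = 0;

/* Leak accounting so a caller can see what each variant leaves behind. */
static int live_fds = 0, live_blocks = 0;

static int tracked_open(const char *path) { int fd = open(path, O_RDONLY); if (fd >= 0) live_fds++; return fd; }
static void tracked_close(int fd) { close(fd); live_fds--; }
static void tracked_free(void *p) { if (p) { free(p); live_blocks--; } }
static void *tracked_alloc(size_t n)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    void *p = malloc(n);
    if (p) live_blocks++;
    return p;
}

/* "Before" shape: returns 1 if an 'X' marker is in the first bufsize bytes,
 * 0 if not, -1 on error. Each early return on the error path drops something. */
static int scan_leaky(const char *path, size_t bufsize)
{
    int fd = tracked_open(path);
    if (fd < 0) return -1;
    char *buf = tracked_alloc(bufsize);
    if (!buf) return -1;      /* fd leaks; omitting this check entirely is the 3912 shape */
    ssize_t n = read(fd, buf, bufsize);
    if (n < 0) return -1;     /* fd and buf both leak: the 3913/3914 shape */
    int found = memchr(buf, 'X', (size_t)n) != NULL;
    tracked_close(fd);
    tracked_free(buf);
    return found;
}

/* "After" shape: the NULL check stays and one exit path releases whatever
 * was acquired, so no error branch can forget a resource. */
static int scan_fixed(const char *path, size_t bufsize)
{
    int ret = -1;
    char *buf = NULL;
    ssize_t n;
    int fd = tracked_open(path);
    if (fd < 0) return -1;
    buf = tracked_alloc(bufsize);
    if (!buf) goto out;
    n = read(fd, buf, bufsize);
    if (n < 0) goto out;
    ret = memchr(buf, 'X', (size_t)n) != NULL;
out:
    tracked_free(buf);
    tracked_close(fd);
    return ret;
}

/* Runs one variant, optionally under an injected OOM, and returns how many
 * descriptors plus heap blocks it left behind. */
static int leaked_after(int (*scan)(const char *, size_t), const char *path, int inject_oom)
{
    live_fds = 0;
    live_blocks = 0;
    fail_next_alloc = inject_oom;
    scan(path, 64);
    fail_next_alloc = 0;
    return live_fds + live_blocks;
}

/* Writes a constructed sample file once (arbitrary bytes with one 'X', not a
 * real file format) and returns its path, or NULL if it cannot be created. */
static const char *sample_path(void)
{
    static char path[] = "/tmp/errpath-sample-XXXXXX";
    static int created = 0;
    if (!created) {
        static const char content[] = "MZ....X....";
        int fd = mkstemp(path);
        if (fd < 0 || write(fd, content, sizeof content - 1) != (ssize_t)(sizeof content - 1))
            return NULL;
        close(fd);
        created = 1;
    }
    return path;
}

int main(void)
{
    const char *sample = sample_path();
    if (!sample) return 1;
    printf("OOM injected: leaky leaves %d, fixed leaves %d\n", leaked_after(scan_leaky, sample, 1), leaked_after(scan_fixed, sample, 1));
    printf("read() error: leaky leaves %d, fixed leaves %d\n", leaked_after(scan_leaky, "/", 0), leaked_after(scan_fixed, "/", 0));
    printf("normal scan:  found=%d\n", scan_fixed(sample, 64));
    unlink(sample);
    return 0;
}
```

Reading "/" is used to force a read() failure (the kernel rejects reading a directory), and the injected allocation failure stands in for the out-of-memory condition named in CVE-2008-3912. The count of leaked resources is what a reviewer should be able to drive to zero for every error branch of a parser that handles attacker-supplied files; the single cleanup label is the cheapest way to make that property hold by construction.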
Comment 20 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-18 21:57:51 UTC
yes too, request filed.
Comment 21 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-25 21:37:08 UTC
GLSA 200809-18