Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 265545 (CVE-2009-1371) - <app-antivirus/clamav-0.95.1: stack smash attack and crash with malformed upack file (CVE-2009-{1371,1372}
Summary: <app-antivirus/clamav-0.95.1: stack smash attack and crash with malformed upa...
Status: RESOLVED FIXED
Alias: CVE-2009-1371
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
: CVE-2009-1372 (view as bug list)
Depends on: 264836 264842 264852
Blocks: CVE-2009-1241
  Show dependency tree
 
Reported: 2009-04-09 12:44 UTC by Hanno Böck
Modified: 2009-09-09 13:32 UTC (History)
9 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Alan Hourihane 2009-04-16 08:05:30 UTC
we should ask for stabilization of 0.95.1
Comment 2 Hanno Böck gentoo-dev 2009-04-16 08:21:13 UTC
cc-ing archs.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-16 08:40:19 UTC
setting whiteboard
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-04-16 08:41:52 UTC
did maintainers agree to stabling?
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-16 08:50:18 UTC
(In reply to comment #4)
> did maintainers agree to stabling?
> 

I asked on bug 264834 already for 0.95, but didn't get an answer.
Bottom line, bug 264820 and bug 264836 might block stabling.
Comment 6 Thomas Raschbacher gentoo-dev 2009-04-16 13:00:11 UTC
as far as I'm concerned it can be marked stable, but what about the bugs which block 0.95* .. do we wait for them or not?
Comment 7 Thomas Raschbacher gentoo-dev 2009-04-16 13:06:25 UTC
adding blockers .. duno if we should just push this one to stable first anyway or not .. your call security@g.o ;)
Comment 8 Torsten Veller (RETIRED) gentoo-dev 2009-04-16 13:34:48 UTC
(In reply to comment #6)
> as far as I'm concerned it can be marked stable, but what about the bugs which
> block 0.95* .. do we wait for them or not?

bug 264836 :
Nothing in the tree depends on dev-perl/ClamAV. It is broken after each clamav bump. So i guess every user knows that it is broken most of time.

bug 264842 :
Nothing depends on dev-python/pyclamav.
Comment 9 Thomas Raschbacher gentoo-dev 2009-04-16 14:42:19 UTC
then in that case i did fix the only real blocker just now by sorting uclibc problem out .. :D
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2009-04-16 16:09:59 UTC
Stable for HPPA.
Comment 11 Markus Meier gentoo-dev 2009-04-18 10:58:16 UTC
this will also break klamav

i686-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I/usr/kde/3.5/include -I/usr/qt/3/include -I.  -I/usr/kde/3.5/include  -DQT_THREAD_SUPPORT  -D_REENTRANT  -DNDEBUG -O2  -O2 -march=i686 -pipe -c options.c
clamdmail.c: In function 'clamdscan':
clamdmail.c:99: error: storage size of 'limits' isn't known
clamdmail.c:164: error: 'CL_EIO' undeclared (first use in this function)
clamdmail.c:164: error: (Each undeclared identifier is reported only once
clamdmail.c:164: error: for each function it appears in.)
clamdmail.c:183: warning: passing argument 2 of 'cl_load' from incompatible pointer type
clamdmail.c:204: error: invalid application of 'sizeof' to incomplete type 'struct cl_limits' 
clamdmail.c:214: error: 'CL_ARCHIVE' undeclared (first use in this function)
clamdmail.c:214: error: 'CL_MAIL' undeclared (first use in this function)
clamdmail.c:214: error: 'CL_OLE2' undeclared (first use in this function)
clamdmail.c:214: error: too many arguments to function 'cl_scandesc'
make[3]: *** [clamdmail.o] Error 1
make[3]: *** Waiting for unfinished jobs....
make[3]: Leaving directory `/var/tmp/portage/app-antivirus/klamav-0.44/work/klamav-0.44-source/klamav-0.44/src/klammail'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/var/tmp/portage/app-antivirus/klamav-0.44/work/klamav-0.44-source/klamav-0.44/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/var/tmp/portage/app-antivirus/klamav-0.44/work/klamav-0.44-source/klamav-0.44'
make: *** [all] Error 2
Comment 12 Roland Ramthun 2009-04-21 11:33:32 UTC
Hi, what is the state of this bug?

The current stable version of ClamAV is vulnerable to DOS (see #264834) and possibly executes code via a buffer overflow (this bug, http://www.vupen.com/english/advisories/2009/0985 classified this as critical).

The only blocker for stabilization seems to be #264952, but should be a logging problem only (cf. Comment  #8).
Comment 13 Thomas Raschbacher gentoo-dev 2009-04-22 06:23:18 UTC
As far as i'm concerned the clamav-milter bug is not reallz a blocker and can be ignored as far as this security bump goes.
Comment 14 Tobias Klausmann (RETIRED) gentoo-dev 2009-04-22 17:29:47 UTC
Stable on alpha.
Comment 15 Brent Baude (RETIRED) gentoo-dev 2009-04-23 14:34:43 UTC
Where are we here.  What about the problem cited in comment #11.  If we want to proceed, can someone put a definitive stabilize foo-x.y.z in here.
Comment 16 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-23 16:48:44 UTC
*** Bug 267246 has been marked as a duplicate of this bug. ***
Comment 17 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-23 16:49:09 UTC
CVE-2009-1371 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1371):
  The CLI_ISCONTAINED macro in libclamav/others.h in ClamAV before
  0.95.1 allows remote attackers to cause a denial of service
  (application crash) via a malformed file with UPack encoding.

Comment 18 Richard Freeman gentoo-dev 2009-05-16 11:32:02 UTC
Considering that it wouldn't be an uncommon scenario to pipe all incoming mail through clamav, and this is a remote execution vulnerability, this seems like something that should be resolved immediately.

What is the opinion of the maintainer on comment 11?  Is it ok to stabilize this?
Comment 19 Tobias Scherbaum (RETIRED) gentoo-dev 2009-05-17 08:16:05 UTC
There we go, all packages depending on clamav should be ready for 0.95 now (took the liberty to fix pyclamav *cough*). (also cc'ing maintainers of depending packages, please speak up soonish if one of the listed packages isn't ready to be stabilized *now*)

Therefore we need to stabilize:

=app-antivirus/clamav-0.95.1 itself.

plus for amd64 sparc ia64 x86:

=dev-perl/Mail-ClamAV-0.29

and for ppc amd64 ppc64 sparc x86:

=app-antivirus/klamav-0.46

and for x86 only:

=dev-python/pyclamav-0.4.1-r1
Comment 20 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2009-05-17 15:40:19 UTC
As Tobias listed in the above comment, klamav was bumped on bug 264887 to 0.4.6 which supports clamav-0.95.1.
Comment 21 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-18 15:46:47 UTC
x86 stable
Comment 22 Brent Baude (RETIRED) gentoo-dev 2009-05-18 19:44:51 UTC
ppc64 done
Comment 23 Brent Baude (RETIRED) gentoo-dev 2009-05-18 19:44:58 UTC
ppc done
Comment 24 Raúl Porcel (RETIRED) gentoo-dev 2009-05-21 18:19:22 UTC
ia64/sparc stable
Comment 25 Markus Meier gentoo-dev 2009-05-23 10:27:26 UTC
amd64 stable, all arches done.
Comment 26 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-01 22:31:24 UTC
All arches done, ready for vote. I vote YES.
Comment 27 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 21:51:12 UTC
Yes, too. Someone already filed a request. ;)
Comment 28 Alan Hourihane 2009-09-07 15:20:46 UTC
Shouldn't this be closed now ??
Comment 29 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-09 13:32:04 UTC
GLSA 200903-04
Comment 30 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-09 13:32:57 UTC
err, GLSA 200909-04