Bug 354019 (CVE-2011-1003) - <app-antivirus/clamav-0.97: double-free vulnerability (CVE-2011-1003)
Summary: <app-antivirus/clamav-0.97: double-free vulnerability (CVE-2011-1003)
Status: RESOLVED FIXED
Alias: CVE-2011-1003
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: High major
Assignee: Gentoo Security
URL: http://git.clamav.net/gitweb?p=clamav...
Whiteboard: B1 [glsa]
Duplicates: 355421
Reported: 2011-02-07 20:44 UTC by Marcin Mirosław
Modified: 2011-10-23 14:59 UTC (History)
Attachments
clamav-0.97.ebuild (clamav-0.97.ebuild,3.63 KB, text/plain)
2011-02-19 16:03 UTC, Bernd Lommerzheim
clamav-0.97-nls.patch (clamav-0.97-nls.patch,240 bytes, patch)
2011-02-19 16:03 UTC, Bernd Lommerzheim
Description Marcin Mirosław 2011-02-07 20:44:13 UTC
There is new version.

Reproducible: Always
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2011-02-18 13:45:22 UTC
*** Bug 355421 has been marked as a duplicate of this bug. ***
Comment 2 Bernd Lommerzheim 2011-02-19 16:02:23 UTC
In the last days I worked on the ClamAV ebuild in my local overlay and I hope that these changes help to improve the ebuild in the portage tree. I will attach my clamav-0.97.ebuild (and a clamav-0.97-nls.patch) which has the following modifications:

* Do not install signatures anymore. This modification resolves problems while upgrading and reinstalling ClamAV. After upgrading from an older ebuild or installing a fresh install you have to manually download the newest signatures with /usr/bin/freshclam. Fixes Gentoo Bugs #336842 and #345965.
* Update ebuild to EAPI 4.
* Simplify ebuild for release candidates.
* Fix zlib dependency.
* Remove 'system set' dependencies for sys-apps/sed and sys-apps/grep. Mentioned in Gentoo Bug #345965.
* Remove unneeded 'ht_fix_file configure'.
* Install all bundled documentation.
* Remove old warning.
* Some stylistic changes.
Comment 3 Bernd Lommerzheim 2011-02-19 16:03:21 UTC
Created attachment 263047
clamav-0.97.ebuild
Comment 4 Bernd Lommerzheim 2011-02-19 16:03:42 UTC
Created attachment 263049
clamav-0.97-nls.patch
Comment 5 Giampaolo Tomassoni 2011-02-19 18:48:47 UTC
It is good to know something is eventually moving around the app-antivirus/clamav package. I would like to applaud Bernd's efforts with respect to this.

Hope this will result in a prompt availability of the 0.97 version to Gentoo users!
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-21 18:07:50 UTC
It may be a security issue according to http://comments.gmane.org/gmane.comp.security.oss.general/4227

Maintainers, please do the version bump.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-02-22 04:32:54 UTC
CVE-2011-1003 assigned per http://www.openwall.com/lists/oss-security/2011/02/21/4.
Comment 8 Tim Harder gentoo-dev 2011-02-22 10:24:07 UTC
In CVS.
Comment 9 Ylosar Goer 2011-02-22 12:12:02 UTC
Current stable portage (2.1.9.25) does not support EAPI4, does it mean that we have to install unstable portage (and deps) to get the "possible" security fix in latest clamav?

# emerge -va1 =app-antivirus/clamav-0.97
!!! One of the following masked packages is required to complete your request:
- app-antivirus/clamav-0.97 (masked by: EAPI 4)
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-22 13:16:30 UTC
That is of course unacceptable. Please provide an ebuild that is installable on stable gentoo.
Comment 11 Tim Harder gentoo-dev 2011-02-22 16:06:11 UTC
(In reply to comment #10)
> That is of course unacceptable. Please provide an ebuild that is installable on
> stable gentoo.

Oops, sorry. I thought about that but it slipped my mind when committing the ebuild changes.

I reverted the ebuild in CVS back to EAPI 2 like the rest of the clamav ebuilds.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-22 22:18:10 UTC
Thanks! :)
Comment 13 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-24 07:17:33 UTC
Secunia confirms the vulnerability: http://secunia.com/advisories/43392

Arches, please stabilize =app-antivirus/clamav-0.97
Comment 14 Agostino Sarubbo gentoo-dev 2011-02-24 12:13:39 UTC
works on amd64
Comment 15 Andreas Schürch gentoo-dev 2011-02-25 09:01:29 UTC
Tested on x86 also, looks good here!
Comment 16 Alex Buell 2011-02-25 09:56:40 UTC
Tested on SPARC, looks fine. clamscan works well. 
Comment 17 Jeroen Roovers (RETIRED) gentoo-dev 2011-02-25 17:04:01 UTC
(In reply to comment #16)
> Tested on SPARC, looks fine. clamscan works well. 

Thanks. Stable for HPPA SPARC.
Comment 18 Brent Baude (RETIRED) gentoo-dev 2011-02-25 20:13:14 UTC
ppc done
Comment 19 Agostino Sarubbo gentoo-dev 2011-02-25 22:29:55 UTC
(In reply to comment #18)
> ppc done
> 

You forgot to remove ppc from CC list :)
Comment 20 Markos Chandras (RETIRED) gentoo-dev 2011-02-26 09:32:34 UTC
amd64 done. Thanks Agostino
Comment 21 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-02-26 09:47:10 UTC
ppc64 stable
Comment 22 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-26 11:42:30 UTC
x86 stable
Comment 23 Tobias Klausmann gentoo-dev 2011-02-26 20:03:55 UTC
Stable on alpha.
Comment 24 Raúl Porcel (RETIRED) gentoo-dev 2011-03-06 17:56:19 UTC
ia64 stable
Comment 25 Tim Sammut (RETIRED) gentoo-dev 2011-03-06 19:37:42 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 26 Marcin Mirosław 2011-03-07 08:53:12 UTC
Thanks for new version.
Comment 27 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 20:03:37 UTC
CVE-2011-1003 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1003):
  Double free vulnerability in the vba_read_project_strings function in
  vba_extract.c in libclamav in ClamAV before 0.97 might allow remote
  attackers to execute arbitrary code via crafted Visual Basic for
  Applications (VBA) data in a Microsoft Office document.  NOTE: some of these
  details are obtained from third party information.
Comment 28 Tim Sammut (RETIRED) gentoo-dev 2011-10-14 23:51:22 UTC
Rerating B1 since clamav often runs in automated systems where it simply scans all email processed, i.e. no user action is required to be exploited.
Comment 29 GLSAMaker/CVETool Bot gentoo-dev 2011-10-23 14:59:25 UTC
This issue was resolved and addressed in
 GLSA 201110-20 at http://security.gentoo.org/glsa/glsa-201110-20.xml
by GLSA coordinator Tim Sammut (underling).