Bug 387521 - <app-antivirus/clamav-0.97.3: recursion level crash (CVE-2011-3627)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Reported: 2011-10-18 10:37 UTC by Hanno Böck
Modified: 2011-11-18 06:19 UTC
Description Hanno Böck gentoo-dev 2011-10-18 10:37:29 UTC
Sadly, clamav hasn't issued security advisories for a long time.

According to ChangeLog, this sounds like a security issue:
 * libclamav/bytecode.c,bytecode_api.c: fix recursion level crash (bb #3706).

Upstream bug is invisible to the public. I'll request a CVE on oss-security.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-10-18 14:48:13 UTC
Thanks, Hanno.

@net-mail or @antivirus, 0.97.3 is already in the tree. Ok to stabilize it?
Comment 2 Tim Harder gentoo-dev 2011-10-18 16:47:32 UTC
(In reply to comment #1)
> Thanks, Hanno.
> 
> @net-mail or @antivirus, 0.97.3 is already in the tree. Ok to stabilize it?

Yes, arches go ahead.
Comment 3 Agostino Sarubbo gentoo-dev 2011-10-18 17:00:12 UTC
Arches, please test and mark stable:

=app-antivirus/clamav-0.97.3
target KEYWORDS : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2011-10-18 22:38:41 UTC
looks perfect on a server, amd64 ok
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2011-10-19 09:21:20 UTC
Stable for HPPA.
Comment 6 Ian Delaney (RETIRED) gentoo-dev 2011-10-19 10:45:43 UTC
amd64:

all ok
Comment 7 Tony Vroon gentoo-dev 2011-10-19 11:06:24 UTC
+  19 Oct 2011; Tony Vroon <chainsaw@gentoo.org> clamav-0.97.3.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #387521.
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-22 07:18:52 UTC
x86 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-10-22 11:57:20 UTC
alpha/ia64/sparc stable
Comment 10 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-10-22 19:08:10 UTC
We'll need a TOC workaround[1] for ppc64 before stabilizing; are you OK if I add it?
I'm pretty sure it wasn't needed before :/

[1] use ppc64 && append-flags -mminimal-toc
Comment 11 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-10-23 08:24:34 UTC
ppc/ppc64 stable, last arch done
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-10-23 14:34:33 UTC
Thanks, everyone. Added to pending GLSA request.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-10-23 14:59:36 UTC
This issue was resolved and addressed in
 GLSA 201110-20 at http://security.gentoo.org/glsa/glsa-201110-20.xml
by GLSA coordinator Tim Sammut (underling).
Comment 14 Nick Bowler 2011-10-24 02:28:16 UTC
The posted GLSA (http://www.gentoo.org/security/en/glsa/glsa-201110-20.xml)
says:

  Vulnerable version: < 0.97.3
  [...]
  NOTE: This is a legacy GLSA. Updates for all affected architectures are
  available since August 27, 2011. It is likely that your system is already no
  longer affected by this issue. 

Since 0.97.3 was added to the tree only 5 days ago, it seems impossible that
any updates were available on August 27, 2011.
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2011-10-24 15:46:52 UTC
(In reply to comment #14)
> The posted GLSA (http://www.gentoo.org/security/en/glsa/glsa-201110-20.xml)
> says:
> 
>   Vulnerable version: < 0.97.3
>   [...]
>   NOTE: This is a legacy GLSA. Updates for all affected architectures are
>   available since August 27, 2011. It is likely that your system is already no
>   longer affected by this issue. 
> 
> Since 0.97.3 was added to the tree only 5 days ago, it seems impossible that
> any updates were available on August 27, 2011.

Thanks for letting me know, Nick. I have corrected the advisory and it should show up online shortly.

http://www.gentoo.org/security/en/glsa/glsa-201110-20.xml
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2011-11-18 06:19:20 UTC
CVE-2011-3627 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3627):
  The bytecode engine in ClamAV before 0.97.3 allows remote attackers to cause
  a denial of service (crash) via vectors related to "recursion level" and (1)
  libclamav/bytecode.c and (2) libclamav/bytecode_api.c.