Bug 628194 - <app-antivirus/clamav-0.101.0: multiple vulnerabilities through embedded/forked UnRAR version (CVE-2017-{12940,12941,12942})
Summary: <app-antivirus/clamav-0.101.0: multiple vulnerabilities through embedded/fork...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-12940, CVE-2017-12941, CVE-2017-12942
Reported: 2017-08-18 15:07 UTC by GLSAMaker/CVETool Bot
Modified: 2020-06-13 18:39 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2017-08-18 15:07:55 UTC
CVE-2017-12940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12940):
  libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the
  EncodeFileName::Decode call within the Archive::ReadHeader15 function.

CVE-2017-12941 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12941):
  libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the
  Unpack::Unpack20 function.

CVE-2017-12942 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12942):
  libunrar.a in UnRAR before 5.5.7 has a buffer overflow in the Unpack::LongLZ
  function.
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-08-18 15:09:46 UTC
Please see the tracker bug 628178 for more details.

It isn't clear at the moment if ClamAV's own libunrar is affected or not.
Comment 2 Thomas Raschbacher gentoo-dev 2018-07-12 05:42:19 UTC
good question ..

on the blog they mention this:

Buffer over-read in unRAR code due to missing max value checks in table initialization. Reported by Rui Reis.

(Section Fixes for a few additional bugs)

and I found this -- no clue if that is it:
https://github.com/Cisco-Talos/clamav-devel/commit/d2aa492c7f9c3560f6421be0bd81d72c55fd1081
https://github.com/Cisco-Talos/clamav-devel/commit/65ed9df7f1a635ca7dd1799d656d805eab86158d
Comment 3 Sam James gentoo-dev Security 2020-03-15 03:39:35 UTC
(In reply to Thomas Raschbacher from comment #2)
> good question ..
> 
> on the blog they mention this:
> 
> Buffer over-read in unRAR code due to missing max value checks in table
> initialization. Reported by Rui Reis.
> 
> (Section Fixes for a few additional bugs)
> 
> and i found this: -- no clue if that is it:
> https://github.com/Cisco-Talos/clamav-devel/commit/d2aa492c7f9c3560f6421be0bd81d72c55fd1081
> https://github.com/Cisco-Talos/clamav-devel/commit/65ed9df7f1a635ca7dd1799d656d805eab86158d

Note that 0.101.0 [0] has replaced the old unrar lib:
> Support for RAR v5 archive extraction!
> We replaced the legacy C-based unrar implementation with RarLabs UnRAR 5.6.5 library.
> Licensing is the same as before, although our libclamunrar_iface supporting library has changed from LGPL to the BSD 3-Clause license.

[0] https://blog.clamav.net/2018/12/clamav-01010-has-been-released.html
Comment 4 John Helmert III (ajak) 2020-06-12 05:56:49 UTC
(In reply to Sam James (sec padawan) from comment #3)
> Note that 0.101.0 [0] has replaced the old unrar lib:
> > Support for RAR v5 archive extraction!
> > We replaced the legacy C-based unrar implementation with RarLabs UnRAR 5.6.5 library.
> > Licensing is the same as before, although our libclamunrar_iface supporting library has changed from LGPL to the BSD 3-Clause license.
> 
> [0] https://blog.clamav.net/2018/12/clamav-01010-has-been-released.html

UnRAR 5.6.5 was never a vulnerable version and we only have ClamAV newer than 0.101.0 in the tree, so we should be good here as far as ClamAV is concerned, right?
Comment 5 Sam James gentoo-dev Security 2020-06-13 18:37:40 UTC
(In reply to John Helmert III (ajak) from comment #4)
> UnRAR 5.6.5 was never a vulnerable version and we only have ClamAV newer
> than 0.101.0 in the tree, so we should be good here as far as ClamAV is
> concerned, right?

ClamAV stopped shipping the vulnerable one in late 2018 with the fixed 0.101.0.

Cleanup done early 2019: https://gitweb.gentoo.org/repo/gentoo.git/commit/app-antivirus/clamav?id=c12ddccad01d344a1b5b5ed9d5b2a0f3be9a8717.

So yep!
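The version-range question settled in comments 4 and 5 can be checked mechanically. The following is an added example, not code from this bug or from Gentoo's own tools: it parses the versioned atom from the bug title and reports whether sample installed packages (constructed) still fall in the affected range, and compares a bundled UnRAR version against the 5.5.7 fix version named in the CVE text. The atom grammar is a deliberate simplification of Portage's (dotted numeric versions with an optional -rN revision only).

```python
import re
from typing import Dict, Iterable, Tuple

# Taken from this bug: the vulnerable-range atom in the title and the UnRAR
# version the CVE descriptions name as fixed ("UnRAR before 5.5.7").
VULNERABLE_ATOM = "<app-antivirus/clamav-0.101.0"
UNRAR_FIXED_IN = "5.5.7"

# Versioned Gentoo atom: optional operator, category/package, dotted numeric
# version, optional -rN revision; suffixes like _rc1 are rejected, not misordered.
_ATOM_RE = re.compile(
    r"^(?P<op><=|>=|<|>|=)?(?P<cat>[\w+-]+)/(?P<pkg>[\w+-]+?)"
    r"-(?P<ver>\d+(?:\.\d+)*)(?:-r(?P<rev>\d+))?$"
)
_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def version_key(ver: str) -> Tuple[Tuple[int, ...], int]:
    """Sortable key for '0.100.3' or '0.100.3-r1': (components, revision). Tuple
    ordering agrees with Portage here: 1.2 sorts before 1.2.0, -r1 after -r0."""
    base, _, rev = ver.partition("-r")
    return tuple(int(x) for x in base.split(".")), int(rev or 0)

def parse_atom(atom: str) -> Tuple[str, str, Tuple[Tuple[int, ...], int]]:
    """Split an atom into (operator, category/package, version key)."""
    m = _ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"unsupported atom: {atom!r}")
    ver = m["ver"] + (f"-r{m['rev']}" if m["rev"] else "")
    return m["op"] or "=", f"{m['cat']}/{m['pkg']}", version_key(ver)

def matches_atom(installed: str, atom: str) -> bool:
    """True when an installed package string such as
    'app-antivirus/clamav-0.100.3-r1' falls inside the range the atom names."""
    op, pkg, key = parse_atom(atom)
    _, inst_pkg, inst_key = parse_atom(installed)
    return inst_pkg == pkg and _OPS[op](inst_key, key)

def unrar_version_affected(ver: str) -> bool:
    """The CVEs cover 'UnRAR before 5.5.7'; 5.6.5, bundled since 0.101.0, is not."""
    return version_key(ver) < version_key(UNRAR_FIXED_IN)

def triage(installed: Iterable[str]) -> Dict[str, bool]:
    """Map each installed package string to whether this bug still applies."""
    return {p: matches_atom(p, VULNERABLE_ATOM) for p in installed}

# Constructed sample of installed packages, not taken from any real system.
SAMPLE_INSTALLED = ["app-antivirus/clamav-0.100.3-r1", "app-antivirus/clamav-0.101.0",
                    "app-antivirus/clamav-0.102.3", "app-arch/unrar-5.5.6"]
```

Only the pre-0.101.0 clamav entry of the sample is flagged; the unrar line is a different package and is never matched by the clamav atom, which is why the bundled copy has to be checked separately.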