
Bug#774820: marked as done (wheezy-pu: clamav/0.98.5+dfsg-0+deb7u3)



Your message dated Sat, 05 Sep 2015 14:33:54 +0100
with message-id <1441460034.2151.33.camel@adam-barratt.org.uk>
and subject line Closing bugs for 7.9
has caused the Debian Bug report #774820,
regarding wheezy-pu: clamav/0.98.5+dfsg-0+deb7u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
774820: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774820
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team:

I'd like to update the clamav package in Wheezy with the following change:
|   * add "mspack-fix-division-by-zero-in-chm-format-handling" to fix divide
|     by zero in the chm unpacked. Found & patch by Jakub Wilk (Closes: #774766).
|   * add "mspack-fix-overflow-in-pointer-arithmetic-on-32bit" to avoid overflow
|     in pointer arithmetic causing a segfault on 32bit (Closes: #774767).

There are two equivalent bugs open against libmspack which is Jessie+
only.
Attaching a slightly edited .debdiff (the pointless index changes have
been removed).

Sebastian
diff -Nru clamav-0.98.5+dfsg/debian/changelog clamav-0.98.5+dfsg/debian/changelog
--- clamav-0.98.5+dfsg/debian/changelog	2015-01-04 00:41:33.000000000 +0100
+++ clamav-0.98.5+dfsg/debian/changelog	2015-01-07 21:59:47.000000000 +0100
@@ -1,3 +1,12 @@
+clamav (0.98.5+dfsg-0+deb7u3) stable; urgency=medium
+
+  * add "mspack-fix-division-by-zero-in-chm-format-handling" to fix divide
+    by zero in the chm unpacked. Found & patch by Jakub Wilk (Closes: #774766).
+  * add "mspack-fix-overflow-in-pointer-arithmetic-on-32bit" to avoid overflow
+    in pointer arithmetic causing a segfault on 32bit (Closes: #774767).
+
+ -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Wed, 07 Jan 2015 21:56:21 +0100
+
 clamav (0.98.5+dfsg-0+deb7u2) stable; urgency=medium
 
   * Add "libmspack-qtmd-fix-frame_end-overflow" to avoid endless-loop on
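Review bot: the first bullet of the new changelog entry carries two typos that will be frozen into the shipped changelog: "chm unpacked" should read "chm unpacker" and "Found & patch by" should read "Found & patched by". The same wording is quoted in the cover message, so fix both places before upload.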
diff -Nru clamav-0.98.5+dfsg/debian/.git-dpm clamav-0.98.5+dfsg/debian/.git-dpm
--- clamav-0.98.5+dfsg/debian/.git-dpm	2015-01-04 00:41:33.000000000 +0100
+++ clamav-0.98.5+dfsg/debian/.git-dpm	2015-01-07 21:59:47.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-a0449d2079c4ba5822e6567ad7094c10108f16cd
-a0449d2079c4ba5822e6567ad7094c10108f16cd
+1a5b9b3aba6e15f6c7371aa23adbc0600a0cf830
+1a5b9b3aba6e15f6c7371aa23adbc0600a0cf830
 14c3d5ca803fd6baa5ab413e87ca6d6bb2e26a3d
 14c3d5ca803fd6baa5ab413e87ca6d6bb2e26a3d
 clamav_0.98.5+dfsg.orig.tar.xz
diff -Nru clamav-0.98.5+dfsg/debian/patches/0019-mspack-fix-division-by-zero-in-chm-format-handling.patch clamav-0.98.5+dfsg/debian/patches/0019-mspack-fix-division-by-zero-in-chm-format-handling.patch
--- clamav-0.98.5+dfsg/debian/patches/0019-mspack-fix-division-by-zero-in-chm-format-handling.patch	1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.98.5+dfsg/debian/patches/0019-mspack-fix-division-by-zero-in-chm-format-handling.patch	2015-01-07 21:59:48.000000000 +0100
@@ -0,0 +1,30 @@
+From c673c5b4aabdd1d71fe9cc2df67f394e6038404d Mon Sep 17 00:00:00 2001
+From: Jakub Wilk <jwilk@debian.org>
+Date: Wed, 7 Jan 2015 14:05:38 +0100
+Subject: mspack: fix division by zero in chm format handling
+
+Fix division by 0 error found by special crated .chm by AFL.
+
+BTS:
+	https://bugs.debian.org/774725
+	https://bugs.debian.org/774766
+
+[bigeasy: patch description]
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+---
+ libclamav/libmspack-0.4alpha/mspack/chmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libclamav/libmspack-0.4alpha/mspack/chmd.c b/libclamav/libmspack-0.4alpha/mspack/chmd.c
+index 19dc47b..005c930 100644
+--- a/libclamav/libmspack-0.4alpha/mspack/chmd.c
++++ b/libclamav/libmspack-0.4alpha/mspack/chmd.c
+@@ -1123,7 +1123,7 @@ static int chmd_init_decomp(struct mschm_decompressor_p *self,
+   }
+ 
+   /* validate reset_interval */
+-  if (reset_interval % LZX_FRAME_SIZE) {
++  if (reset_interval % LZX_FRAME_SIZE || !reset_interval) {
+     D(("bad controldata reset interval"))
+     return self->error = MSPACK_ERR_DATAFORMAT;
+   }
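Review bot: the added `|| !reset_interval` term is correct and the evaluation order is safe (the modulo by the constant LZX_FRAME_SIZE cannot itself divide by zero, and a zero interval falls through to the second term), but the code gains no comment saying why zero is now rejected; suggest extending the existing comment to something like `/* validate reset_interval: must be a non-zero multiple of LZX_FRAME_SIZE */` so the next reader does not drop the extra term as redundant. In the patch description, "special crated .chm" should read "specially crafted .chm".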
diff -Nru clamav-0.98.5+dfsg/debian/patches/0020-mspack-fix-overflow-in-pointer-arithmetic-on-32bit.patch clamav-0.98.5+dfsg/debian/patches/0020-mspack-fix-overflow-in-pointer-arithmetic-on-32bit.patch
--- clamav-0.98.5+dfsg/debian/patches/0020-mspack-fix-overflow-in-pointer-arithmetic-on-32bit.patch	1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.98.5+dfsg/debian/patches/0020-mspack-fix-overflow-in-pointer-arithmetic-on-32bit.patch	2015-01-07 21:59:48.000000000 +0100
@@ -0,0 +1,63 @@
+From 1a5b9b3aba6e15f6c7371aa23adbc0600a0cf830 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date: Wed, 7 Jan 2015 21:31:36 +0100
+Subject: mspack: fix overflow in pointer arithmetic on 32bit
+
+There are two checks to ensure that the encoded length of the file name does not
+exceed the length of the memory where it is stored. That check is written as
+	p + name_len > end
+
+in general it works. On 32bit architectures it is possible that a large name_len
+overflows and p + name_len is less than p and therefore also less than end and
+the check does not catch it.
+Jakub rewrote the check as
+	name_len > end - p
+
+so name_len is compared against the remaining space in the memory chunk.
+
+Additionally Jakub added a check to chmd_read_headers() to avoid accessing
+name[name_len - 1] if it would overflow.
+
+BTS:
+	https://bugs.debian.org/774726
+	https://bugs.debian.org/774767
+
+[bigeasy: patch description]
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+---
+ libclamav/libmspack-0.4alpha/mspack/chmd.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/libclamav/libmspack-0.4alpha/mspack/chmd.c b/libclamav/libmspack-0.4alpha/mspack/chmd.c
+index 005c930..c38ac92 100644
+--- a/libclamav/libmspack-0.4alpha/mspack/chmd.c
++++ b/libclamav/libmspack-0.4alpha/mspack/chmd.c
+@@ -445,7 +445,9 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh,
+     num_entries = EndGetI16(end);
+ 
+     while (num_entries--) {
+-      READ_ENCINT(name_len); name = p; p += name_len;
++      READ_ENCINT(name_len);
++      if (name_len > end - p) goto chunk_end;
++      name = p; p += name_len;
+       READ_ENCINT(section);
+       READ_ENCINT(offset);
+       READ_ENCINT(length);
+@@ -746,7 +748,7 @@ static int search_chunk(struct mschmd_header *chm,
+ 	    /* compare filename with entry QR points to */
+ 	    p = &chunk[entries_off + (M ? EndGetI16(start - (M << 1)) : 0)];
+ 	    READ_ENCINT(name_len);
+-	    if (p + name_len > end) goto chunk_end;
++	    if (name_len > end - p) goto chunk_end;
+ 	    cmp = compare(filename, (char *)p, fname_len, name_len);
+ 
+ 	    if (cmp == 0) break;
+@@ -783,7 +785,7 @@ static int search_chunk(struct mschmd_header *chm,
+     *result = NULL;
+     while (num_entries-- > 0) {
+ 	READ_ENCINT(name_len);
+-	if (p + name_len > end) goto chunk_end;
++	if (name_len > end - p) goto chunk_end;
+ 	cmp = compare(filename, (char *)p, fname_len, name_len);
+ 	p += name_len;
+ 
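Review bot: the description states that the new check in chmd_read_headers() avoids accessing name[name_len - 1], but the visible hunk only rejects a name_len larger than the remaining space; a name_len of 0 would still make that index negative unless a separate non-zero check exists outside this hunk, so please confirm and mention it in the description. The rewritten comparisons `name_len > end - p` also rely on p not already having run past end at that point: `end - p` is a signed ptrdiff_t, and if it were negative the result of the comparison would depend on the signedness and width of name_len, whose declaration is not in the hunk; stating that p <= end is an invariant here (and the type of name_len) would make the reasoning checkable. Finally, the description counts "two checks", while the hunk touches three sites (one added, two rewritten).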
diff -Nru clamav-0.98.5+dfsg/debian/patches/series clamav-0.98.5+dfsg/debian/patches/series
--- clamav-0.98.5+dfsg/debian/patches/series	2015-01-04 00:41:33.000000000 +0100
+++ clamav-0.98.5+dfsg/debian/patches/series	2015-01-07 21:59:48.000000000 +0100
@@ -16,3 +16,5 @@
 0016-Bump-.so-version-number.patch
 0017-llvm-don-t-use-system-libs.patch
 0018-libmspack-qtmd-fix-frame_end-overflow.patch
+0019-mspack-fix-division-by-zero-in-chm-format-handling.patch
+0020-mspack-fix-overflow-in-pointer-arithmetic-on-32bit.patch

--- End Message ---
--- Begin Message ---
Version: 7.9

Hi,

These bugs relate to updates which were included in the 7.9 point
release.

Regards,

Adam

--- End Message ---