Bug#888552: stretch-pu: package clamav/0.99.2+dfsg-6+b1
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal
Clamav released 0.99.3. Recently upstream decided to release 0.99.2.1 as
a security hotfix release only. However they then decided not to use a
four digit version but three as usual and so the security hotfix is
now 0.99.3.
In unstable we have 0.99.3~beta2 which was a pre-release of the upcoming
0.99.3 before they decided to release a security fix. So in unstable we
have a "beta2" which contains all the security fixes which are part of
their final 0.99.3 release.
Instead of reverting all that stuff I prepared for the 0.99.3 I backported
the delta from 0.99.2..0.99.3 and prepared an incremental 0.99.2 release
for Stretch [0]. Clamav itself identifies as 0.99.3 because otherwise it
will complain about being too old.
Please find attached a debdiff. The official announcement is at [1].
If you prefer another way of dealing with this please let me know.
[0] A second pair of eyes wouldn't hurt, after all it is 2am here.
[1] http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
Sebastian
diff -Nru clamav-0.99.2+dfsg/debian/changelog clamav-0.99.2+dfsg/debian/changelog
--- clamav-0.99.2+dfsg/debian/changelog 2017-02-04 21:54:51.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/changelog 2018-01-27 00:33:28.000000000 +0100
@@ -1,3 +1,13 @@
+clamav (0.99.2+dfsg-6+deb9u1) stretch; urgency=medium
+
+ * Apply security patches from 0.99.3 (Closes: #888484):
+ - fixes for the following CVE's: CVE-2017-6418, CVE-2017-6420,
+ CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377,
+ CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
+ * Bump symbol version of cl_retflevel because CL_FLEVEL changed.
+
+ -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sat, 27 Jan 2018 00:33:28 +0100
+
clamav (0.99.2+dfsg-6) unstable; urgency=medium
* Fix detection of curl. Patch by Reiner Herrmann <reiner@reiner-h.de>
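Review bot: The new changelog entry does not record that the binaries will identify themselves as 0.99.3 while the package version stays at 0.99.2+dfsg-6+deb9u1. The series adds setting-version-for-security-release-to-0.99.3.patch, so one more bullet stating that the reported version becomes 0.99.3 would help anyone comparing the program's version output against the package version.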
diff -Nru clamav-0.99.2+dfsg/debian/.git-dpm clamav-0.99.2+dfsg/debian/.git-dpm
--- clamav-0.99.2+dfsg/debian/.git-dpm 2017-01-30 21:27:33.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/.git-dpm 2018-01-27 00:30:29.000000000 +0100
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-4a07f7933aad6b3f3e533fa69e5401d82415b319
-4a07f7933aad6b3f3e533fa69e5401d82415b319
+6d775ed287a80b1a7e26cff79a2519982267c66f
+6d775ed287a80b1a7e26cff79a2519982267c66f
48a96d2a3f0f4aca12f39f62a53fe1671a6e15a2
48a96d2a3f0f4aca12f39f62a53fe1671a6e15a2
clamav_0.99.2+dfsg.orig.tar.xz
diff -Nru clamav-0.99.2+dfsg/debian/libclamav7.symbols clamav-0.99.2+dfsg/debian/libclamav7.symbols
--- clamav-0.99.2+dfsg/debian/libclamav7.symbols 2017-01-30 21:27:31.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/libclamav7.symbols 2018-01-27 00:33:28.000000000 +0100
@@ -63,7 +63,7 @@
cl_load_cert@CLAMAV_PRIVATE 0.99.2
cl_load_crl@CLAMAV_PRIVATE 0.99.2
cl_retdbdir@CLAMAV_PUBLIC 0.99~rc1
- cl_retflevel@CLAMAV_PUBLIC 0.99.1
+ cl_retflevel@CLAMAV_PUBLIC 0.99.2+dfsg-6+deb9u1
cl_retver@CLAMAV_PUBLIC 0.99~rc1
cl_scandesc@CLAMAV_PUBLIC 0.99~rc1
cl_scandesc_callback@CLAMAV_PUBLIC 0.99~rc1
diff -Nru clamav-0.99.2+dfsg/debian/patches/b11939-adding-fix-as-recommended-by-bug-reporter-alo.patch clamav-0.99.2+dfsg/debian/patches/b11939-adding-fix-as-recommended-by-bug-reporter-alo.patch
--- clamav-0.99.2+dfsg/debian/patches/b11939-adding-fix-as-recommended-by-bug-reporter-alo.patch 1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/patches/b11939-adding-fix-as-recommended-by-bug-reporter-alo.patch 2018-01-27 00:30:30.000000000 +0100
@@ -0,0 +1,75 @@
+From c9bcbeb72bd8966bec18e5c3ad8efd0409e712c5 Mon Sep 17 00:00:00 2001
+From: Micah Snyder <micasnyd@cisco.com>
+Date: Sun, 29 Oct 2017 17:35:00 -0400
+Subject: b11939: adding fix as recommended by bug reporter along with a couple
+ extra lines to ensure freed pointers are set to NULL.
+
+Patch-Name: b11939-adding-fix-as-recommended-by-bug-reporter-alo.patch
+---
+ libclamav/mbox.c | 2 +-
+ libclamav/message.c | 4 +++-
+ libclamav/text.c | 10 +++++++---
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/libclamav/mbox.c b/libclamav/mbox.c
+index 96bdbd2..8e48bb7 100644
+--- a/libclamav/mbox.c
++++ b/libclamav/mbox.c
+@@ -2067,7 +2067,7 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re
+ * bother saving to scan, it's safe
+ */
+ saveIt = (bool)(encodingLine(mainMessage) != NULL);
+- else if((t_line = encodingLine(mainMessage)) != NULL) {
++ else if(mainMessage->body_last != NULL && (t_line = encodingLine(mainMessage)) != NULL) {
+ /*
+ * Some bounces include the message
+ * body without the headers.
+diff --git a/libclamav/message.c b/libclamav/message.c
+index 3856bfe..8afe800 100644
+--- a/libclamav/message.c
++++ b/libclamav/message.c
+@@ -1068,8 +1068,10 @@ messageMoveText(message *m, text *t, message *old_message)
+ for(u = old_message->body_first; u != t;) {
+ text *next;
+
+- if(u->t_line)
++ if(u->t_line) {
+ lineUnlink(u->t_line);
++ u->t_line = NULL;
++ }
+ next = u->t_next;
+
+ free(u);
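Review bot: In messageMoveText the added `u->t_line = NULL;` is a dead store, because `free(u)` follows two lines later and nothing reads `u->t_line` in between. It is harmless, but it does not protect against a stale reference on its own; if that is the goal, the pointer that still refers to `u` after the loop is the one to clear, and a comment saying so would help.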
+diff --git a/libclamav/text.c b/libclamav/text.c
+index 5c6e7ea..7d3c3a6 100644
+--- a/libclamav/text.c
++++ b/libclamav/text.c
+@@ -124,8 +124,10 @@ textDestroy(text *t_head)
+ {
+ while(t_head) {
+ text *t_next = t_head->t_next;
+- if(t_head->t_line)
+- (void)lineUnlink(t_head->t_line);
++ if(t_head->t_line) {
++ lineUnlink(t_head->t_line);
++ t_head->t_line = NULL;
++ }
+ free(t_head);
+ t_head = t_next;
+ }
+@@ -146,12 +148,14 @@ textCopy(const text *t_head)
+ }
+
+ if(last == NULL) {
+- cli_errmsg("textCopy: Unable to allocate memory to clone object\n");
++ cli_errmsg("textCopy: Unable to allocate memory to clone object\n");
+ if(first)
+ textDestroy(first);
+ return NULL;
+ }
+
++ last->t_next = NULL;
++
+ if(t_head->t_line)
+ last->t_line = lineLink(t_head->t_line);
+ else
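Review bot: The `cli_errmsg` line in textCopy is removed and re-added with the same text, so it is a whitespace-only change mixed into a security fix; dropping it would leave `last->t_next = NULL;` as the only change in this hunk and make the backport easier to audit. The initialisation deserves a one-line comment: the error path calls textDestroy(first), which walks t_next, so a freshly allocated node must not carry an uninitialised link.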
diff -Nru clamav-0.99.2+dfsg/debian/patches/bb111711-fix-zlib-version-check-patch-by-Daniel-J.-L.patch clamav-0.99.2+dfsg/debian/patches/bb111711-fix-zlib-version-check-patch-by-Daniel-J.-L.patch
--- clamav-0.99.2+dfsg/debian/patches/bb111711-fix-zlib-version-check-patch-by-Daniel-J.-L.patch 1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/patches/bb111711-fix-zlib-version-check-patch-by-Daniel-J.-L.patch 2018-01-27 00:30:30.000000000 +0100
@@ -0,0 +1,26 @@
+From 015a82262c0c959a281f2e4625d6e5c3446bd48a Mon Sep 17 00:00:00 2001
+From: Steven Morgan <stevmorg@cisco.com>
+Date: Thu, 5 Jan 2017 12:30:35 -0500
+Subject: bb111711 - fix zlib version check - patch by Daniel J. Luke.
+
+Patch-Name: bb111711-fix-zlib-version-check-patch-by-Daniel-J.-L.patch
+---
+ m4/reorganization/libs/libz.m4 | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/m4/reorganization/libs/libz.m4 b/m4/reorganization/libs/libz.m4
+index b5c7414..f7b67ca 100644
+--- a/m4/reorganization/libs/libz.m4
++++ b/m4/reorganization/libs/libz.m4
+@@ -29,9 +29,9 @@ then
+ AC_MSG_ERROR([Please install zlib and zlib-devel packages])
+ else
+
+- vuln=`grep "ZLIB_VERSION \"1.2.0" $ZLIB_HOME/include/zlib.h`
++ vuln=`grep "ZLIB_VERSION \"1.2.0\"" $ZLIB_HOME/include/zlib.h`
+ if test -z "$vuln"; then
+- vuln=`grep "ZLIB_VERSION \"1.2.1" $ZLIB_HOME/include/zlib.h`
++ vuln=`grep "ZLIB_VERSION \"1.2.1\"" $ZLIB_HOME/include/zlib.h`
+ fi
+
+ if test -n "$vuln"; then
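Review bot: Adding the closing quote to both grep patterns turns a prefix match into an exact match, so only a header defining exactly "1.2.0" or "1.2.1" is flagged. That removes false warnings for longer version strings that merely start with those digits, but a four-component version beginning 1.2.0. or 1.2.1. is no longer matched either; worth confirming that is intended and adding a comment above the two greps naming the versions meant to be caught.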
diff -Nru clamav-0.99.2+dfsg/debian/patches/bb11797-fix-invalid-read-in-fuzzed-mail-file.patch clamav-0.99.2+dfsg/debian/patches/bb11797-fix-invalid-read-in-fuzzed-mail-file.patch
--- clamav-0.99.2+dfsg/debian/patches/bb11797-fix-invalid-read-in-fuzzed-mail-file.patch 1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/patches/bb11797-fix-invalid-read-in-fuzzed-mail-file.patch 2018-01-27 00:30:30.000000000 +0100
@@ -0,0 +1,38 @@
+From 064d16c70af6ab82b28999643c89c16e27493bd0 Mon Sep 17 00:00:00 2001
+From: Steven Morgan <stevmorg@cisco.com>
+Date: Thu, 2 Mar 2017 14:41:20 -0500
+Subject: bb11797 - fix invalid read in fuzzed mail file.
+
+Patch-Name: bb11797-fix-invalid-read-in-fuzzed-mail-file.patch
+---
+ libclamav/message.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/libclamav/message.c b/libclamav/message.c
+index abb1ac2..3856bfe 100644
+--- a/libclamav/message.c
++++ b/libclamav/message.c
+@@ -439,8 +439,12 @@ messageAddArgument(message *m, const char *arg)
+ * FIXME: Bounce message handling is corrupting the in
+ * core copies of headers
+ */
+- cli_dbgmsg("Possible data corruption fixed\n");
+- p[8] = '=';
++ if (strlen(p) > 8) {
++ cli_dbgmsg("Possible data corruption fixed\n");
++ p[8] = '=';
++ } else {
++ cli_dbgmsg("Possible data corruption not fixed\n");
++ }
+ } else {
+ if(*p)
+ cli_dbgmsg("messageAddArgument, '%s' contains no '='\n", p);
+@@ -676,7 +680,7 @@ messageFindArgument(const message *m, const char *variable)
+ cli_dbgmsg("messageFindArgument: no '=' sign found in MIME header '%s' (%s)\n", variable, messageGetArgument(m, i));
+ return NULL;
+ }
+- if((*++ptr == '"') && (strchr(&ptr[1], '"') != NULL)) {
++ if((strlen(ptr) > 2) && (*++ptr == '"') && (strchr(&ptr[1], '"') != NULL)) {
+ /* Remove any quote characters */
+ char *ret = cli_strdup(++ptr);
+ char *p;
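Review bot: In messageFindArgument the new `strlen(ptr) > 2` test short-circuits before `*++ptr`, so for short values the increment no longer happens and any code after this `if` (not shown in the hunk) sees `ptr` at its old position. Moving the increment out of the condition, then testing the length and the quote character, keeps the pointer state identical on both paths.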
diff -Nru clamav-0.99.2+dfsg/debian/patches/bb11798-fix-unit-tests.patch clamav-0.99.2+dfsg/debian/patches/bb11798-fix-unit-tests.patch
--- clamav-0.99.2+dfsg/debian/patches/bb11798-fix-unit-tests.patch 1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/patches/bb11798-fix-unit-tests.patch 2018-01-27 00:30:30.000000000 +0100
@@ -0,0 +1,45 @@
+From 4fc56fe51856c9e3eceeee962350c79410cc2d4f Mon Sep 17 00:00:00 2001
+From: Steven Morgan <stevmorg@cisco.com>
+Date: Wed, 8 Mar 2017 08:58:28 -0500
+Subject: bb11798 - fix unit tests.
+
+Patch-Name: bb11798-fix-unit-tests.patch
+---
+ libclamav/wwunpack.c | 9 +++------
+ unit_tests/check_jsnorm.c | 2 +-
+ 2 files changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/libclamav/wwunpack.c b/libclamav/wwunpack.c
+index 38c1808..a13550e 100644
+--- a/libclamav/wwunpack.c
++++ b/libclamav/wwunpack.c
+@@ -226,13 +226,10 @@ int wwunpack(uint8_t *exe, uint32_t exesz, uint8_t *wwsect, struct cli_exe_secti
+ return CL_EFORMAT;
+ exe[pe+6]=(uint8_t)scount;
+ exe[pe+7]=(uint8_t)(scount>>8);
+- if (!CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295, 4) ||
+- !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva, 4) ||
+- !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva+0x299, 4)) {
++ if (!CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295, 4))
+ cli_dbgmsg("WWPack: unpack memory address out of bounds.\n");
+- return CL_EFORMAT;
+- }
+- cli_writeint32(&exe[pe+0x28], cli_readint32(wwsect+0x295)+sects[scount].rva+0x299);
++ else
++ cli_writeint32(&exe[pe+0x28], cli_readint32(wwsect+0x295)+sects[scount].rva+0x299);
+ cli_writeint32(&exe[pe+0x50], cli_readint32(&exe[pe+0x50])-sects[scount].vsz);
+
+ structs = &exe[(0xffff&cli_readint32(&exe[pe+0x14]))+pe+0x18];
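Review bot: The rewritten check in wwunpack no longer returns CL_EFORMAT when the containment test fails; it logs and then falls through to the write at exe[pe+0x50] and the rest of the function. Under the subject "fix unit tests" this relaxes the bounds handling added by bb19798, so the commit message should explain why continuing without rewriting the field at exe[pe+0x28] is safe, and the unbraced if/else would be clearer with braces.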
+diff --git a/unit_tests/check_jsnorm.c b/unit_tests/check_jsnorm.c
+index 7515a0c..9587ea4 100644
+--- a/unit_tests/check_jsnorm.c
++++ b/unit_tests/check_jsnorm.c
+@@ -145,7 +145,7 @@ END_TEST
+
+ START_TEST (test_token_dval)
+ {
+- int val = 0.12345;
++ double val = 0.12345;
+ yystype tok;
+ memset(&tok, 0, sizeof(tok));
+
diff -Nru clamav-0.99.2+dfsg/debian/patches/bb11940-fixing-heap-overflow-in-rfc2037.-Patch-submi.patch clamav-0.99.2+dfsg/debian/patches/bb11940-fixing-heap-overflow-in-rfc2037.-Patch-submi.patch
--- clamav-0.99.2+dfsg/debian/patches/bb11940-fixing-heap-overflow-in-rfc2037.-Patch-submi.patch 1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/patches/bb11940-fixing-heap-overflow-in-rfc2037.-Patch-submi.patch 2018-01-27 00:30:30.000000000 +0100
@@ -0,0 +1,24 @@
+From 0d286c958e1265f88ec6d1a147fc7296cbb647da Mon Sep 17 00:00:00 2001
+From: Mickey Sola <msola@sourcefire.com>
+Date: Fri, 27 Oct 2017 17:24:33 -0400
+Subject: bb11940 - fixing heap overflow in rfc2037. Patch submitted by Suleman
+ Ali
+
+Patch-Name: bb11940-fixing-heap-overflow-in-rfc2037.-Patch-submi.patch
+---
+ libclamav/mbox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libclamav/mbox.c b/libclamav/mbox.c
+index 8e48bb7..13edb78 100644
+--- a/libclamav/mbox.c
++++ b/libclamav/mbox.c
+@@ -2842,7 +2842,7 @@ rfc2047(const char *in)
+ memcpy(pout, blobGetData(b), len);
+ blobDestroy(b);
+ messageDestroy(m);
+- if(pout[len - 1] == '\n')
++ if(len > 0 && pout[len - 1] == '\n')
+ pout += len - 1;
+ else
+ pout += len;
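Review bot: The subject line says rfc2037 but the function changed is rfc2047; correcting the name would make the patch findable by function. The `len > 0` guard itself covers the case visible here, where a zero length made `pout[len - 1]` index one byte before the current output position.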
diff -Nru clamav-0.99.2+dfsg/debian/patches/bb11941-fixing-UAF-in-mbox-exportBounceMessage.-Orig.patch clamav-0.99.2+dfsg/debian/patches/bb11941-fixing-UAF-in-mbox-exportBounceMessage.-Orig.patch
--- clamav-0.99.2+dfsg/debian/patches/bb11941-fixing-UAF-in-mbox-exportBounceMessage.-Orig.patch 1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/patches/bb11941-fixing-UAF-in-mbox-exportBounceMessage.-Orig.patch 2018-01-27 00:30:30.000000000 +0100
@@ -0,0 +1,27 @@
+From 81c634044d8a312a2f6d689c2c1f3dbc087c3957 Mon Sep 17 00:00:00 2001
+From: Mickey Sola <msola@sourcefire.com>
+Date: Mon, 30 Oct 2017 16:39:54 -0400
+Subject: bb11941 - fixing UAF in mbox exportBounceMessage. Original patch
+ submitted by Suleman Ali
+
+Patch-Name: bb11941-fixing-UAF-in-mbox-exportBounceMessage.-Orig.patch
+---
+ libclamav/mbox.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libclamav/mbox.c b/libclamav/mbox.c
+index 13edb78..3df2ae0 100644
+--- a/libclamav/mbox.c
++++ b/libclamav/mbox.c
+@@ -2053,8 +2053,9 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re
+ /*
+ * Look for uu-encoded main file
+ */
+- if((encodingLine(mainMessage) != NULL) &&
+- ((t_line = bounceBegin(mainMessage)) != NULL))
++ if(mainMessage->body_first != NULL &&
++ (encodingLine(mainMessage) != NULL) &&
++ ((t_line = bounceBegin(mainMessage)) != NULL))
+ rc = (exportBounceMessage(mctx, t_line) == CL_VIRUS) ? VIRUS : OK;
+ else {
+ bool saveIt;
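Review bot: This guard tests `mainMessage->body_first`, while the neighbouring else-if guard added to the same function by the b11939 patch tests `mainMessage->body_last`. Both precede a call to encodingLine(mainMessage); using the same field in both places, or a short comment on why they differ, would make clear which condition is being excluded.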
diff -Nru clamav-0.99.2+dfsg/debian/patches/bb11943-add-check-to-mew.c-for-out-of-bounds-read.-P.patch clamav-0.99.2+dfsg/debian/patches/bb11943-add-check-to-mew.c-for-out-of-bounds-read.-P.patch
--- clamav-0.99.2+dfsg/debian/patches/bb11943-add-check-to-mew.c-for-out-of-bounds-read.-P.patch 1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/patches/bb11943-add-check-to-mew.c-for-out-of-bounds-read.-P.patch 2018-01-27 00:30:30.000000000 +0100
@@ -0,0 +1,24 @@
+From 66335852468e845954cd7c642b1502eb087821f7 Mon Sep 17 00:00:00 2001
+From: Steven Morgan <stevmorg@cisco.com>
+Date: Fri, 27 Oct 2017 16:52:29 -0400
+Subject: bb11943 - add check to mew.c for out of bounds read. Patch supplied
+ by Suleman Ali.
+
+Patch-Name: bb11943-add-check-to-mew.c-for-out-of-bounds-read.-P.patch
+---
+ libclamav/mew.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libclamav/mew.c b/libclamav/mew.c
+index 0e0c011..14d2bc2 100644
+--- a/libclamav/mew.c
++++ b/libclamav/mew.c
+@@ -424,6 +424,8 @@ int mew_lzma(char *orgsource, const char *buf, uint32_t size_sum, uint32_t vma,
+ loc_edi = 1;
+ var14 = var10 = var24 = 1;
+
++ if(CLI_ISCONTAINED(orgsource, size_sum, var2C, 5))
++ return -1;
+ lzma_bswap_4861dc(&var40, var2C);
+ new_edx = 0;
+ } while (var28 <= loc_esi); /* source = 0 */
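Review bot: The added condition is inverted: `if(CLI_ISCONTAINED(orgsource, size_sum, var2C, 5)) return -1;` bails out when the five bytes at var2C are inside the buffer and proceeds to lzma_bswap_4861dc when they are not. The next patch in the series adds the missing `!`; squashing the two would avoid an intermediate state that rejects valid input and leaves the out-of-bounds read in place.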
diff -Nru clamav-0.99.2+dfsg/debian/patches/bb11943-buffer-check-for-mew-packed-files.patch clamav-0.99.2+dfsg/debian/patches/bb11943-buffer-check-for-mew-packed-files.patch
--- clamav-0.99.2+dfsg/debian/patches/bb11943-buffer-check-for-mew-packed-files.patch 1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/patches/bb11943-buffer-check-for-mew-packed-files.patch 2018-01-27 00:30:30.000000000 +0100
@@ -0,0 +1,23 @@
+From 56b2f0dd3fe100c000051f45b3d01e1744e49b57 Mon Sep 17 00:00:00 2001
+From: Steven Morgan <stevmorg@cisco.com>
+Date: Wed, 15 Nov 2017 10:46:39 -0500
+Subject: bb11943 - buffer check for mew packed files.
+
+Patch-Name: bb11943-buffer-check-for-mew-packed-files.patch
+---
+ libclamav/mew.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libclamav/mew.c b/libclamav/mew.c
+index 14d2bc2..e5fb1f4 100644
+--- a/libclamav/mew.c
++++ b/libclamav/mew.c
+@@ -424,7 +424,7 @@ int mew_lzma(char *orgsource, const char *buf, uint32_t size_sum, uint32_t vma,
+ loc_edi = 1;
+ var14 = var10 = var24 = 1;
+
+- if(CLI_ISCONTAINED(orgsource, size_sum, var2C, 5))
++ if(!CLI_ISCONTAINED(orgsource, size_sum, var2C, 5))
+ return -1;
+ lzma_bswap_4861dc(&var40, var2C);
+ new_edx = 0;
diff -Nru clamav-0.99.2+dfsg/debian/patches/bb11944-fix-possible-message.c-OOB-read.patch clamav-0.99.2+dfsg/debian/patches/bb11944-fix-possible-message.c-OOB-read.patch
--- clamav-0.99.2+dfsg/debian/patches/bb11944-fix-possible-message.c-OOB-read.patch 1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/patches/bb11944-fix-possible-message.c-OOB-read.patch 2018-01-27 00:30:30.000000000 +0100
@@ -0,0 +1,32 @@
+From fdc9fa49adcf31ef8430ba704fdc724e3ea1d614 Mon Sep 17 00:00:00 2001
+From: Steven Morgan <stevmorg@cisco.com>
+Date: Wed, 1 Nov 2017 16:23:23 -0400
+Subject: bb11944 - fix possible message.c OOB read.
+
+Patch-Name: bb11944-fix-possible-message.c-OOB-read.patch
+---
+ libclamav/message.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libclamav/message.c b/libclamav/message.c
+index 8afe800..59d92f7 100644
+--- a/libclamav/message.c
++++ b/libclamav/message.c
+@@ -2323,15 +2323,16 @@ rfc2231(const char *in)
+ in++;
+ continue;
+ }
+- *p = '\0';
+ break;
+ case '=':
+ /*strcpy(p, in);*/
+ strcpy(p, "=rfc2231failure");
++ p += strlen ("=rfc2231failure");
+ break;
+ }
+ break;
+ } while(*in);
++ *p = '\0';
+
+ cli_dbgmsg("RFC2231 parameter continuations are not yet handled, returning \"%s\"\n",
+ ret);
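Review bot: In the '=' case, `strcpy(p, "=rfc2231failure")` followed by the new `p += strlen(...)` writes 16 bytes at p, and the size of the buffer behind ret is not visible in this hunk. Worth confirming that the allocation leaves room for the marker plus the terminator now written after the loop, or bounding the copy against the remaining space.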
diff -Nru clamav-0.99.2+dfsg/debian/patches/bb11945-fixing-null-dereference-of-blob-pointer.patch clamav-0.99.2+dfsg/debian/patches/bb11945-fixing-null-dereference-of-blob-pointer.patch
--- clamav-0.99.2+dfsg/debian/patches/bb11945-fixing-null-dereference-of-blob-pointer.patch 1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/patches/bb11945-fixing-null-dereference-of-blob-pointer.patch 2018-01-27 00:30:30.000000000 +0100
@@ -0,0 +1,25 @@
+From a0191afb60fcfbb97e1868a09ecafbf4a30a1f07 Mon Sep 17 00:00:00 2001
+From: Mickey Sola <msola@sourcefire.com>
+Date: Fri, 27 Oct 2017 17:04:32 -0400
+Subject: bb11945 - fixing null dereference of blob pointer
+
+Patch-Name: bb11945-fixing-null-dereference-of-blob-pointer.patch
+---
+ libclamav/mbox.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libclamav/mbox.c b/libclamav/mbox.c
+index 3df2ae0..9926896 100644
+--- a/libclamav/mbox.c
++++ b/libclamav/mbox.c
+@@ -2837,6 +2837,10 @@ rfc2047(const char *in)
+ break;
+ }
+ b = messageToBlob(m, 1);
++ if (b == NULL) {
++ messageDestroy(m);
++ break;
++ }
+ len = blobGetDataSize(b);
+ cli_dbgmsg("Decoded as '%*.*s'\n", (int)len, (int)len,
+ (const char *)blobGetData(b));
diff -Nru clamav-0.99.2+dfsg/debian/patches/bb11946-check-that-tar-checksum-is-within-bounds.-Pa.patch clamav-0.99.2+dfsg/debian/patches/bb11946-check-that-tar-checksum-is-within-bounds.-Pa.patch
--- clamav-0.99.2+dfsg/debian/patches/bb11946-check-that-tar-checksum-is-within-bounds.-Pa.patch 1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/patches/bb11946-check-that-tar-checksum-is-within-bounds.-Pa.patch 2018-01-27 00:30:30.000000000 +0100
@@ -0,0 +1,25 @@
+From 17ae79a680606e6c55f381144e06dcf752c82873 Mon Sep 17 00:00:00 2001
+From: Steven Morgan <stevmorg@cisco.com>
+Date: Fri, 27 Oct 2017 16:03:29 -0400
+Subject: bb11946 - check that tar checksum is within bounds. Patch supplied by
+ Suleman Ali.
+
+Patch-Name: bb11946-check-that-tar-checksum-is-within-bounds.-Pa.patch
+---
+ libclamav/untar.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libclamav/untar.c b/libclamav/untar.c
+index 3f72cec..dcdf966 100644
+--- a/libclamav/untar.c
++++ b/libclamav/untar.c
+@@ -182,6 +182,9 @@ cli_untar(const char *dir, unsigned int posix, cli_ctx *ctx)
+ if((ret=cli_checklimits("cli_untar", ctx, 0, 0, 0))!=CL_CLEAN)
+ return ret;
+
++ if (nread < TARCHECKSUMOFFSET + TARCHECKSUMLEN)
++ return ret;
++
+ checksum = getchecksum(block);
+ cli_dbgmsg("cli_untar: Candidate checksum = %d, [%o in octal]\n", checksum, checksum);
+ if(testchecksum(block, checksum) != 0) {
diff -Nru clamav-0.99.2+dfsg/debian/patches/bb19798-fix-out-of-bound-memory-access-for-crafted-w.patch clamav-0.99.2+dfsg/debian/patches/bb19798-fix-out-of-bound-memory-access-for-crafted-w.patch
--- clamav-0.99.2+dfsg/debian/patches/bb19798-fix-out-of-bound-memory-access-for-crafted-w.patch 1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/patches/bb19798-fix-out-of-bound-memory-access-for-crafted-w.patch 2018-01-27 00:30:30.000000000 +0100
@@ -0,0 +1,27 @@
+From 580557c7ac1442dead3bed61cd3e0e4559649078 Mon Sep 17 00:00:00 2001
+From: Steven Morgan <stevmorg@cisco.com>
+Date: Fri, 3 Mar 2017 13:56:28 -0500
+Subject: bb19798 - fix out of bound memory access for crafted wwunpack file.
+
+Patch-Name: bb19798-fix-out-of-bound-memory-access-for-crafted-w.patch
+---
+ libclamav/wwunpack.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libclamav/wwunpack.c b/libclamav/wwunpack.c
+index 8611cb6..38c1808 100644
+--- a/libclamav/wwunpack.c
++++ b/libclamav/wwunpack.c
+@@ -226,6 +226,12 @@ int wwunpack(uint8_t *exe, uint32_t exesz, uint8_t *wwsect, struct cli_exe_secti
+ return CL_EFORMAT;
+ exe[pe+6]=(uint8_t)scount;
+ exe[pe+7]=(uint8_t)(scount>>8);
++ if (!CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295, 4) ||
++ !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva, 4) ||
++ !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva+0x299, 4)) {
++ cli_dbgmsg("WWPack: unpack memory address out of bounds.\n");
++ return CL_EFORMAT;
++ }
+ cli_writeint32(&exe[pe+0x28], cli_readint32(wwsect+0x295)+sects[scount].rva+0x299);
+ cli_writeint32(&exe[pe+0x50], cli_readint32(&exe[pe+0x50])-sects[scount].vsz);
+
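Review bot: Only the first of the three CLI_ISCONTAINED tests matches a memory access in the lines that follow: `cli_readint32(wwsect+0x295)` reads four bytes at wwsect+0x295, whereas `sects[scount].rva` and 0x299 are added to the value read, not to the pointer. The second and third tests therefore reject files based on addresses that are never dereferenced here; either drop them or add a comment naming the access they are meant to protect.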
diff -Nru clamav-0.99.2+dfsg/debian/patches/Better-fix-for-bug-11946.patch clamav-0.99.2+dfsg/debian/patches/Better-fix-for-bug-11946.patch
--- clamav-0.99.2+dfsg/debian/patches/Better-fix-for-bug-11946.patch 1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/patches/Better-fix-for-bug-11946.patch 2018-01-27 00:30:30.000000000 +0100
@@ -0,0 +1,46 @@
+From e3a3a7b8678b71e1eb1a511864f75fe62c7e6ae7 Mon Sep 17 00:00:00 2001
+From: Craig Davison <crdaviso@cisco.com>
+Date: Wed, 1 Nov 2017 13:34:20 -0600
+Subject: Better fix for bug 11946
+
+Signed-off-by: Steven Morgan <stevmorg@cisco.com>
+Patch-Name: Better-fix-for-bug-11946.patch
+---
+ libclamav/untar.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/libclamav/untar.c b/libclamav/untar.c
+index dcdf966..c645305 100644
+--- a/libclamav/untar.c
++++ b/libclamav/untar.c
+@@ -43,7 +43,9 @@
+ #include "scanners.h"
+ #include "matcher.h"
+
+-#define BLOCKSIZE 512
++#define TARHEADERSIZE 512
++/* BLOCKSIZE must be >= TARHEADERSIZE */
++#define BLOCKSIZE TARHEADERSIZE
+ #define TARSIZEOFFSET 124
+ #define TARSIZELEN 12
+ #define TARCHECKSUMOFFSET 148
+@@ -182,8 +184,9 @@ cli_untar(const char *dir, unsigned int posix, cli_ctx *ctx)
+ if((ret=cli_checklimits("cli_untar", ctx, 0, 0, 0))!=CL_CLEAN)
+ return ret;
+
+- if (nread < TARCHECKSUMOFFSET + TARCHECKSUMLEN)
+- return ret;
++ if (nread < TARHEADERSIZE) {
++ return CL_CLEAN;
++ }
+
+ checksum = getchecksum(block);
+ cli_dbgmsg("cli_untar: Candidate checksum = %d, [%o in octal]\n", checksum, checksum);
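Review bot: The short-read path that returns CL_CLEAN when nread is below TARHEADERSIZE exits without any message, unlike the checksum handling right after it, which logs through cli_dbgmsg. A debug line stating the number of bytes read would make a truncated header distinguishable from a normal end of archive when reading scan logs.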
+@@ -200,7 +203,6 @@ cli_untar(const char *dir, unsigned int posix, cli_ctx *ctx)
+ cli_dbgmsg("cli_untar: Checksum %d is valid.\n", checksum);
+ }
+
+- /* Notice assumption that BLOCKSIZE > 262 */
+ if(posix) {
+ strncpy(magic, block+257, 5);
+ magic[5] = '\0';
diff -Nru clamav-0.99.2+dfsg/debian/patches/Fix_detection_of_libcurl.patch clamav-0.99.2+dfsg/debian/patches/Fix_detection_of_libcurl.patch
--- clamav-0.99.2+dfsg/debian/patches/Fix_detection_of_libcurl.patch 2017-01-30 21:41:46.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/patches/Fix_detection_of_libcurl.patch 2018-01-27 00:30:30.000000000 +0100
@@ -8,7 +8,6 @@
-dev package as the headers.
Bug-Debian: https://bugs.debian.org/852894
-Bug-Upstream: https://bugzilla.clamav.net/show_bug.cgi?id=11739
Patch-Name: Fix_detection_of_libcurl.patch
---
m4/reorganization/libs/curl.m4 | 2 +-
diff -Nru clamav-0.99.2+dfsg/debian/patches/series clamav-0.99.2+dfsg/debian/patches/series
--- clamav-0.99.2+dfsg/debian/patches/series 2017-01-30 21:27:33.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/patches/series 2018-01-27 00:30:30.000000000 +0100
@@ -12,3 +12,18 @@
Add-support-for-LLVM-3.9.patch
bb11549-fix-temp-file-cleanup-issue.patch
Fix_detection_of_libcurl.patch
+bb11797-fix-invalid-read-in-fuzzed-mail-file.patch
+bb19798-fix-out-of-bound-memory-access-for-crafted-w.patch
+b11939-adding-fix-as-recommended-by-bug-reporter-alo.patch
+bb11940-fixing-heap-overflow-in-rfc2037.-Patch-submi.patch
+bb11941-fixing-UAF-in-mbox-exportBounceMessage.-Orig.patch
+bb11943-add-check-to-mew.c-for-out-of-bounds-read.-P.patch
+bb11943-buffer-check-for-mew-packed-files.patch
+bb11944-fix-possible-message.c-OOB-read.patch
+bb11945-fixing-null-dereference-of-blob-pointer.patch
+bb11946-check-that-tar-checksum-is-within-bounds.-Pa.patch
+Better-fix-for-bug-11946.patch
+bb111711-fix-zlib-version-check-patch-by-Daniel-J.-L.patch
+bb11798-fix-unit-tests.patch
+Updating-version-numbers-and-adding-information-abou.patch
+setting-version-for-security-release-to-0.99.3.patch
diff -Nru clamav-0.99.2+dfsg/debian/patches/setting-version-for-security-release-to-0.99.3.patch clamav-0.99.2+dfsg/debian/patches/setting-version-for-security-release-to-0.99.3.patch
--- clamav-0.99.2+dfsg/debian/patches/setting-version-for-security-release-to-0.99.3.patch 1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/patches/setting-version-for-security-release-to-0.99.3.patch 2018-01-27 00:30:30.000000000 +0100
@@ -0,0 +1,111 @@
+From 6d775ed287a80b1a7e26cff79a2519982267c66f Mon Sep 17 00:00:00 2001
+From: Micah Snyder <micasnyd@cisco.com>
+Date: Mon, 22 Jan 2018 20:25:02 -0500
+Subject: setting version for security release to 0.99.3
+
+Patch-Name: setting-version-for-security-release-to-0.99.3.patch
+---
+ ChangeLog | 4 ++--
+ README | 4 ++--
+ configure.ac | 2 +-
+ docs/clamdoc.tex | 3 ++-
+ libclamav/others.h | 4 ++--
+ m4/reorganization/version.m4 | 2 +-
+ 6 files changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 6fa1619..1a70aae 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,6 +1,6 @@
+-Mon, 18 Jan 2018 12:45:00 -0500 (Steven Morgan)
++Mon, 22 Jan 2018 19:33:00 -0500 (Micah Snyder)
+ ------------------------------------------
+- * ClamAV 0.99.2.1 security patch release.
++ * ClamAV 0.99.3 security patch release.
+
+ Thu, 22 Apr 2016 12:45:00 -0500 (Steven Morgan)
+ ------------------------------------------
+diff --git a/README b/README
+index 059ea90..3fc3284 100644
+--- a/README
++++ b/README
+@@ -2,10 +2,10 @@ Note: This README/NEWS file refers to the source tarball. Some things described
+ here may not be available in binary packages.
+ --
+
+-0.99.2.1
++0.99.3
+ ------
+
+-ClamAV 0.99.2.1 is a hotfix release to patch a set of vulnerabilities.
++ClamAV 0.99.3 is a hotfix release to patch a set of vulnerabilities.
+
+ - fixes for the following CVE's: CVE-2017-6418, CVE-2017-6420,
+ CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377,
+diff --git a/configure.ac b/configure.ac
+index 7eb8c05..7f338f8 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -20,7 +20,7 @@ dnl MA 02110-1301, USA.
+ AC_PREREQ([2.59])
+ dnl For a release change [devel] to the real version [0.xy]
+ dnl also change VERSION below
+-AC_INIT([ClamAV], [0.99.2.1], [http://bugs.clamav.net/], [clamav], [http://www.clamav.net/])
++AC_INIT([ClamAV], [0.99.3], [http://bugs.clamav.net/], [clamav], [http://www.clamav.net/])
+
+ AH_BOTTOM([#include "platform.h"])
+ dnl put configure auxiliary into config
+diff --git a/docs/clamdoc.tex b/docs/clamdoc.tex
+index cb996af..82b4b88 100644
+--- a/docs/clamdoc.tex
++++ b/docs/clamdoc.tex
+@@ -72,7 +72,7 @@
+ \vspace{3cm}
+ \begin{flushright}
+ \rule[-1ex]{8cm}{3pt}\\
+- \huge Clam AntiVirus 0.99.2.1\\
++ \huge Clam AntiVirus 0.99.3\\
+ \huge \emph{User Manual}\\
+ \end{flushright}
+
+@@ -85,6 +85,7 @@
+ \begin{boxedminipage}[b]{\textwidth}
+ ClamAV User Manual,
+ 87d
++88d
+ \copyright \ 2016 Cisco Systems, Inc.
+ Authors: Tomasz Kojm\\
+ This document is distributed under the terms of the GNU General
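Review bot: The added line `88d`, next to the existing `87d`, looks like an ed-style diff command that ended up in the document text rather than intended manual content; both sit between "ClamAV User Manual," and the copyright line inside the boxedminipage. If they are stray, it is worth flagging upstream so the rendered manual does not carry them.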
+diff --git a/libclamav/others.h b/libclamav/others.h
+index e91e293..df2923b 100644
+--- a/libclamav/others.h
++++ b/libclamav/others.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2015 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
++ * Copyright (C) 2015, 2018 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+ * Copyright (C) 2007-2013 Sourcefire, Inc.
+ *
+ * Authors: Tomasz Kojm
+@@ -72,7 +72,7 @@
+ * in re-enabling affected modules.
+ */
+
+-#define CL_FLEVEL 82
++#define CL_FLEVEL 84
+ #define CL_FLEVEL_DCONF CL_FLEVEL
+ #define CL_FLEVEL_SIGTOOL CL_FLEVEL
+
+diff --git a/m4/reorganization/version.m4 b/m4/reorganization/version.m4
+index e3c3dfc..6e8d538 100644
+--- a/m4/reorganization/version.m4
++++ b/m4/reorganization/version.m4
+@@ -1,6 +1,6 @@
+ dnl change this on a release
+ dnl VERSION="devel-`date +%Y%m%d`"
+-VERSION="0.99.2.1"
++VERSION="0.99.3"
+
+ LC_CURRENT=8
+ LC_REVISION=1
diff -Nru clamav-0.99.2+dfsg/debian/patches/Updating-version-numbers-and-adding-information-abou.patch clamav-0.99.2+dfsg/debian/patches/Updating-version-numbers-and-adding-information-abou.patch
--- clamav-0.99.2+dfsg/debian/patches/Updating-version-numbers-and-adding-information-abou.patch 1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/patches/Updating-version-numbers-and-adding-information-abou.patch 2018-01-27 00:30:30.000000000 +0100
@@ -0,0 +1,133 @@
+From 56424bbb9cc0d331c94da6579f3354ce4fd25b61 Mon Sep 17 00:00:00 2001
+From: Micah Snyder <micasnyd@cisco.com>
+Date: Thu, 18 Jan 2018 11:27:39 -0500
+Subject: Updating version numbers and adding information about the security
+ patch release to the readme.
+
+Patch-Name: Updating-version-numbers-and-adding-information-abou.patch
+---
+ ChangeLog | 4 ++++
+ README | 25 ++++++++++++++++++++++++-
+ configure.ac | 2 +-
+ docs/clamdoc.tex | 7 ++++---
+ m4/reorganization/version.m4 | 2 +-
+ 5 files changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 337d953..6fa1619 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,7 @@
++Mon, 18 Jan 2018 12:45:00 -0500 (Steven Morgan)
++------------------------------------------
++ * ClamAV 0.99.2.1 security patch release.
++
+ Thu, 22 Apr 2016 12:45:00 -0500 (Steven Morgan)
+ ------------------------------------------
+ * ClamAV 0.99.2 release.
+diff --git a/README b/README
+index 0059252..059ea90 100644
+--- a/README
++++ b/README
+@@ -2,6 +2,29 @@ Note: This README/NEWS file refers to the source tarball. Some things described
+ here may not be available in binary packages.
+ --
+
++0.99.2.1
++------
++
++ClamAV 0.99.2.1 is a hotfix release to patch a set of vulnerabilities.
++
++ - fixes for the following CVE's: CVE-2017-6418, CVE-2017-6420,
++ CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377,
++ CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
++ - also included are 2 minor fixes to properly detect openssl install
++ locations on FreeBSD 11, and prevent false warnings about zlib 1.2.1#
++ version numbers.
++
++Thank you to the following ClamAV community members for your code
++submissions and bug reports!
++
++Alberto Garcia
++Daniel J. Luke
++Francisco Oca
++Sebastian A. Siewior
++Suleman Ali
++
++Special thanks to Offensive Research at Salesforce.com for responsible disclosure.
++
+ 0.99.2
+ ------
+
+@@ -2052,7 +2075,7 @@ document and contact our administrator - Luca Gibelli <nervous*clamav.net>.
+ -) documentation:
+ + new Spanish documentation on ClamAV and Sendmail integration by
+ Erick Ivaan Lopez Carreon
+- + included clamdoc.pdf Turkish translation by yavuz kaya and �rahim erken
++ + included clamdoc.pdf Turkish translation by yavuz kaya and �brahim erken
+ + included clamav-mirror-howto.pdf by Luca Gibelli
+ + included clamd+daemontools HOWTO by Jesse D. Guardiani
+ + included signatures.pdf
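Review bot: The translator's name on the changed README line contains a replacement character on both the removed and the added side, so the non-ASCII bytes were damaged somewhere between upstream and this debdiff. Check that the patch file in debian/patches carries the original bytes and applies cleanly, since a mismatch on the `-` line would make this hunk fail.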
+diff --git a/configure.ac b/configure.ac
+index 289a0b9..7eb8c05 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -20,7 +20,7 @@ dnl MA 02110-1301, USA.
+ AC_PREREQ([2.59])
+ dnl For a release change [devel] to the real version [0.xy]
+ dnl also change VERSION below
+-AC_INIT([ClamAV], [0.99.2], [http://bugs.clamav.net/], [clamav], [http://www.clamav.net/])
++AC_INIT([ClamAV], [0.99.2.1], [http://bugs.clamav.net/], [clamav], [http://www.clamav.net/])
+
+ AH_BOTTOM([#include "platform.h"])
+ dnl put configure auxiliary into config
+diff --git a/docs/clamdoc.tex b/docs/clamdoc.tex
+index 206a1b2..cb996af 100644
+--- a/docs/clamdoc.tex
++++ b/docs/clamdoc.tex
+@@ -1,6 +1,6 @@
+ % Clam AntiVirus: User Manual
+ %
+-% Copyright (C) 2016 Cisco Systems, Inc.
++% Copyright (C) 2016-2018 Cisco Systems, Inc.
+ % Copyright (C) 2008-2013 Sourcefire, Inc.
+ % Copyright (C) 2002 - 2007 Tomasz Kojm <tkojm*clamav.net>
+ % Version 0.2x corrected by Dennis Leeuw <dleeuw*made-it.com>
+@@ -72,7 +72,7 @@
+ \vspace{3cm}
+ \begin{flushright}
+ \rule[-1ex]{8cm}{3pt}\\
+- \huge Clam AntiVirus 0.99.2\\
++ \huge Clam AntiVirus 0.99.2.1\\
+ \huge \emph{User Manual}\\
+ \end{flushright}
+
+@@ -84,6 +84,7 @@
+ \noindent
+ \begin{boxedminipage}[b]{\textwidth}
+ ClamAV User Manual,
++87d
+ \copyright \ 2016 Cisco Systems, Inc.
+ Authors: Tomasz Kojm\\
+ This document is distributed under the terms of the GNU General
+@@ -1740,7 +1741,7 @@ Verification OK.
+ \item Stefano Rizzetto
+ \item Roaring Penguin Software Inc. (\url{http://www.roaringpenguin.com/})
+ \item Luke Rosenthal
+- \item Jenny S�tr�\url{http://PokerListings.com})
++ \item Jenny S�fstr�m (\url{http://PokerListings.com})
+ \item School of Engineering, University of Pennsylvania (\url{http://www.seas.upenn.edu/})
+ \item Tim Scoff
+ \item Seattle Server (\url{http://www.seattleserver.com/})
+diff --git a/m4/reorganization/version.m4 b/m4/reorganization/version.m4
+index 4935b45..e3c3dfc 100644
+--- a/m4/reorganization/version.m4
++++ b/m4/reorganization/version.m4
+@@ -1,6 +1,6 @@
+ dnl change this on a release
+ dnl VERSION="devel-`date +%Y%m%d`"
+-VERSION="0.99.2"
++VERSION="0.99.2.1"
+
+ LC_CURRENT=8
+ LC_REVISION=1
diff -Nru clamav-0.99.2+dfsg/debian/rules clamav-0.99.2+dfsg/debian/rules
--- clamav-0.99.2+dfsg/debian/rules 2017-01-30 21:27:31.000000000 +0100
+++ clamav-0.99.2+dfsg/debian/rules 2018-01-27 00:33:28.000000000 +0100
@@ -96,7 +96,7 @@
fi;\
done; \
# Check if for library features whih may get upgrade.
- if ! grep -q "CL_FLEVEL 82" libclamav/others.h ; then \
+ if ! grep -q "CL_FLEVEL 84" libclamav/others.h ; then \
echo "cl_retflevel needs boosting in symbol file"; \
touch debian/exit; \
fi;