Hi all,

The latest version of ClamAV (0.95.1) fixes several security issues, one of which also affects the versions in etch, lenny, and etch-volatile. All the others only affect the version currently in unstable, which we are updating anyway. The remaining issue is briefly described at https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1552; it appears to be a possible denial of service (a crash on a malformed UPack-packed file). I don't think there is a CVE (or a CVE request) for it yet. The patches for oldstable-security, stable-security, and etch-volatile are attached. Please let us know whether we should upload now or wait for a CVE id instead.

Thanks,
Michael
commit d14eaf7be8e8e1087ea5dddac2db2e6dddd07dea
Author: Michael Tautschnig <mt@debian.org>
Date:   Sun Apr 12 08:09:44 2009 +0200

    Backported fix for #1552

    Signed-off-by: Michael Tautschnig <mt@debian.org>

diff --git a/debian/changelog b/debian/changelog
index 196b5d9..dc1f27a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+clamav (0.90.1dfsg-4etch19) oldstable-security; urgency=low
+
+  * Backported hardening of CLI_ISCONTAINED macros (fixes UPack crash with
+    malformed file, #1552)
+
+ -- Stephen Gran <sgran@debian.org>  Sun, 12 Apr 2009 08:09:20 +0200
+
 clamav (0.90.1dfsg-4etch18) oldstable-security; urgency=low
 
   * [CVE-2008-6680] Fixed division by zero with --detect-broken.
diff --git a/debian/patches/00list b/debian/patches/00list
index 807c9db..349b038 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -27,3 +27,4 @@
 49.special.c.dpatch
 50.pe.c.CVE-2008-6680.dpatch
 51.untar.c.CVE-2009-1270.dpatch
+52.others.h.CVE-XXXX-XXXX.dpatch
diff --git a/debian/patches/52.others.h.CVE-XXXX-XXXX.dpatch b/debian/patches/52.others.h.CVE-XXXX-XXXX.dpatch
new file mode 100644
index 0000000..18eb56b
--- /dev/null
+++ b/debian/patches/52.others.h.CVE-XXXX-XXXX.dpatch
@@ -0,0 +1,28 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 52.others.h.CVE-XXXX-XXXX.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: UPack crash with malformed file
+
+@DPATCH@
+diff --git a/libclamav/others.h b/libclamav/others.h
+index a01a414..7e636a7 100644
+--- a/libclamav/others.h
++++ b/libclamav/others.h
+@@ -41,12 +41,12 @@ extern uint8_t cli_debug_flag;
+  * The macro can be used to protect against wraps.
+  */
+ #define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \
+-    (bb_size > 0 && sb_size > 0 && sb_size <= bb_size \
+-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
++    ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
++     && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
+ 
+ #define CLI_ISCONTAINED2(bb, bb_size, sb, sb_size) \
+-    (bb_size > 0 && sb_size >= 0 && sb_size <= bb_size \
+-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size >= bb)
++    ((bb_size) > 0 && (sb_size) >= 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
++     && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) >= (bb) && (sb) < ((bb) + (bb_size)))
+ 
+ #define CLI_MAX_ALLOCATION 184549376
+ 
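Review bot: The hardened macros expand each argument several times (`sb` now appears four times in the new CLI_ISCONTAINED body), so a caller that passes an expression with side effects or a non-trivial call gets it evaluated repeatedly, and nothing in the header says so; I would add `/* Arguments are expanded several times: pass only side-effect-free expressions. */` above the first #define. The dpatch description should also name the bug it backports, since the file name only carries a CVE-XXXX-XXXX placeholder: `## DP: Harden CLI_ISCONTAINED* against malformed input (ClamAV bug #1552, UPack crash)`. Both macro definitions are complete within this hunk.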
commit 928357f2f9b38addeec13c175311bc65de8e1421
Author: Michael Tautschnig <mt@debian.org>
Date:   Sun Apr 12 08:00:28 2009 +0200

    Backported fix for #1552

    Signed-off-by: Michael Tautschnig <mt@debian.org>

diff --git a/configure b/configure
index 5c32986..429e97e 100755
--- a/configure
+++ b/configure
@@ -12427,8 +12427,8 @@ static struct v{
 extern void abort(void);
 #define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \
-    (bb_size > 0 && sb_size > 0 && sb_size <= bb_size \
-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+    ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+     && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
 int crashtest() {
diff --git a/configure.in b/configure.in
index 4a27763..5af6f30 100644
--- a/configure.in
+++ b/configure.in
@@ -185,8 +185,8 @@ static struct v{
 extern void abort(void);
 #define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \
-    (bb_size > 0 && sb_size > 0 && sb_size <= bb_size \
-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+    ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+     && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
 int crashtest() {
diff --git a/debian/changelog b/debian/changelog
index 50974c0..dc69b03 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+clamav (0.94.dfsg.2-1~volatile3) etch-volatile; urgency=low
+
+  * Backported hardening of CLI_ISCONTAINED macros (fixes UPack crash with
+    malformed file, #1552)
+
+ -- Michael Tautschnig <mt@debian.org>  Sun, 12 Apr 2009 07:59:09 +0200
+
 clamav (0.94.dfsg.2-1~volatile2) etch-volatile; urgency=low
 
   [ Scott Kittermann ]
diff --git a/libclamav/others.h b/libclamav/others.h
index c862e22..29305de 100644
--- a/libclamav/others.h
+++ b/libclamav/others.h
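Review bot: The configure.in probe now uses `size_t` in its copy of CLI_ISCONTAINED, but the only declaration visible in the probe's preamble is `extern void abort(void);`, which suggests the test program deliberately avoids system headers; if nothing outside this hunk includes `<stddef.h>`, the probe stops compiling and the crashtest check reports the wrong outcome on every platform instead of detecting a miscompiling compiler. Please confirm the preamble has the include, or add `#include <stddef.h>` next to the extern in configure.in (and in the generated configure copy, which carries the same edit). The body of `crashtest()` starts on the hunk's last line and continues outside it.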
@@ -56,12 +56,12 @@ extern uint8_t cli_debug_flag, cli_leavetemps_flag;
  * The macro can be used to protect against wraps.
  */
 #define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \
-    (bb_size > 0 && sb_size > 0 && sb_size <= bb_size \
-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+    ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+     && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
 
 #define CLI_ISCONTAINED2(bb, bb_size, sb, sb_size) \
-    (bb_size > 0 && sb_size >= 0 && sb_size <= bb_size \
-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size >= bb)
+    ((bb_size) > 0 && (sb_size) >= 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+     && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) >= (bb) && (sb) < ((bb) + (bb_size)))
 
 #define CLI_MAX_ALLOCATION 184549376
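Review bot: The new clause `(sb) < ((bb) + (bb_size))` and the kept `((sb) + (sb_size)) > (bb)` still depend on pointer arithmetic wrapping, but forming `sb + sb_size` past the end of the underlying object is undefined behaviour, so an optimising compiler may treat `(sb) + (sb_size) > (bb)` as implied by `(sb) >= (bb)` and drop the very wrap guard the comment above the macro promises; the configure crashtest only catches compilers that visibly miscompile it today. Doing the comparisons on unsigned integers makes the wrap defined and the guard reliable, assuming `uintptr_t` is available wherever this header already gets `uint8_t` (if not, `unsigned long` on the platforms Debian builds for). CLI_ISCONTAINED2 would get the same rewrite with `(sb_size) >= 0` and `>= (uintptr_t)(bb)`.

```c
#define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \
    ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
     && (uintptr_t)(sb) >= (uintptr_t)(bb) \
     && (uintptr_t)(sb) < (uintptr_t)(bb) + (size_t)(bb_size) \
     && (uintptr_t)(sb) + (size_t)(sb_size) <= (uintptr_t)(bb) + (size_t)(bb_size) \
     && (uintptr_t)(sb) + (size_t)(sb_size) > (uintptr_t)(bb))
/* … CLI_ISCONTAINED2: same shape with (sb_size) >= 0 and >= (uintptr_t)(bb) … */
```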
commit 35e8736d73465a659025933726b330ffd62b273d
Author: Michael Tautschnig <mt@debian.org>
Date:   Sun Apr 12 08:00:28 2009 +0200

    Backported fix for #1552

    Signed-off-by: Michael Tautschnig <mt@debian.org>

diff --git a/configure b/configure
index 5c32986..429e97e 100755
--- a/configure
+++ b/configure
@@ -12427,8 +12427,8 @@ static struct v{
 extern void abort(void);
 #define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \
-    (bb_size > 0 && sb_size > 0 && sb_size <= bb_size \
-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+    ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+     && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
 int crashtest() {
diff --git a/configure.in b/configure.in
index 4a27763..5af6f30 100644
--- a/configure.in
+++ b/configure.in
@@ -185,8 +185,8 @@ static struct v{
 extern void abort(void);
 #define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \
-    (bb_size > 0 && sb_size > 0 && sb_size <= bb_size \
-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+    ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+     && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
 int crashtest() {
diff --git a/debian/changelog b/debian/changelog
index 6a59e74..b647554 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+clamav (0.94.dfsg.2-1lenny2) unstable; urgency=low
+
+  * Backported hardening of CLI_ISCONTAINED macros (fixes UPack crash with
+    malformed file, #1552)
+
+ -- Michael Tautschnig <mt@debian.org>  Sun, 12 Apr 2009 07:59:09 +0200
+
 clamav (0.94.dfsg.2-1lenny1) unstable; urgency=low
 
   [ Scott Kittermann ]
diff --git a/libclamav/others.h b/libclamav/others.h
index c862e22..29305de 100644
--- a/libclamav/others.h
+++ b/libclamav/others.h
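Review bot: The CLI_ISCONTAINED in the configure.in probe is a hand-maintained copy of the definition in libclamav/others.h, and this backport edits both in lockstep with nothing tying them together, so a later change that touches only the header leaves the crashtest probe validating an expression libclamav no longer uses. I would add `/* keep in sync with CLI_ISCONTAINED in libclamav/others.h */` above the #define in configure.in, and note that CLI_ISCONTAINED2, which changed in the same way, is not exercised by the probe at all. `crashtest()` begins on the hunk's last line and its body lies outside the hunk; the configure hunk is the generated copy of the same edit.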
@@ -56,12 +56,12 @@ extern uint8_t cli_debug_flag, cli_leavetemps_flag;
  * The macro can be used to protect against wraps.
  */
 #define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \
-    (bb_size > 0 && sb_size > 0 && sb_size <= bb_size \
-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+    ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+     && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
 
 #define CLI_ISCONTAINED2(bb, bb_size, sb, sb_size) \
-    (bb_size > 0 && sb_size >= 0 && sb_size <= bb_size \
-     && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size >= bb)
+    ((bb_size) > 0 && (sb_size) >= 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+     && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) >= (bb) && (sb) < ((bb) + (bb_size)))
 
 #define CLI_MAX_ALLOCATION 184549376
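Review bot: The added `(size_t)(sb_size)` cast silently truncates a size wider than `size_t`, so on a 32-bit build a caller passing a 64-bit length (an `off_t` or `uint64_t` field read from the file, say) of 2^32 + 16 would be compared as 16 and pass `<= (size_t)(bb_size)`, while `(sb) + (sb_size)` in the same expression also wraps to `sb + 16`; whether any caller passes such a type is not visible from this hunk. If it cannot be ruled out, reject sizes that do not survive the cast before they are used, `&& (size_t)(sb_size) == (sb_size)` placed right after `(sb_size) > 0`, and the same for `bb_size`. The same remark applies to CLI_ISCONTAINED2 below it.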