oss-sec mailing list archives
Re: Multiple potential security issues fixed in ClamAV 0.97.8 - any further details?
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 24 Apr 2013 18:58:43 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/24/2013 07:49 AM, Henri Salo wrote:
> On Wed, Apr 24, 2013 at 07:59:04AM -0400, Jan Lieskovsky wrote:
>> Hello Felix,
>>
>> this is due to the ClamAV 0.97.8 release:
>> [1] http://blog.clamav.net/2013/04/clamav-0978-has-been-released.html
>> [2] https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog
>> [3] https://bugzilla.redhat.com/show_bug.cgi?id=956176
>> [4] https://bugzilla.novell.com/show_bug.cgi?id=816865
>>
>> Could you clarify how many and what kind of possible security issues
>> have been corrected within this release? (so we would know how many
>> CVE identifiers should be allocated to these)
>>
>> Thank you && Regards, Jan.
>> --
>> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> Information from Joel Esler. No CVEs assigned yet.
Well since no-one seems to be willing to answer/help on this =(
commit 270e368b99e93aa5447d46c797c92c3f9f39f375
libclamav/pe.c - - if(upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >= 0) - - upx_success = 1; - - - - } else { + } + else if(skew > ssize) { + /* Ignore suggested skew larger than section size */ + cli_dbgmsg("UPX: Ignoring bad skew of %d bytes\n", skew); + skew = 0; + } + else { cli_dbgmsg("UPX: UPX1 seems skewed by %d bytes\n", skew); - - if(upxfn(src + skew, ssize - skew, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep-skew) >= 0 || upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, v - - upx_success = 1; + } + + if(upxfn(src + skew, ssize - skew, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep-skew) >= 0 || upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) + upx_success = 1; + } + else if(skew && (upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >= 0)) { + upx_success = 1; Seems like a pretty classic buffer overflow.
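Review bot: the new guard `else if(skew > ssize)` still lets `skew == ssize` through to `upxfn(src + skew, ssize - skew, ...)`, where the source length becomes 0 and `src + skew` points one past the end of the section; unless `upxfn` is known to reject a zero-length input, the comparison should be `skew >= ssize`. Separately, the restructured retry calls the unskewed `upxfn(src, ssize, ...)` twice on failure: once as the `||` fallback inside the first `if`, and again in `else if(skew && (upxfn(src, ssize, ...) >= 0))`, a branch that can only be reached after that same fallback has already failed with identical arguments, so one of the two should be dropped. The first `if` line is cut off in this copy of the patch, so check the second point against the full commit.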
commit 24ff855c82d3f5c62bc5788a5776cefbffce2971
libclamav/pdf.c @@ -1262,7 +1269,7 @@ static void check_user_password(struct pdf_struct *pdf, int R, const char *O, - - } else { + } else if ((R >= 2) && (R <= 4)) { + if (length > 128) + length = 128; if (R >= 3) { - - if (length > 128) - - length = 128; + else { + /* Supported R is in {2,3,4,5} */ + cli_dbgmsg("cli_pdf: R value out of range\n"); + return; + } + if ((R > 5) || (R < 2)) { + cli_dbgmsg("cli_pdf: R value outside supported range [2..5]\n"); + break; + } Seems like a pretty classic logic error.
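Review bot: moving the `if (length > 128) length = 128;` clamp from under `if (R >= 3)` into the new `else if ((R >= 2) && (R <= 4))` branch removes the clamp for R == 5, a value the comment `/* Supported R is in {2,3,4,5} */` and the new range check `(R > 5) || (R < 2)` still admit; if the R == 5 path uses `length` as a copy or loop bound it needs its own limit, or the clamp should stay outside the branch. The out-of-range check also now appears twice, as a `return` inside check_user_password and as a `break` in what looks like a caller loop; either alone stops the bad value, so keep the caller-side check as the authoritative one or document the in-function check as the defensive copy. The hunk as reproduced here shows the removed clamp lines directly after `if (R >= 3) {`, so the brace structure should be verified against the full commit as well.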
commit c6870a6c857dd722dffaf6d37ae52ec259d12492
libclamav/sis.c @@ -193,7 +193,7 @@ static char *getsistring(FILE *f, uint32_t ptr, uint32_t len) { - - name = cli_malloc(len); + name = cli_malloc(len+1); Seems like a classic off by one.
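Review bot: `cli_malloc(len+1)` supplies the missing byte for a terminator, but `len` is a `uint32_t` (see the `getsistring(FILE *f, uint32_t ptr, uint32_t len)` signature) presumably taken from the SIS file being scanned, so a value of 0xFFFFFFFF makes `len+1` wrap to 0 and the subsequent copy of `len` bytes lands in a zero-size buffer; reject `len` above a sane maximum (or at minimum `len == UINT32_MAX`) before allocating. The hunk also does not show the `name[len] = '\0'` store that the extra byte exists for, so confirm the terminator is actually written after the read.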
commit 3cbd8b5668bd0f262a8c00b1fd57eb03c117b00a
libclamav/pe_icons.c
libclamav/pe_icons.c: introduce LOGPARSEICONDETAILS define to reduce parseicon logging in default build

How is this security related?
> ---
> Henri Salo
Are there maybe some more commits covering these (the last one has me stumped).

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJReH/DAAoJEBYNRVNeJnmT5kgQALUa7Oe+T0PYxIWcM+ICRaZ8
7d196rwux93+YBd/wwxdjkW3Ad6mMl4cGg6Rfr1QX2MQhKMDySmNA0ETYr8kpC/t
xk+yTRaRo5iQjVUtHekbeviYRSw+jpKj1oXvlvWJWmEESyb44WH4JSG29svF0iuo
41J/2efMah67L2F3tnmzKGqymFlry6XOGriPwZVb7Sr/mfXlQOTbvmPZudXS7Dfj
s2R5SK1rZmpbseKdLVsBZH3ZfIXnxKvXZuLAM4caZqs7dAeortjdXD8npSjH4nQC
aAqaPfiOp1KxYz4jX31WW3BqTukfOXw1KCa4h5ITm5YuRKwIIf524Lr+R8KskqVY
cA7igoqieGfx/gaugc7cH90MdQ196ADc+IZIR1+h9g2XgSVgHEwnCBfFmzRpemJA
EHylIZGDkxghBgLwkGpga7IqQKcvECuzeVAwtyrgAxxkNYaoIjezIolTcOlDt3+m
Jk45snLVdqyeof1OU/O0lhIblEE/NmeYHez8tIUgn+XN79vJL7mEK4u37bWVLLSu
wcPKss2yhNuI/Wqr3yCkSxeFG7kdCxWiBWCuQtNFCsec/YGPqLm+Rxni/MjhRHSW
25o6aqShJCEcp+jwiY5JrT15+FA1j8DRNSRR47uehlhu5wFtYdxAQxPcSAkvHvuN
s0e1io+rmH3BHyxbTq61
=Vjcd
-----END PGP SIGNATURE-----
Current thread:
- Multiple potential security issues fixed in ClamAV 0.97.8 - any further details? Jan Lieskovsky (Apr 24)
- Re: Multiple potential security issues fixed in ClamAV 0.97.8 - any further details? Henri Salo (Apr 24)
- Re: Multiple potential security issues fixed in ClamAV 0.97.8 - any further details? Kurt Seifried (Apr 24)
- Re: Multiple potential security issues fixed in ClamAV 0.97.8 - any further details? Felix Gröbert (Apr 27)
- Re: Multiple potential security issues fixed in ClamAV 0.97.8 - any further details? Kurt Seifried (Apr 29)
- Re: Multiple potential security issues fixed in ClamAV 0.97.8 - any further details? Salvatore Bonaccorso (Apr 29)
- Re: Multiple potential security issues fixed in ClamAV 0.97.8 - any further details? Kurt Seifried (Apr 29)
- Re: Multiple potential security issues fixed in ClamAV 0.97.8 - any further details? Kurt Seifried (Apr 24)
- Re: Multiple potential security issues fixed in ClamAV 0.97.8 - any further details? Henri Salo (Apr 24)