oss-sec mailing list archives
CVE-2015-1463: clamav: special crafted petite can lead to a crash
From: Sebastian Andrzej Siewior <cve-announce () ml breakpoint cc>
Date: Tue, 17 Feb 2015 21:52:37 +0100
I haven't requested this CVE but it looks to what I / AFL have discovered. petite [0] is too for compressing .exe (.dll and such) files under windows. clamav [1] is a virus scanning tool which is able to unpack such files during scanning. A handcrafted file could lead the de-compressor to access beyond bounds leading to crash because the compiler might have removed the boundary check. The boundary remains there up to the gcc 4.7 series. Starting with gcc 4.8 the compiler removes the check because it assumes that a signed overflow can not become negative. According to the gcc folks this assumption is within the C specification. As a fix [2] one of the variables becomes unsigned and is part of the current (0.96.6) release. This bug has been discovered by AFL [3], american fuzzy lop. [0] http://www.un4seen.com/petite/ [1] http://www.clamav.net/ [2] https://github.com/vrtadmin/clamav-devel/commit/96ff19a19eba64bdf47f2f12ecdbc5ee331c09e2 [3] http://lcamtuf.coredump.cx/afl/ Sebastian
Current thread:
- CVE-2015-1463: clamav: special crafted petite can lead to a crash Sebastian Andrzej Siewior (Feb 17)