oss-sec mailing list archives
CVE request - clamav - crashes on crafted upack packed file
From: Sebastian Andrzej Siewior <cve-announce () ml breakpoint cc>
Date: Sun, 3 May 2015 18:24:34 +0200
WinUPack / UPack [0] is a tool for compressing PE files. Clamav [1] is a
virus scanning tool which is able to unpack such files during scanning.
There are two issues:

- There is a wrongly implemented range check. The size (of the memory) has
  been fed as (j * 4) into the macro. With this written as-is the compiler
  treats it as a "32 bit" operation and feeds the result into the macro.
  That means the "64 bit" cast (to catch 32bit overflows) can not be
  performed anymore. The result is a segfault.
  This has been fixed [2].

- A missing range check while invoking cli_rebuildpe(). A crafted file may
  lead to reading more data from the file than memory has been allocated
  leading to a crash.
  This has been fixed [3].

The two fixes are part of the 0.98.7 release.
Both bugs have been discovered by AFL [4], american fuzzy lop.

[0] http://www.woodmann.com/collaborative/tools/index.php/WinUPack_3.99_and_UPack_3.999
[1] http://www.clamav.net/
[2] https://github.com/vrtadmin/clamav-devel/commit/a18af359decd270f5088e80e2ee2866c62e0843e
[3] https://github.com/vrtadmin/clamav-devel/commit/ed56f56c1f1529bda877ddd116ae7bc064667c73
[4] http://lcamtuf.coredump.cx/afl/

Sebastian
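The first issue in the message above, as an added example that is not part of the original post and is not ClamAV's code: a containment macro widens its arguments to 64 bits, but a size passed as `j * 4` has already wrapped in 32-bit arithmetic before the macro sees it. The macro `IS_CONTAINED`, both functions and all values are hypothetical and constructed for illustration; the example assumes a 32-bit `unsigned int`.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a range-check macro: is [sb, sb+sb_size)
 * inside [bb, bb+bb_size)? Every operand is widened to 64 bits so the
 * additions inside the macro cannot wrap. */
#define IS_CONTAINED(bb, bb_size, sb, sb_size)                       \
    ((uint64_t)(sb_size) <= (uint64_t)(bb_size) &&                   \
     (uint64_t)(sb) >= (uint64_t)(bb) &&                             \
     (uint64_t)(sb) + (uint64_t)(sb_size) <=                         \
         (uint64_t)(bb) + (uint64_t)(bb_size))

/* Flawed call site: j * 4 is evaluated as uint32_t and wraps first.
 * The macro's 64-bit cast then widens the already-truncated value. */
int check_flawed(uint32_t buf, uint32_t buf_size, uint32_t off, uint32_t j)
{
    return IS_CONTAINED(buf, buf_size, off, j * 4);
}

/* One way to correct it: widen j before multiplying, so the macro
 * receives the true 64-bit byte count. */
int check_fixed(uint32_t buf, uint32_t buf_size, uint32_t off, uint32_t j)
{
    return IS_CONTAINED(buf, buf_size, off, (uint64_t)j * 4);
}

int main(void)
{
    /* Constructed input: 0x40000004 * 4 = 0x100000010, which truncates
     * to 0x10 in 32 bits and so looks like a 16-byte region. */
    uint32_t j = 0x40000004u;
    printf("flawed check accepts: %d\n", check_flawed(0, 0x1000, 0x100, j));
    printf("fixed check accepts:  %d\n", check_fixed(0, 0x1000, 0x100, j));
    return 0;
}
```

The flawed check accepts an element count whose real byte size is far larger than the buffer, which is how a later copy or read runs out of bounds.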