diff -Nru /tmp/3Q1VRI4oKd/clamav-0.90.2/debian/changelog /tmp/RJMDLSGoDM/clamav-0.90.2/debian/changelog
--- /tmp/3Q1VRI4oKd/clamav-0.90.2/debian/changelog 2007-05-31 13:06:13.000000000 -0600
+++ /tmp/RJMDLSGoDM/clamav-0.90.2/debian/changelog 2007-05-31 13:06:20.000000000 -0600
@@ -1,3 +1,13 @@
+clamav (0.90.2-0ubuntu2) feisty-securiry; urgency=low
+
+ * SECURITY UPDATE: Remote attack in PDF handler and OLE2 Parser
+ - libclamav/pdf.c, libclamav/ole2_extract.c
+ * References
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2650
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2029
+
+ -- Leonel Nunez Thu, 31 May 2007 12:30:19 -0600
+
 clamav (0.90.2-0ubuntu1) feisty; urgency=low
 * New upstream release not in Debian yet.
diff -Nru /tmp/3Q1VRI4oKd/clamav-0.90.2/debian/patches/pdf-ole-bugfix.patch.dpatch /tmp/RJMDLSGoDM/clamav-0.90.2/debian/patches/pdf-ole-bugfix.patch.dpatch
--- /tmp/3Q1VRI4oKd/clamav-0.90.2/debian/patches/pdf-ole-bugfix.patch.dpatch 1969-12-31 18:00:00.000000000 -0600
+++ /tmp/RJMDLSGoDM/clamav-0.90.2/debian/patches/pdf-ole-bugfix.patch.dpatch 2007-05-31 13:06:20.000000000 -0600
@@ -0,0 +1,221 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## pdf-ole-bugfix.patch.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad clamav-0.90.2~/libclamav/ole2_extract.c clamav-0.90.2/libclamav/ole2_extract.c
+--- clamav-0.90.2~/libclamav/ole2_extract.c 2007-02-23 14:31:20.000000000 -0700
++++ clamav-0.90.2/libclamav/ole2_extract.c 2007-05-31 12:28:17.000000000 -0600
+@@ -1,7 +1,7 @@
+ /*
+ * Extract component parts of OLE2 files (e.g. MS Office Documents)
+ *
+- * Copyright (C) 2004 trog@uncon.org
++ * Copyright (C) 2004-2007 trog@uncon.org
+ *
+ * This code is based on the OpenOffice and libgsf sources.
+ *
+@@ -585,6 +585,7 @@
+ unsigned char *buff;
+ int32_t current_block, ofd, len, offset;
+ char *name, *newname;
++ bitset_t *blk_bitset;
+
+ if (prop->type != 2) {
+ /* Not a file */
+@@ -636,13 +637,32 @@
+ return FALSE;
+ }
+
++ blk_bitset = cli_bitset_init();
++ if (!blk_bitset) {
++ cli_errmsg("ERROR [handler_writefile]: init bitset failed\n");
++ close(ofd);
++ return FALSE;
++ }
+ while((current_block >= 0) && (len > 0)) {
++ /* Check we aren't in a loop */
++ if (cli_bitset_test(blk_bitset, (unsigned long) current_block)) {
++ /* Loop in block list */
++ cli_dbgmsg("OLE2: Block list loop detected\n");
++ close(ofd);
++ free(buff);
++ cli_bitset_free(blk_bitset);
++ return FALSE;
++ }
++ if (!cli_bitset_set(blk_bitset, (unsigned long) current_block)) {
++ return FALSE;
++ }
+ if (prop->size < (int64_t)hdr->sbat_cutoff) {
+ /* Small block file */
+ if (!ole2_get_sbat_data_block(fd, hdr, buff, current_block)) {
+ cli_dbgmsg("ole2_get_sbat_data_block failed\n");
+ close(ofd);
+ free(buff);
++ cli_bitset_free(blk_bitset);
+ return FALSE;
+ }
+ /* buff now contains the block with 8 small blocks in it */
+@@ -650,6 +670,7 @@
+ if (cli_writen(ofd, &buff[offset], MIN(len,64)) != MIN(len,64)) {
+ close(ofd);
+ free(buff);
++ cli_bitset_free(blk_bitset);
+ return FALSE;
+ }
+
+@@ 
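Review bot: The new `if (!cli_bitset_set(blk_bitset, (unsigned long) current_block)) { return FALSE; }` inside the while loop in the `-636,13 +637,32` hunk returns without releasing anything, so a failed set leaks `ofd`, `buff` and `blk_bitset`, whereas the loop-detected branch directly above it closes and frees all three. It should do the same before returning: `close(ofd); free(buff); cli_bitset_free(blk_bitset);`. The `cli_bitset_init` failure branch also closes `ofd` but does not free `buff`; if the `return FALSE; }` the hunk opens with is the `buff` allocation check, `buff` is already live there and leaks too. With that many copies of the same three-call cleanup in one function, a single `fail:` label reached by `goto` would make the next omission harder to introduce. The enclosing handler_writefile starts before this hunk.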
-660,12 +681,14 @@
+ if (!ole2_read_block(fd, hdr, buff, current_block)) {
+ close(ofd);
+ free(buff);
++ cli_bitset_free(blk_bitset);
+ return FALSE;
+ }
+ if (cli_writen(ofd, buff, MIN(len,(1 << hdr->log2_big_block_size))) !=
+ MIN(len,(1 << hdr->log2_big_block_size))) {
+ close(ofd);
+ free(buff);
++ cli_bitset_free(blk_bitset);
+ return FALSE;
+ }
+
+@@ -675,6 +698,7 @@
+ }
+ close(ofd);
+ free(buff);
++ cli_bitset_free(blk_bitset);
+ return TRUE;
+ }
+
+diff -urNad clamav-0.90.2~/libclamav/pdf.c clamav-0.90.2/libclamav/pdf.c
+--- clamav-0.90.2~/libclamav/pdf.c 2007-04-12 08:51:42.000000000 -0600
++++ clamav-0.90.2/libclamav/pdf.c 2007-05-31 12:23:29.000000000 -0600
+@@ -78,7 +78,7 @@
+ const char *xrefstart; /* cross reference table */
+ /*size_t xreflength;*/
+ int rc = CL_CLEAN;
+- struct table *md5table;
++ table_t *md5table;
+ int printed_predictor_message;
+ int printed_embedded_font_message;
+ struct stat statb;
+@@ -88,7 +88,7 @@
+ if(fstat(desc, &statb) < 0)
+ return CL_EOPEN;
+
+- size = (size_t)statb.st_size;
++ size = statb.st_size;
+
+ if(size == 0)
+ return CL_CLEAN;
+@@ -216,7 +216,7 @@
+ /*int object_number, generation_number;*/
+ const char *objstart, *objend, *streamstart, *streamend;
+ char *md5digest;
+- size_t length, objlen, real_streamlen, calculated_streamlen;
++ unsigned long length, objlen, real_streamlen, calculated_streamlen;
+ int is_embedded_font, predictor;
+ char fullname[NAME_MAX + 1];
+
+@@ -262,7 +262,7 @@
+ }
+ bytesleft -= (objend - p) + 6;
+ p = &objend[6];
+- objlen = (size_t)(objend - objstart);
++ objlen = (unsigned long)(objend - objstart);
+
+ /* Is this object a stream? */
+ streamstart = cli_pmemstr(objstart, objlen, "stream", 6);
+@@ -291,16 +297,22 @@
+ */
+ if((bytesleft > 11) && strncmp(q, " 0 R", 4) == 0) {
+ const char *r;
+- char b[13];
++ char b[14];
+
+ q += 4;
+- cli_dbgmsg("Length is in indirect obj %d\n",
++ cli_dbgmsg("Length is in indirect obj %ld\n",
+ length);
+ snprintf(b, sizeof(b),
+- "%d 0 obj", length);
+- length = strlen(b);
++ "\n%ld 0 obj", length);
++ length = (unsigned long)strlen(b);
+ r = cli_pmemstr(alloced ? alloced : buf,
+ size, b, length);
++ if(r == NULL) {
++ b[0] = '\r';
++ r = cli_pmemstr(alloced ? alloced : buf,
++ size, b, length);
++ }
++
+ if(r) {
+ r += length - 1;
+ r = pdf_nextobject(r, bytesleft - (r - q));
+@@ -308,12 +314,14 @@
+ length = atoi(r);
+ while(isdigit(*r))
+ r++;
+- cli_dbgmsg("length in '%s' %d\n",
+- b, length);
++ cli_dbgmsg("length in '%s' %ld\n",
++ &b[1],
++ length);
++
+ }
+ } else
+ cli_warnmsg("Couldn't find '%s'\n",
+- b);
++ &b[1]);
+ }
+ q--;
+ } else if(strncmp(q, "Length2 ", 8) == 0)
+@@ -428,7 +436,7 @@
+ if(calculated_streamlen != real_streamlen)
+ cli_dbgmsg("cli_pdf: Incorrect Length field in file attempting to recover\n");
+
+- cli_dbgmsg("length %d, calculated_streamlen %d isFlate %d isASCII85 %d\n",
++ cli_dbgmsg("length %ld, calculated_streamlen %ld isFlate %d isASCII85 %d\n",
+ length, calculated_streamlen,
+ is_flatedecode, is_ascii85decode);
+
+@@ -460,10 +468,22 @@
+ continue;
+ }
+ if(ret) {
+- real_streamlen = (size_t)ret;
++ char *t;
++
++ real_streamlen = ret;
++
+ /* free unused trailing bytes */
+- tmpbuf = cli_realloc(tmpbuf,
++ t = cli_realloc(tmpbuf,
+ calculated_streamlen);
++ if(t == NULL) {
++ free(tmpbuf);
++ close(fout);
++ unlink(fullname);
++ rc = CL_EMEM;
++ continue;
++ }
++ tmpbuf = t;
++
+ /*
+ * Note that it will probably be both
+ * ascii85encoded and flateencoded
+@@ -551,6 +571,11 @@
+
+ cli_dbgmsg("cli_pdf: flatedecode %lu bytes\n", (unsigned long)len);
+
++ if(len == 0) {
++ cli_warnmsg("cli_pdf: flatedecode len == 
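Review bot: In the `-291,16 +297,22` hunk the `snprintf(b, sizeof(b), "\n%ld 0 obj", length)` result is never checked, and `b[14]` only holds the newline, six digits, ` 0 obj` and the NUL, so an object number of seven or more digits is silently truncated; `length` is then set from `strlen(b)` and `cli_pmemstr` searches for the truncated pattern, which for eight or more digits has lost the `obj` keyword and can match an indirect reference or a longer object number instead of the object that carries the stream length. Since `length` is an `unsigned long`, the buffer should be large enough for any value (`char b[32];`) and the snprintf return checked, treating truncation as "not found" so the existing `Couldn't find` warning in the following hunk fires rather than scanning for a wrong pattern. The enclosing cli_pdf body starts before this hunk and the `if(r)` branch continues into the next one.
```c
			const char *r;
			char b[32];	/* "\n" + digits of a long + " 0 obj" + NUL */
			int n;

			q += 4;
			cli_dbgmsg("Length is in indirect obj %ld\n", length);
			n = snprintf(b, sizeof(b), "\n%ld 0 obj", length);
			if(n < 0 || (size_t)n >= sizeof(b)) {
				/* would search a truncated pattern and could match the wrong object */
				cli_warnmsg("cli_pdf: indirect Length object number too long\n");
				r = NULL;
			} else {
				length = (unsigned long)n;
				r = cli_pmemstr(alloced ? alloced : buf, size, b, length);
				if(r == NULL) {
					b[0] = '\r';
					r = cli_pmemstr(alloced ? alloced : buf, size, b, length);
				}
			}
			/* … unchanged: if(r) { r += length - 1; … } … */
```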
0\n");
++ return Z_OK;
++ }
++
+ #ifdef SAVE_TMP
+ /*
+ * Copy the embedded area for debugging, so that if it falls over