diff -u clamav-0.91.2/debian/patches/00list clamav-0.91.2/debian/patches/00list
--- clamav-0.91.2/debian/patches/00list
+++ clamav-0.91.2/debian/patches/00list
@@ -5,0 +6,2 @@
+26_mspack.c.CVE-2007-6336.dpatch
+27_pe.c.CVE-2007-6335.dpatch
diff -u clamav-0.91.2/debian/changelog clamav-0.91.2/debian/changelog
--- clamav-0.91.2/debian/changelog
+++ clamav-0.91.2/debian/changelog
@@ -1,3 +1,11 @@
+clamav (0.91.2-3ubuntu3) gutsy; urgency=low
+
+ * SECURITY UPDATE: Remote code execution
+ * [CVE-2007-6336]: libclamav/mspack.c: Off-by-one error in LZX_READ_HUFFSYM
+ * [CVE-2007-6335]: libclamav/pe.c: MEW PE File Integer Overflow
+
+ -- Leonel Nunez Wed, 19 Dec 2007 12:54:38 -0700
+
 clamav (0.91.2-3ubuntu2) gutsy; urgency=low
 
 * Correct Postfix socket location for clamav-milter in
only in patch2:
unchanged:
--- clamav-0.91.2.orig/debian/patches/26_mspack.c.CVE-2007-6336.dpatch
+++ clamav-0.91.2/debian/patches/26_mspack.c.CVE-2007-6336.dpatch
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 26_mspack.c.CVE-2007-6336.dpatch by Leonel Nunez
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad clamav-0.91.2~/libclamav/mspack.c clamav-0.91.2/libclamav/mspack.c
+--- clamav-0.91.2~/libclamav/mspack.c 2007-07-10 15:04:54.000000000 -0600
++++ clamav-0.91.2/libclamav/mspack.c 2007-12-19 12:46:21.000000000 -0700
+@@ -734,7 +734,7 @@
+
+ #define LZX_ENSURE_BITS(nbits) \
+ while (bits_left < (nbits)) { \
+- if (i_ptr >= i_end) { \
++ if (i_ptr + 1 >= i_end) { \
+ if (lzx_read_input(lzx)) return lzx->error; \
+ i_ptr = lzx->i_ptr; \
+ i_end = lzx->i_end; \
only in patch2:
unchanged:
--- clamav-0.91.2.orig/debian/patches/27_pe.c.CVE-2007-6335.dpatch
+++ clamav-0.91.2/debian/patches/27_pe.c.CVE-2007-6335.dpatch
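Review bot: The new bound `i_ptr + 1 >= i_end` in LZX_ENSURE_BITS (26_mspack.c.CVE-2007-6336.dpatch) has no comment explaining why one extra byte is required, and the dpatch header still reads `## DP: No description.`. The rest of the macro is outside the hunk, but the check only makes sense if each refill pass consumes two bytes from i_ptr, so I would add `/* each pass reads two bytes from i_ptr; both must lie below i_end */` above the `#define` and put a one-line CVE-2007-6336 summary on the DP line. It is also worth confirming in lzx_read_input what happens to a single unread byte left at i_ptr when the refill fires; if it is discarded, an odd-length input chunk would presumably desynchronise the bitstream instead of failing cleanly.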
@@ -0,0 +1,49 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 27_pe.c.CVE-2007-6335.dpatch by Leonel Nunez
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad clamav-0.91.2~/libclamav/pe.c clamav-0.91.2/libclamav/pe.c
+--- clamav-0.91.2~/libclamav/pe.c 2007-06-19 08:34:18.000000000 -0600
++++ clamav-0.91.2/libclamav/pe.c 2007-12-19 12:50:49.000000000 -0700
+@@ -80,6 +80,19 @@
+ #define PEALIGN(o,a) (((a))?(((o)/(a))*(a)):(o))
+ #define PESALIGN(o,a) (((a))?(((o)/(a)+((o)%(a)!=0))*(a)):(o))
+
++#define CLI_UNPSIZELIMITS(NAME,CHK) \
++if(ctx->limits && ctx->limits->maxfilesize && (CHK) > ctx->limits->maxfilesize) { \
++ cli_dbgmsg(NAME": Sizes exceeded (%lu > %lu)\n", (CHK), ctx->limits->maxfilesize); \
++ free(section_hdr); \
++ free(exe_sections); \
++ if(BLOCKMAX) { \
++ *ctx->virname = "PE."NAME".ExceededFileSize"; \
++ return CL_VIRUS; \
++ } else { \
++ return CL_CLEAN; \
++ } \
++}
++
+ extern short cli_leavetemps_flag;
+
+ struct offset_list {
+@@ -1153,16 +1166,8 @@
+ dsize = exe_sections[i].vsz;
+
+ cli_dbgmsg("MEW: ssize %08x dsize %08x offdiff: %08x\n", ssize, dsize, offdiff);
+- if(ctx->limits && ctx->limits->maxfilesize && (ssize + dsize > ctx->limits->maxfilesize || exe_sections[i + 1].rsz > ctx->limits->maxfilesize)) {
+- cli_dbgmsg("MEW: Sizes exceeded (ssize: %u, dsize: %u, max: %lu)\n", ssize, dsize , ctx->limits->maxfilesize);
+- free(exe_sections);
+- if(BLOCKMAX) {
+- *ctx->virname = "PE.MEW.ExceededFileSize";
+- return CL_VIRUS;
+- } else {
+- return CL_CLEAN;
+- }
+- }
++ CLI_UNPSIZELIMITS("MEW", MAX(ssize, dsize));
++ CLI_UNPSIZELIMITS("MEW", MAX(ssize + dsize, exe_sections[i + 1].rsz));
+
+ /* allocate needed buffer */
+ if (!(src = cli_calloc (ssize + dsize, sizeof(char)))) {
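Review bot: CLI_UNPSIZELIMITS only fires when `ctx->limits` and `ctx->limits->maxfilesize` are set, so with no size limit configured `ssize + dsize` can still wrap before it reaches `cli_calloc (ssize + dsize, sizeof(char))` at the end of the second pe.c hunk. An unconditional wrap test ahead of the allocation, `if (ssize + dsize < ssize)`, taking the same cleanup-and-return path, would cover that case (the old `%u`/`%08x` formats suggest both values are 32-bit unsigned). The macro also adds `free(section_hdr);`, which the removed MEW block did not do; if section_hdr has already been released earlier in this function, which is outside the hunk, this becomes a double free, so confirm it is still live at this call site or drop that line. Finally, `(CHK)` is passed to `%lu` while its operands appear to be unsigned int, so `(unsigned long)(CHK)` in the cli_dbgmsg call would keep the varargs well-defined.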