ClamAV Upack Processing Buffer Overflow Vulnerability

A fix for this is uploaded to Debian and I've asked to have it sync'ed for Hardy. We'll also get updates done for the earlier releases as needed.

Sync'ed for Hardy. More issues than just the one initially described:

 clamav (0.92.1~dfsg2-1) unstable; urgency=high
 .
   * libclamav/pe.c: possible integer overflow in wwpack
   * [CVE-2008-1100]: libclamav/pe.c: possible integer overflow in upack
   * [CVE-2008-1387]: libclamav/spin.c: possible integer overflow
   * libclamav/unarj.c: DoS in unarj

Dapper is definitely affected, need to look at Edgy/Fiesty/Gutsy.

First I'm having the Hardy package put in dapper-backports, see Bug #219031. Then we'll either patch the Dapper package or copy the new package into dapper-updates.

Uploaded to dapper-backports.

Full dapper-updates/dapper-backports debdiff attached. This would bring Dapper up to match Hardy. Note that the entire non-security difference between the versions (the non-security related changes from upstream's 0.92.1) has been running in Hardy since 2008-03-10 without issue.

It turns out the changes in 0.92.1~dfsg2-1 were not complete for CVE 2008-1833. 0.92.1~dfsg2-1.1 in hardy and dapper-backports fixes that. Updates are in ubuntu-clamav PPA too.

Won't Fix for Edgy due to Edgy end of life.

I took a quick look at the dapper-updates to dapper-backports debdiff, and while I haven't tested the dapper-backports release, it seems like a good idea to update dapper to this release as there are a number of security fixes and reliability fixes, and the other updates seemed fairly small. clamav is difficult to maintain in general, and if both LTS releases use the same codebase, that would greatly help maintaining clamav in the long run.

Yes. I think it's the best course. We have 0.92.1 in Hardy and all the
backports repositories. Given 0.92 to 0.92.1 caused no problems in Hardy I
think it's very low risk.

I'd like to pursue a similar course for Feisty and Gutsy, although the diff
there is rather larger. It is still much less than updating Dapper was
(the original 0.88.2 to 0.92 jump) and that went pretty smoothly.

Fixed package copied from dapper-backports to dapper-updates.

Is Ubuntu's clamav also affected by CVE-2008-0314 (DSA 1549-1 [http://www.debian.org/security/2008/dsa-1549])?

Read the DSA. Look at the version it's fixed in in Debian Unstable. Look what versions we have.

I did that. (According to Launchpad) clamav in dapper-security is at version 0.92~dfsg-2~dapper1ubuntu0.2, in dapper-updates it's at 0.92.1~dfsg2-1.1~dapper1, DSA 1549-1 is about 0.92.1~dfsg2-1 for Sid. But since CVE-2008-0314 isn't mentioned in the (Ubuntu) changelogs, I'd dared to asked that question just to make sure that nothing slipped through.

Currently it's fixed in Hardy/Intrepid in the regular release pocket.

For Feisty/Gutsy it's fixed in -backports, but not yet in -security.

For Dapper it's fixed in -updates, but not yet in -security.

Work is in progress to get all that resolved.

Fiesty/Gutsy backports copied to -updates, so fixed in all releases.