Recursive stack overflow in jpeg parsing code

Bug #304017 reported by Scott Kitterman
256
Affects Status Importance Assigned to Milestone
clamav (Ubuntu)
High
Scott Kitterman
Dapper
Undecided
Unassigned
Gutsy
Undecided
Unassigned
Hardy
Undecided
Unassigned
Intrepid
High
Scott Kitterman
Jaunty
High
Scott Kitterman

Bug Description

Binary package hint: clamav

There is a recursive stack overflow in clamav 0.93.3 and 0.94 (and probably
older versions) in the jpeg parsing code.
it scan's the jpeg file, and if there is a thumbnail, it'll scan that too. the
thumbnail itself is just another jpeg
file and the same jpeg scanning function gets called without checking any kind
of recurising limit. this can easely
lead to a recurisive stack overflow. the vulnerable code looks like:
clamav-0.94\libclamav\special.c
int cli_check_jpeg_exploit(int fd) <-- fd to jpeg file

Fixed upstream in 0.94.2

Revision history for this message
Scott Kitterman (kitterman) wrote :

There is no CVE. Launchpad is being difficult and won't let me link the upstream bug without doing additional paperwork, so here it is:

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1266

Changed in clamav:
assignee: nobody → kitterman
importance: Undecided → High
status: New → In Progress
assignee: nobody → kitterman
importance: Undecided → High
status: New → Fix Released
Revision history for this message
Scott Kitterman (kitterman) wrote :

Package tested. Waiting for Ubuntu security to upload it.

Revision history for this message
Kees Cook (kees) wrote :

Building in security queue now.

Changed in clamav:
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.94.dfsg.2-1ubuntu0.1

---------------
clamav (0.94.dfsg.2-1ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: (LP: #304017)
    - Fix recursive stack overflow in jpeg parsing code
  * Other changes:
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 for
      clamav-daemon and clamav-freshclam
    - add debian/usr.bin.freshclam and debian/usr.sbin.clamd
    - debian/clamav-(daemon|freshclam).dirs: add etc/apparmor.d/force-complain
    - debian/clamav-(daemon|freshclam).install: install profiles
    - debian/clamav-(daemon|freshclam).preinst: create symlink for
      force-complain/ on pre-feisty upgrades, upgrades where apparmor-profiles
      profile is unchanged (ie non-enforcing) and upgrades where the profile
      doesn't exist.
    - debian/clamav-(daemon|freshclam).postrm: remove symlink in
      force-complain/ on purge.
    - debian/clamav-(daemon|freshclam).postinst.in: reload apparmor
    - update README.Debian with note on Apparmor
    - Enable upstream test suite in debian/rules

 -- Scott Kitterman <email address hidden> Mon, 01 Dec 2008 13:11:52 -0500

Changed in clamav:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.92.1~dfsg2-1.1ubuntu0.4

---------------
clamav (0.92.1~dfsg2-1.1ubuntu0.4) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service via out-of-memory null dereferences,
    memory leaks, and file descriptor leaks:
    - 29_CVE-2008-3912.dpatch: backported upstream fixes.
    - 30_CVE-2008-3913.dpatch: backported upstream fixes.
    - 31_CVE-2008-3914.dpatch: backported upstream fixes.
    - LP: #271546
  * SECURITY UPDATE: denial of service via crafted JPEG file
    - 32_cli_check_jpeg_exploit.dpatch: backported upstream fixes.
    - CVE-2008-5314, LP: #304017

 -- Leonel Nunez <email address hidden> Thu, 04 Dec 2008 10:47:40 -0700

Changed in clamav:
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (8.3 KiB)

This bug was fixed in the package clamav - 0.94.dfsg.2-1ubuntu0.1~dapper1

---------------
clamav (0.94.dfsg.2-1ubuntu0.1~dapper1) dapper-backports; urgency=low

  * Source backport for Dapper (LP: #335724)
    - Drop lsb status functions
      - Revert status_of_proc changes from maintainer scripts
      - Drop versioned depends of lsb-base
    - Switch back to old style dpkg-dev Source-Version
    - Drop maintainer change
    - Build with GCC 4.1
    - Remove leading comments from translation templates due to tool
      shortfalls on Dapper

clamav (0.94.dfsg.2-1ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: (LP: #304017)
    - Fix recursive stack overflow in jpeg parsing code
  * Other changes:
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 for
      clamav-daemon and clamav-freshclam
    - add debian/usr.bin.freshclam and debian/usr.sbin.clamd
    - debian/clamav-(daemon|freshclam).dirs: add etc/apparmor.d/force-complain
    - debian/clamav-(daemon|freshclam).install: install profiles
    - debian/clamav-(daemon|freshclam).preinst: create symlink for
      force-complain/ on pre-feisty upgrades, upgrades where apparmor-profiles
      profile is unchanged (ie non-enforcing) and upgrades where the profile
      doesn't exist.
    - debian/clamav-(daemon|freshclam).postrm: remove symlink in
      force-complain/ on purge.
    - debian/clamav-(daemon|freshclam).postinst.in: reload apparmor
    - update README.Debian with note on Apparmor
    - Enable upstream test suite in debian/rules

clamav (0.94.dfsg.2-1) unstable; urgency=low

  [ Stephen Gran ]
  * New upstream version

  [ Michael Meskes ]
  * Removed unused debconf templates and unfuzzied all translations.

  [ Michael Tautschnig ]
  * Removed --unzip from clampipe script (closes: #506055)
  * Moved clamav-milter specific stuff from its specific README.Debian to
    clamav-global one.
  * Sync start of clamav-milter with clamav-daemon when clamav-daemon is being
    upgraded (closes: #309067)
  * The TemporaryDirectory option has been added long ago, no need for hacks
    via clamav-daemon.default anymore (closes: #253080)

clamav (0.94.dfsg.1-1ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: (LP: #296704)
    - Fix off-by-one heap overflow
  * Other changes:
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 for
      clamav-daemon and clamav-freshclam
    - add debian/usr.bin.freshclam and debian/usr.sbin.clamd
    - debian/clamav-(daemon|freshclam).dirs: add etc/apparmor.d/force-complain
    - debian/clamav-(daemon|freshclam).install: install profiles
    - debian/clamav-(daemon|freshclam).preinst: create symlink for
      force-complain/ on pre-feisty upgrades, upgrades where apparmor-profiles
      profile is unchanged (ie non-enforcing) and upgrades where the profile
      doesn't exist.
    - debian/clamav-(daemon|freshclam).postrm: remove symlink in
      force-complain/ on purge.
    - debian/clamav-(daemon|freshclam).postinst.in: reload apparmor
    - update README.Debian with note on Apparmor
  * Update apparmor profile for clamd to work with TCP sockets (LP: #288942)

clamav (0.94.dfsg.1-1) unstable; urgency=low

...

Read more...

Changed in clamav:
status: New → Fix Released
Revision history for this message
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in clamav (Ubuntu Gutsy):
status: New → Won't Fix
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.