diff -u clamav-0.92.1~dfsg2/debian/changelog clamav-0.92.1~dfsg2/debian/changelog
--- clamav-0.92.1~dfsg2/debian/changelog
+++ clamav-0.92.1~dfsg2/debian/changelog
@@ -1,3 +1,26 @@
+clamav (0.92.1~dfsg2-1.1~dapper3.3) dapper-security; urgency=low
+
+ [ Leonel Nunez ]
+ * SECURITY UPDATE:
+ * [CVE-2008-5314]: remote attack by sending a specially crafted JPEG
+ file
+ libclamav/special.c, libclamav/special.h, libclamav/scanners.c
+ * [CVE-2008-3912]: libclamav/mbox.c, libclamav/message.c:
+ out-of-memory null dereferences
+ * [CVE-2008-3914]: libclamav/htmlnorm.c, libclamav/others.c,
+ libclamav/sis.c: fd leaks
+ * [CVE-2008-3913]: freshclam/manager.c: memory leaks
+ * added 29_CVE-2008-3912.dpatch 30_CVE-2008-3913.dpatch
+ 32_cli_check_jpeg_exploit.dpatch 31_CVE-2008-3914.dpatch
+ * References: LP #271546, #304017
+
+ [ Scott Kitterman ]
+ * SECURITY UPDATE: re-enable modules disabled due to resolved security
+ deficiencies:
+ * References: Clamav svn commit 4550, LP #317923
+
+ -- Scott Kitterman Sun, 18 Jan 2009 00:13:25 -0500
+
 clamav (0.92.1~dfsg2-1.1~dapper3.2) dapper-security; urgency=low
 * SECURITY UPDATE: fix off-by-one heap overflow
diff -u clamav-0.92.1~dfsg2/debian/patches/00list clamav-0.92.1~dfsg2/debian/patches/00list
--- clamav-0.92.1~dfsg2/debian/patches/00list
+++ clamav-0.92.1~dfsg2/debian/patches/00list
@@ -8,0 +9,5 @@
+29_CVE-2008-3912.dpatch
+30_CVE-2008-3913.dpatch
+31_CVE-2008-3914.dpatch
+32_cli_check_jpeg_exploit.dpatch
+33_dconf_renable.dpatch
only in patch2: unchanged:
--- clamav-0.92.1~dfsg2.orig/debian/patches/32_cli_check_jpeg_exploit.dpatch
+++ clamav-0.92.1~dfsg2/debian/patches/32_cli_check_jpeg_exploit.dpatch
@@ -0,0 +1,134 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 32_cli_check_jpeg_exploit.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad clamav-0.92.1~dfsg2~/libclamav/others.h clamav-0.92.1~dfsg2/libclamav/others.h
+--- clamav-0.92.1~dfsg2~/libclamav/others.h 2008-02-06 08:47:35.000000000 -0700
++++ clamav-0.92.1~dfsg2/libclamav/others.h 2008-12-04 12:42:12.000000000 -0700
+@@ -85,6 +85,7 @@
+ unsigned int mrec;
+ unsigned int found_possibly_unwanted;
+ struct cli_dconf *dconf;
++ unsigned int recursion;
+ } cli_ctx;
+
+ #define SCAN_ARCHIVE (ctx->options & CL_SCAN_ARCHIVE)
+diff -urNad clamav-0.92.1~dfsg2~/libclamav/scanners.c clamav-0.92.1~dfsg2/libclamav/scanners.c
+--- clamav-0.92.1~dfsg2~/libclamav/scanners.c 2008-01-28 16:33:06.000000000 -0700
++++ clamav-0.92.1~dfsg2/libclamav/scanners.c 2008-12-04 12:42:18.000000000 -0700
+@@ -1573,13 +1573,13 @@
+ return ret;
+ }
+
+-static int cli_scanjpeg(int desc, const char **virname)
++static int cli_scanjpeg(int desc, cli_ctx *ctx)
+ {
+ int ret = CL_CLEAN;
+
+- if(cli_check_jpeg_exploit(desc) == 1) {
++ if(cli_check_jpeg_exploit(desc,ctx) == 1) {
+ ret = CL_VIRUS;
+- *virname = "Exploit.W32.MS04-028";
++ *ctx->virname = "Exploit.W32.MS04-028";
+ }
+
+ return ret;
+@@ -2172,7 +2172,7 @@
+
+ case CL_TYPE_GRAPHICS:
+ if(SCAN_ALGO && (DCONF_OTHER & OTHER_CONF_JPEG))
+- ret = cli_scanjpeg(desc, ctx->virname);
++ ret = cli_scanjpeg(desc, ctx);
+ break;
+
+ case CL_TYPE_PDF:
+diff -urNad clamav-0.92.1~dfsg2~/libclamav/special.c clamav-0.92.1~dfsg2/libclamav/special.c
+--- clamav-0.92.1~dfsg2~/libclamav/special.c 2007-12-06 05:59:04.000000000 -0700
++++ clamav-0.92.1~dfsg2/libclamav/special.c 2008-12-04 12:42:24.000000000 -0700
+@@ -82,7 +82,7 @@
+ return retval;
+ }
+
+-static int jpeg_check_photoshop_8bim(int fd)
++static int jpeg_check_photoshop_8bim(int fd, cli_ctx *ctx)
+ {
+ unsigned char bim[5];
+ uint16_t id, ntmp;
+@@ -137,7 +137,7 @@
+ /* Jump past header */
+ lseek(fd, 28, SEEK_CUR);
+
+- retval = cli_check_jpeg_exploit(fd);
++ retval = cli_check_jpeg_exploit(fd,ctx);
+ if (retval == 1) {
+ cli_dbgmsg("Exploit found in thumbnail\n");
+ }
+@@ -146,7 +146,7 @@
+ return retval;
+ }
+
+-static int jpeg_check_photoshop(int fd)
++static int jpeg_check_photoshop(int fd, cli_ctx *ctx)
+ {
+ int retval;
+ unsigned char buffer[14];
+@@ -163,7 +163,7 @@
+ cli_dbgmsg("Found Photoshop segment\n");
+ do {
+ old = lseek(fd, 0, SEEK_CUR);
+- retval = jpeg_check_photoshop_8bim(fd);
++ retval = jpeg_check_photoshop_8bim(fd,ctx);
+ new = lseek(fd, 0, SEEK_CUR);
+ if(new <= old)
+ break;
+@@ -175,7 +175,7 @@
+ return retval;
+ }
+
+-int cli_check_jpeg_exploit(int fd)
++int cli_check_jpeg_exploit(int fd, cli_ctx *ctx)
+ {
+ unsigned char buffer[4];
+ off_t offset;
+@@ -183,6 +183,8 @@
+
+
+ cli_dbgmsg("in cli_check_jpeg_exploit()\n");
++ if(ctx->recursion > ctx->limits->maxreclevel)
++ return CL_EMAXREC;
+
+ if (cli_readn(fd, buffer, 2) != 2) {
+ return 0;
+@@ -226,10 +228,12 @@
+
+ if (buffer[1] == 0xed) {
+ /* Possible Photoshop file */
+- if ((retval=jpeg_check_photoshop(fd)) != 0) {
++ ctx->recursion++;
++ retval=jpeg_check_photoshop(fd, ctx);
++ ctx->recursion--;
++ if (retval != 0)
+ return retval;
+ }
+- }
+
+ if (lseek(fd, offset, SEEK_SET) != offset) {
+ return -1;
+diff -urNad clamav-0.92.1~dfsg2~/libclamav/special.h clamav-0.92.1~dfsg2/libclamav/special.h
+--- clamav-0.92.1~dfsg2~/libclamav/special.h 2007-12-06 05:59:04.000000000 -0700
++++ clamav-0.92.1~dfsg2/libclamav/special.h 2008-12-04 12:42:29.000000000 -0700
+@@ -20,8 +20,10 @@
+ #ifndef __SPECIAL_H
+ #define __SPECIAL_H
+
++#include "others.h"
++
+ int cli_check_mydoom_log(int desc, const char **virname);
+-int cli_check_jpeg_exploit(int fd);
++int cli_check_jpeg_exploit(int fd, cli_ctx *ctx);
+ int cli_check_riff_exploit(int fd);
+
+ #endif
only in patch2: unchanged:
--- clamav-0.92.1~dfsg2.orig/debian/patches/30_CVE-2008-3913.dpatch
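Review bot: The new guard in cli_check_jpeg_exploit, `if(ctx->recursion > ctx->limits->maxreclevel)`, dereferences `ctx->limits` without a NULL check; in this release the limits pointer handed to cl_scandesc is optional as far as I recall, so a caller scanning without limits would crash inside the very check added for CVE-2008-5314 — please confirm against the callers, which are outside this hunk. If NULL is reachable, keep a bound rather than skipping the check, e.g. `if(ctx->recursion > (ctx->limits ? ctx->limits->maxreclevel : 16)) return CL_EMAXREC;`, and note that `CL_EMAXREC` propagates up to callers that test `== 1`, so the cut-off is reported as clean rather than as an error. The `recursion` field added to cli_ctx is not initialized anywhere in this patch and relies on the context being zeroed where it is created, which is not shown. cli_check_jpeg_exploit and jpeg_check_photoshop both start and end outside the hunk.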
+++ clamav-0.92.1~dfsg2/debian/patches/30_CVE-2008-3913.dpatch
@@ -0,0 +1,68 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 30_CVE-2008-3913.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad clamav-0.92.1~dfsg2~/freshclam/manager.c clamav-0.92.1~dfsg2/freshclam/manager.c
+--- clamav-0.92.1~dfsg2~/freshclam/manager.c 2008-01-28 14:19:29.000000000 -0700
++++ clamav-0.92.1~dfsg2/freshclam/manager.c 2008-12-04 12:37:47.000000000 -0700
+@@ -323,6 +323,7 @@
+ buf[len] = '\0';
+ auth = malloc(strlen(buf) + 30);
+ if(!auth) {
++ free(buf);
+ logg("!proxyauth: Can't allocate memory for 'authorization'\n");
+ return NULL;
+ }
+@@ -355,8 +356,10 @@
+
+ if(user) {
+ authorization = proxyauth(user, pass);
+- if(!authorization)
++ if(!authorization){
++ free(remotename);
+ return NULL;
++ }
+ }
+ }
+
+@@ -520,8 +523,10 @@
+
+ if(user) {
+ authorization = proxyauth(user, pass);
+- if(!authorization)
++ if(!authorization){
++ free(remotename);
+ return 75; /* FIXME */
++ }
+ }
+ }
+
+@@ -544,6 +549,12 @@
+ "Connection: close\r\n"
+ "\r\n", (remotename != NULL) ? remotename : "", srcfile, hostname, (authorization != NULL) ? authorization : "", agent);
+
++ if(remotename)
++ free(remotename);
++
++ if(authorization)
++ free(authorization);
++
+ memset(ipaddr, 0, sizeof(ipaddr));
+
+ if(ip[0]) /* use ip to connect */
+@@ -565,12 +576,6 @@
+ return 52;
+ }
+
+- if(remotename)
+- free(remotename);
+-
+- if(authorization)
+- free(authorization);
+-
+ /* read http headers */
+ ch = buffer;
+ i = 0;
only in patch2: unchanged:
--- clamav-0.92.1~dfsg2.orig/debian/patches/33_dconf_renable.dpatch
+++ clamav-0.92.1~dfsg2/debian/patches/33_dconf_renable.dpatch
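Review bot: The added `free(buf)` in proxyauth releases a buffer that, going by the function's arguments and the 'authorization' message, holds the encoded proxy credentials, and `authorization` carries the same data in the two callers; all of them are freed without being cleared, so the credentials stay in freed heap memory for the life of the freshclam process. Where they are released — here and in the new block after the request is formatted — consider overwriting first, `memset(buf, 0, strlen(buf));` (or a volatile-safe clear if this tree has one), accepting that a plain memset before free may be optimized away. Moving the two frees ahead of the connect is otherwise sound as long as nothing after the snprintf re-reads `remotename` or `authorization`, which the hunk does not show. proxyauth and both calling functions start and end outside the hunks.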
@@ -0,0 +1,76 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 33_dconf_renable.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Clamav svn 4550 - separate engine capability level and security patch
+## DP: levels so disabled modules can be re-enabled after security problems
+## DP: are fixeds. Set CL_FLEVEL_DCONF to match 0.94.2. Leave CL_FLEVEL at
+## DP: the same level as 0.92.1.
+
+@DPATCH@
+diff -urNad clamav-0.92.1~dfsg2~/ChangeLog clamav-0.92.1~dfsg2/ChangeLog
+--- clamav-0.92.1~dfsg2~/ChangeLog 2008-02-11 13:32:03.000000000 -0500
++++ clamav-0.92.1~dfsg2/ChangeLog 2009-01-16 01:48:31.000000000 -0500
+@@ -1,3 +1,7 @@
++Wed Dec 10 20:09:00 CET 2008 (tk)
++---------------------------------
++ * libclamav: add CL_FLEVEL_DCONF (bb#1313)
++
+ Mon Feb 11 19:32:02 CET 2008
+ ----------------------------
+ * libclamav/mew.c: fix possible heap corruption (bb#806)
+diff -urNad clamav-0.92.1~dfsg2~/libclamav/dconf.c clamav-0.92.1~dfsg2/libclamav/dconf.c
+--- clamav-0.92.1~dfsg2~/libclamav/dconf.c 2007-12-12 18:15:19.000000000 -0500
++++ clamav-0.92.1~dfsg2/libclamav/dconf.c 2009-01-16 01:57:26.000000000 -0500
+@@ -233,7 +233,7 @@
+ return 0;
+ }
+
+- if((unsigned int) atoi(pt) > cl_retflevel()) {
++ if((unsigned int) atoi(pt) > CL_FLEVEL_DCONF) {
+ free(pt);
+ return 0;
+ }
+@@ -246,7 +246,7 @@
+ return 0;
+ }
+
+- if((unsigned int) atoi(pt) < cl_retflevel()) {
++ if((unsigned int) atoi(pt) < CL_FLEVEL_DCONF) {
+ free(pt);
+ return 0;
+ }
+diff -urNad clamav-0.92.1~dfsg2~/libclamav/others.c clamav-0.92.1~dfsg2/libclamav/others.c
+--- clamav-0.92.1~dfsg2~/libclamav/others.c 2009-01-16 01:47:00.000000000 -0500
++++ clamav-0.92.1~dfsg2/libclamav/others.c 2009-01-16 01:50:34.000000000 -0500
+@@ -85,8 +85,6 @@
+ #define P_tmpdir "C:\\WINDOWS\\TEMP"
+ #endif
+
+-#define CL_FLEVEL 26 /* don't touch it */
+-
+ uint8_t cli_debug_flag = 0, cli_leavetemps_flag = 0;
+
+ static unsigned char name_salt[16] = { 16, 38, 97, 12, 8, 4, 72, 196, 217, 144, 33, 124, 18, 11, 17, 253 };
+diff -urNad clamav-0.92.1~dfsg2~/libclamav/others.h clamav-0.92.1~dfsg2/libclamav/others.h
+--- clamav-0.92.1~dfsg2~/libclamav/others.h 2009-01-16 01:47:00.000000000 -0500
++++ clamav-0.92.1~dfsg2/libclamav/others.h 2009-01-16 02:01:31.000000000 -0500
+@@ -30,6 +30,18 @@
+ #include "clamav.h"
+ #include "dconf.h"
+
++/*
++ * CL_FLEVEL is the signature f-level specific to the current code and
++ * should never be modified
++ * CL_FLEVEL_DCONF is used in the dconf module and can be bumped by
++ * distribution packagers provided they fix *all* security issues found
++ * in the old versions of ClamAV. Updating CL_FLEVEL_DCONF will result
++ * in re-enabling affected modules.
++ */
++
++#define CL_FLEVEL 26
++#define CL_FLEVEL_DCONF 38
++
+ extern uint8_t cli_debug_flag, cli_leavetemps_flag;
+
+ /*
only in patch2: unchanged:
--- clamav-0.92.1~dfsg2.orig/debian/patches/29_CVE-2008-3912.dpatch
+++ clamav-0.92.1~dfsg2/debian/patches/29_CVE-2008-3912.dpatch
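Review bot: Setting `CL_FLEVEL_DCONF` to 38 makes the two comparisons in dconf.c accept every module-disable entry up to 0.94.2's level, re-enabling any module that daily.cvd had switched off for this engine; the comment added to others.h states this is only valid if *all* security issues fixed between the two levels are present, but nothing on this page records which upstream fixes were checked — the changelog lists four CVEs. Add that audit to the patch header, e.g. extend the `## DP:` block with the list of upstream security fixes (CVE or bb# ids) confirmed present in 0.92.1 plus these patches, so the next bump can be re-verified instead of trusted. I cannot tell from this page whether those four cover every entry upstream disabled between level 26 and 38, so treat this as a documentation gap rather than a confirmed regression. Also `## DP: are fixeds` should read `are fixed`.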
@@ -0,0 +1,93 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 29_CVE-2008-3912.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad clamav-0.92.1~dfsg2~/libclamav/mbox.c clamav-0.92.1~dfsg2/libclamav/mbox.c
+--- clamav-0.92.1~dfsg2~/libclamav/mbox.c 2007-12-12 16:25:59.000000000 -0700
++++ clamav-0.92.1~dfsg2/libclamav/mbox.c 2008-12-04 12:34:07.000000000 -0700
+@@ -1439,6 +1439,8 @@
+ break;
+ }
+ }
++ if(body->isTruncated && retcode == CL_SUCCESS)
++ retcode = CL_EMEM;
+
+ /*
+ * Tidy up and quit
+@@ -1602,6 +1604,11 @@
+ }
+ fullline = cli_strdup(line);
+ fulllinelength = strlen(line) + 1;
++ if(!fullline) {
++ if(ret)
++ ret->isTruncated = TRUE;
++ break;
++ }
+ } else if(line != NULL) {
+ fulllinelength += strlen(line);
+ ptr = cli_realloc(fullline, fulllinelength);
+diff -urNad clamav-0.92.1~dfsg2~/libclamav/message.c clamav-0.92.1~dfsg2/libclamav/message.c
+--- clamav-0.92.1~dfsg2~/libclamav/message.c 2007-12-06 05:59:04.000000000 -0700
++++ clamav-0.92.1~dfsg2/libclamav/message.c 2008-12-04 12:34:13.000000000 -0700
+@@ -1761,7 +1761,7 @@
+ for(t_line = messageGetBody(m); t_line; t_line = t_line->t_next) {
+ if(first == NULL)
+ first = last = cli_malloc(sizeof(text));
+- else {
++ else if (last) {
+ last->t_next = cli_malloc(sizeof(text));
+ last = last->t_next;
+ }
+@@ -1822,7 +1822,9 @@
+ case UUENCODE:
+ cli_errmsg("messageToText: Unexpected attempt to handle uuencoded file - report to http://bugs.clamav.net\n");
+ if(first) {
+- last->t_next = NULL;
++ if(last)
++ last->t_next = NULL;
++
+ textDestroy(first);
+ }
+ return NULL;
+@@ -1832,7 +1834,8 @@
+ if(t_line == NULL) {
+ /*cli_warnmsg("YENCODED attachment is missing begin statement\n");*/
+ if(first) {
+- last->t_next = NULL;
++ if(last)
++ last->t_next = NULL;
+ textDestroy(first);
+ }
+ return NULL;
+@@ -1868,7 +1871,7 @@
+
+ if(first == NULL)
+ first = last = cli_malloc(sizeof(text));
+- else {
++ else if (last){
+ last->t_next = cli_malloc(sizeof(text));
+ last = last->t_next;
+ }
+@@ -1906,7 +1909,7 @@
+ if(decode(m, NULL, data, base64, FALSE) && data[0]) {
+ if(first == NULL)
+ first = last = cli_malloc(sizeof(text));
+- else {
++ else if (last) {
+ last->t_next = cli_malloc(sizeof(text));
+ last = last->t_next;
+ }
+diff -urNad clamav-0.92.1~dfsg2~/libclamav/message.h clamav-0.92.1~dfsg2/libclamav/message.h
+--- clamav-0.92.1~dfsg2~/libclamav/message.h 2007-12-06 05:59:04.000000000 -0700
++++ clamav-0.92.1~dfsg2/libclamav/message.h 2008-12-04 12:34:33.000000000 -0700
+@@ -45,6 +45,7 @@
+ text *yenc; /* start of a yEnc message */
+ text *encoding; /* is the non MIME message encoded? */
+ const text *dedupedThisFar;
++ unsigned int isTruncated : 1;
+ } message;
+
+ message *messageCreate(void);
only in patch2: unchanged:
--- clamav-0.92.1~dfsg2.orig/debian/patches/31_CVE-2008-3914.dpatch
+++ clamav-0.92.1~dfsg2/debian/patches/31_CVE-2008-3914.dpatch
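Review bot: In the three messageToText hunks (1761, 1868, 1906) the new `else if (last)` makes a failed tail allocation silently skip the append, and the loop iteration continues with `last == NULL`; the lines right after each hunk are not shown, but if they dereference `last` before testing it — as the 1822/1832 paths did before this patch — the NULL dereference has only moved down a few lines. A direct bail-out right after the allocation is clearer: `if(!last) { if(first) textDestroy(first); return NULL; }`, which is safe because a failed `cli_malloc` has already stored NULL into the previous tail's `t_next`, so the list is terminated. The mbox.c change reports `CL_EMEM` only when `retcode == CL_SUCCESS`, which is the right precedence; `isTruncated` is a new bitfield in `message` and depends on messageCreate zero-filling the struct, which this patch does not show. messageToText and the mbox parsing loop start and end outside these hunks.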
@@ -0,0 +1,79 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 31_CVE-2008-3914.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad clamav-0.92.1~dfsg2~/libclamav/htmlnorm.c clamav-0.92.1~dfsg2/libclamav/htmlnorm.c
+--- clamav-0.92.1~dfsg2~/libclamav/htmlnorm.c 2007-12-06 07:07:31.000000000 -0700
++++ clamav-0.92.1~dfsg2/libclamav/htmlnorm.c 2008-12-04 12:41:09.000000000 -0700
+@@ -1364,7 +1364,7 @@
+ cli_dbgmsg("RFC2397 data file: %s\n", tmp_file);
+ file_tmp_o1->fd = open(tmp_file, O_WRONLY|O_CREAT|O_TRUNC, S_IWUSR|S_IRUSR);
+ free(tmp_file);
+- if (!file_tmp_o1->fd) {
++ if (file_tmp_o1->fd < 0) {
+ cli_dbgmsg("open failed: %s\n", filename);
+ free(file_tmp_o1);
+ goto abort;
+@@ -1520,17 +1520,20 @@
+ }
+ if (file_buff_o1) {
+ html_output_flush(file_buff_o1);
+- close(file_buff_o1->fd);
++ if(file_buff_o1->fd != -1)
++ close(file_buff_o1->fd);
+ free(file_buff_o1);
+ }
+ if (file_buff_o2) {
+ html_output_flush(file_buff_o2);
+- close(file_buff_o2->fd);
++ if(file_buff_o2->fd != -1)
++ close(file_buff_o2->fd);
+ free(file_buff_o2);
+ }
+ if (file_buff_script) {
+ html_output_flush(file_buff_script);
+- close(file_buff_script->fd);
++ if(file_buff_script->fd != -1)
++ close(file_buff_script->fd);
+ free(file_buff_script);
+ }
+ return retval;
+@@ -1600,7 +1603,7 @@
+ file_buff.fd = open(filename, O_WRONLY|O_CREAT|O_TRUNC, S_IWUSR|S_IRUSR);
+ file_buff.length = 0;
+
+- if (!file_buff.fd) {
++ if (file_buff.fd < 0) {
+ cli_dbgmsg("open failed: %s\n", filename);
+ fclose(stream_in);
+ return FALSE;
+diff -urNad clamav-0.92.1~dfsg2~/libclamav/others.c clamav-0.92.1~dfsg2/libclamav/others.c
+--- clamav-0.92.1~dfsg2~/libclamav/others.c 2008-02-06 08:49:25.000000000 -0700
++++ clamav-0.92.1~dfsg2/libclamav/others.c 2008-12-04 12:41:17.000000000 -0700
+@@ -753,8 +753,11 @@
+ return -1;
+ }
+
+- if(!(buffer = cli_malloc(FILEBUFF)))
++ if(!(buffer = cli_malloc(FILEBUFF))){
++ close(s);
++ close(d);
+ return -1;
++ }
+
+ while((bytes = cli_readn(s, buffer, FILEBUFF)) > 0)
+ cli_writen(d, buffer, bytes);
+diff -urNad clamav-0.92.1~dfsg2~/libclamav/sis.c clamav-0.92.1~dfsg2/libclamav/sis.c
+--- clamav-0.92.1~dfsg2~/libclamav/sis.c 2007-12-10 07:46:29.000000000 -0700
++++ clamav-0.92.1~dfsg2/libclamav/sis.c 2008-12-04 12:41:25.000000000 -0700
+@@ -323,6 +323,7 @@
+ cli_errmsg("SIS: sis_extract_simple: Can't write %d bytes to %s\n", filelen, fname);
+ free(subdir);
+ free(fname);
++ close(desc);
+ if(compressed)
+ free(buff);
+ close(desc);
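Review bot: The sis.c hunk inserts `close(desc);` three lines above a `close(desc);` that is already on the same error path (the last context line), with no return between them in the lines shown, so the write-failure path now closes the descriptor twice; in a multi-threaded clamd the second close(2) can hit a descriptor another thread has just opened. Unless the trailing context is mis-rendered on this page, drop one of the two calls — e.g. keep the new one and delete the final `close(desc);` — or omit this hunk entirely if 0.92.1 already closed the descriptor here. The htmlnorm.c and others.c hunks look right: open(2) returns -1 on failure, so `fd < 0` is the correct test and the `!= -1` guards in the cleanup match it. sis_extract_simple starts and ends outside the hunk.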