diff -u clamav-0.94.dfsg.2/configure clamav-0.94.dfsg.2/configure
--- clamav-0.94.dfsg.2/configure
+++ clamav-0.94.dfsg.2/configure
@@ -12427,8 +12427,8 @@
 extern void abort(void);
 #define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \
- (bb_size > 0 && sb_size > 0 && sb_size <= bb_size \
- && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+ ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+ && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
 int crashtest() {
diff -u clamav-0.94.dfsg.2/configure.in clamav-0.94.dfsg.2/configure.in
--- clamav-0.94.dfsg.2/configure.in
+++ clamav-0.94.dfsg.2/configure.in
@@ -185,8 +185,8 @@
 extern void abort(void);
 #define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \
- (bb_size > 0 && sb_size > 0 && sb_size <= bb_size \
- && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
+ ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+ && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
 int crashtest() {
diff -u clamav-0.94.dfsg.2/libclamav/others.h clamav-0.94.dfsg.2/libclamav/others.h
--- clamav-0.94.dfsg.2/libclamav/others.h
+++ clamav-0.94.dfsg.2/libclamav/others.h
@@ -42,7 +42,7 @@
 */
 #define CL_FLEVEL 38
-#define CL_FLEVEL_DCONF 41
+#define CL_FLEVEL_DCONF 42
 extern uint8_t cli_debug_flag, cli_leavetemps_flag;
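Review bot: The rewritten `CLI_ISCONTAINED` in the configure.in test program still detects wraparound by forming `(sb) + (sb_size)` and `(bb) + (bb_size)` as pointers, and the same expression is repeated in the generated configure and in both `CLI_ISCONTAINED` and `CLI_ISCONTAINED2` in libclamav/others.h. A pointer more than one past the end of its object is undefined in C, so an optimizing compiler may assume the sum never wraps and fold `((sb) + (sb_size)) > (bb)` to true, which is presumably the case this hardening is meant to reject. Comparing integer offsets avoids that: after the existing size checks and `(sb) >= (bb)`, the pointer-sum terms could become `(size_t)((uintptr_t)(sb) - (uintptr_t)(bb)) <= (size_t)(bb_size) - (size_t)(sb_size)`, assuming callers pass byte pointers and `uintptr_t` is available in these files. `CLI_ISCONTAINED2` accepts `sb_size == 0`, so it would also need the offset to be strictly less than `(size_t)(bb_size)` to keep the new `(sb) < ((bb) + (bb_size))` bound. Each argument is expanded several times, so a comment such as `/* arguments are evaluated more than once; do not pass expressions with side effects */` above both macros would help callers.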
@@ -55,13 +55,14 @@
 *
 * The macro can be used to protect against wraps.
 */
-#define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \
- (bb_size > 0 && sb_size > 0 && sb_size <= bb_size \
- && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
-
-#define CLI_ISCONTAINED2(bb, bb_size, sb, sb_size) \
- (bb_size > 0 && sb_size >= 0 && sb_size <= bb_size \
- && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size >= bb)
+#define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \
+ ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+ && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
+
+#define CLI_ISCONTAINED2(bb, bb_size, sb, sb_size) \
+ ((bb_size) > 0 && (sb_size) >= 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
+ && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) >= (bb) && (sb) < ((bb) + (bb_size)))
+
 #define CLI_MAX_ALLOCATION 184549376
diff -u clamav-0.94.dfsg.2/debian/changelog clamav-0.94.dfsg.2/debian/changelog
--- clamav-0.94.dfsg.2/debian/changelog
+++ clamav-0.94.dfsg.2/debian/changelog
@@ -1,7 +1,24 @@
+clamav (0.94.dfsg.2-1ubuntu0.3) intrepid-security; urgency=high
+
+ * SECURITY UPDATE: (LP: #360502)
+ * References
+ * libclamav/others.h: harden CLI_ISCONTAINED macro (bb#1552) (Denial of
+ service)
+ * Note: clamav-milter bugs such as 1499, 1522, 1524, and 1531 are not
+ relevant to clamav 0.94.2 and earlier versions
+ * Note: The code related to clamav bug 1553 was substantially rewritten in
+ 0.95, so it is also not relevant to clamav 0.94.2 and earlier versions
+ * Bump CL_FLEVEL_DCONF to 0.95.1 level since relevant security patches are
+ applied
+ * Added CVE references for 0.94.dfsg.2-1ubuntu0.2 now that they've been
+ assigned
+
+ -- Scott Kitterman Mon, 13 Apr 2009 09:34:33 -0400
+
 clamav (0.94.dfsg.2-1ubuntu0.2) intrepid-security; urgency=high
 * SECURITY UPDATE (LP: #354190):
- * References Clamav #1335, #1462
+ * References Clamav #1335, #1462, CVE 2008-6680, CVE 2009-1270
 * libclamav/pe.c: division by zero with --detect-broken (bb#1335) (Denial of service)
 * libclamav/untar.c: infloop in tar.c (bb#1462) (Denial of Service)