Upcoming clamav release with security fixes

Bug #673654 reported by Scott Kitterman on 2010-11-10
Affects          Status   Importance   Assigned to   Milestone
clamav (Ubuntu)           Medium       Unassigned
Lucid                     Undecided    Unassigned
Maverick                  Undecided    Unassigned
Natty                     Medium       Unassigned

Bug Description

Binary package hint: clamav

From #debian-clamav:

<aCaB> guys it's freeze time again
<aCaB> despite the 0.97 name it's pretty much of a bugfix release
<aCaB> 2 off-by-ones, possibly exploitable
<aCaB> the major version bump has got to do with windoze support rather than feature richness
<aCaB> anyway we just froze
<aCaB> regression will take about a week

This is a public channel, but I'm treating it as still private since everyone on the channel is known and it's not publicly logged.

Scott Kitterman (kitterman) wrote :

[10:04:15] <aCaB> small update
[10:04:35] <aCaB> plans about 0.97 with the windoze crap went poof
[10:04:53] <aCaB> so we rel 0.96.5 on the 29th
[10:05:29] <mt> like one week from now?
[10:05:34] <aCaB> right
[10:05:53] <aCaB> security stuff
[10:05:58] <aCaB> but no major diffs
[10:06:07] <mt> ah, I was just about to ask for changes
[10:06:12] <mt> critical changes
[10:06:19] <aCaB> none
[10:06:25] <aCaB> in the functionality
[10:06:34] <aCaB> but yep at least 2 are security

Scott Kitterman (kitterman) wrote :

0.95.5 is out now. Having a look at Git to see if I can find these.

visibility: private → public
Scott Kitterman (kitterman) wrote :

git clone git://git.clamav.net/git/clamav-devel

And then look at commits 019f1955194360600ecf0644959ceca6734c2d7b and 1f3db7f074995bd4e1d0183b2db8b1c472d2f41b - These are the ones that likely have security implications.

Serge Hallyn (serge-hallyn) wrote :

Agree, these look a bit scary.

Changed in clamav (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Scott Kitterman (kitterman) wrote :

Natty fix.

Changed in clamav (Ubuntu):
status: Confirmed → Fix Committed
tags: added: patch
Scott Kitterman (kitterman) wrote :

<aCaB> the text should be something like that in the README
<aCaB> sort of
<aCaB> 0.96.5 resolves two issues:
<aCaB> an out-of-bounds read in the pdf module and an off-by-one in the icon parser
<aCaB> vulnerability: buffer overflow / dos

Marc Deslauriers (mdeslaur) wrote :

> "1) Multiple errors within the processing of PDF files can be
> exploited to e.g. cause a crash.

Please use CVE-2010-4260

>
> 2) An off-by-one error within the "icon_cb()" function can be
> exploited to cause a memory corruption."
>

Please use CVE-2010-4261

Scott Kitterman (kitterman) wrote :

This is already fixed in natty.

Serge Hallyn (serge-hallyn) wrote :

Does not apply to karmic (or hardy or dapper, of course).

Scott Kitterman (kitterman) wrote :

And backports is already fixed for all releases.

Changed in clamav (Ubuntu Lucid):
status: New → Triaged
Changed in clamav (Ubuntu Maverick):
status: New → Triaged
Changed in clamav (Ubuntu Natty):
status: Fix Committed → Fix Released
Steve Beattie (sbeattie) wrote :

Hi Serge,

I've gone ahead and uploaded clamav packages to the ubuntu-security-proposed ppa at https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/ ; please test and report feedback here.

In doing so, I ran into a few issues with your debdiff, mostly having to do with your changelog entries:

1) security fixes for RELEASE need to be targeted for the RELEASE-security pocket (e.g. maverick-security rather than just maverick) rather than just RELEASE as you would for the release under development. (Similarly, for non-security Stable Release Updates, you'd target to the RELEASE-proposed pocket; they get later copied once approved to the RELEASE-updates pocket.)

2) the maverick debdiff was against the version in maverick, not the version in maverick-updates, and thus failed to apply. When performing security updates, our policy is to apply them on top of the latest existing versions in RELEASE-security or RELEASE-updates, whichever is higher. I also adjusted the versioning. See https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging for more information about our policies here.

3) I adjusted your changelog entry to include the CVE identifiers, a reference to this bug report, and direct URL references to the cherry-picked upstream patches to ease people researching the issue based on the changelog and debdiff.

Thanks!
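The three changelog points raised above (target the RELEASE-security pocket, cite the CVE identifiers, reference the bug report) are easy to forget when preparing a backport. The following is an added example, not part of this bug report and not Ubuntu's own review tooling: a small POSIX shell lint that reads the first stanza of a debian/changelog and flags a security upload that misses any of them. The two sample changelog entries it writes are constructed here (modelled on the lucid entry in this bug) and the function names are this example's own.

```shell
#!/bin/sh
# Added example: lint the first debian/changelog stanza of a security update
# against the three points raised in the thread. Not Ubuntu's tooling.

# Print the first stanza of a changelog: line 1 up to the " -- maintainer" trailer.
first_stanza() {
    sed -n '1,/^ -- /p' "$1"
}

# check_changelog_entry FILE
# Returns 0 when the first stanza targets a *-security pocket, names at least
# one CVE id and references a Launchpad bug; otherwise reports each gap on
# stderr and returns 1.
check_changelog_entry() {
    stanza=$(first_stanza "$1")
    header=$(printf '%s\n' "$stanza" | sed -n '1p')
    # Header format: "package (version) distribution; urgency=level"
    dist=$(printf '%s\n' "$header" | sed -n 's/^[^ ]* ([^)]*) \([^;]*\);.*/\1/p')
    rc=0
    case "$dist" in
        *-security) ;;
        *) echo "distribution '$dist' is not a -security pocket" >&2; rc=1 ;;
    esac
    printf '%s\n' "$stanza" | grep -Eq 'CVE-[0-9]{4}-[0-9]{4,}' \
        || { echo "no CVE identifier in changelog entry" >&2; rc=1; }
    printf '%s\n' "$stanza" | grep -Eq 'LP: #[0-9]+' \
        || { echo "no LP bug reference in changelog entry" >&2; rc=1; }
    return $rc
}

# write_samples DIR: create two constructed changelogs, one correct and one
# with the mistakes discussed in the bug (wrong pocket, no CVE, no LP ref).
write_samples() {
    cat > "$1/good" <<'EOF'
clamav (0.96.3+dfsg-2ubuntu1.0.10.04.2) lucid-security; urgency=low

  * SECURITY UPDATE: Backport security fixes from 0.96.5 (LP: #673654):
    - CVE-2010-4260, CVE-2010-4479
    - CVE-2010-4261
 -- Example Maintainer <maintainer@example.invalid>  Mon, 06 Dec 2010 15:50:03 +0000
EOF
    cat > "$1/bad" <<'EOF'
clamav (0.96.3+dfsg-2ubuntu1.2) maverick; urgency=low

  * Backport fixes from 0.96.5
 -- Example Maintainer <maintainer@example.invalid>  Mon, 06 Dec 2010 08:19:13 -0600
EOF
}

# Stand-alone demonstration on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_changelog_entry "$demo_dir/good" && echo "good: accepted"
check_changelog_entry "$demo_dir/bad" || echo "bad: rejected (see messages above)"
```

Run it against a real package with `check_changelog_entry debian/changelog` before building the debdiff; the version-base rule (apply on top of whatever is higher in RELEASE-security or RELEASE-updates) still has to be checked against the archive and is outside what a local lint can see.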

Changed in clamav (Ubuntu Lucid):
status: Triaged → Fix Committed
Changed in clamav (Ubuntu Maverick):
status: Triaged → Fix Committed
Steve Beattie (sbeattie) wrote :

Also, if there are proof-of-concept documents for these issues, it would be great if test cases based on them were added to the lp:qa-regression-testing tests for clamav.py (i.e. http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/annotate/head%3A/scripts/test-clamav.py )

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.96.3+dfsg-2ubuntu1.0.10.04.2

---------------
clamav (0.96.3+dfsg-2ubuntu1.0.10.04.2) lucid-security; urgency=low

  * SECURITY UPDATE: Backport security fixes from 0.96.5 (LP: #673654):
    - (simple port from Scott Kitterman's debdiff for natty)
    - libclamav/pdf.c: fix crashes
    - http://git.clamav.net/gitweb?p=clamav-devel.git;a=commitdiff_plain;h=019f1955194360600ecf0644959ceca6734c2d7b
    - CVE-2010-4260, CVE-2010-4479
    - libclamav/pe_icons.c: off by one
    - http://git.clamav.net/gitweb?p=clamav-devel.git;a=commitdiff_plain;h=1f3db7f074995bd4e1d0183b2db8b1c472d2f41b
    - CVE-2010-4261
 -- Serge Hallyn <email address hidden> Mon, 06 Dec 2010 15:50:03 +0000

Changed in clamav (Ubuntu Lucid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.96.3+dfsg-2ubuntu1.2

---------------
clamav (0.96.3+dfsg-2ubuntu1.2) maverick-security; urgency=low

  * SECURITY UPDATE: Backport security fixes from 0.96.5 (LP: #673654):
    - (simple port from Scott Kitterman's debdiff for natty)
    - libclamav/pdf.c: fix crashes
    - http://git.clamav.net/gitweb?p=clamav-devel.git;a=commitdiff_plain;h=019f1955194360600ecf0644959ceca6734c2d7b
    - CVE-2010-4260, CVE-2010-4479
    - libclamav/pe_icons.c: off by one
    - http://git.clamav.net/gitweb?p=clamav-devel.git;a=commitdiff_plain;h=1f3db7f074995bd4e1d0183b2db8b1c472d2f41b
    - CVE-2010-4261
 -- Serge Hallyn <email address hidden> Mon, 06 Dec 2010 08:19:13 -0600

Changed in clamav (Ubuntu Maverick):
status: Fix Committed → Fix Released