Upcoming clamav release with security fixes

Bug #673654 reported by Scott Kitterman
Affects           Status        Importance  Assigned to  Milestone
clamav (Ubuntu)   Fix Released  Medium      Unassigned
Lucid             Fix Released  Undecided   Unassigned
Maverick          Fix Released  Undecided   Unassigned
Natty             Fix Released  Medium      Unassigned

Bug Description

Binary package hint: clamav

From #debian-clamav:

<aCaB> guys it's freeze time again
<aCaB> despite the 0.97 name it's pretty much of a bugfix release
<aCaB> 2 off-by-ones, possibly exploitable
<aCaB> the major version bump has got to do with windoze support rather than feature richness
<aCaB> anyway we just froze
<aCaB> regression will take about a week

This is a public channel, but I'm treating it as still private since everyone on the channel is known and it's not publicly logged.

Tags: patch
Revision history for this message
Scott Kitterman (kitterman) wrote :

[10:04:15] <aCaB> small update
[10:04:35] <aCaB> plans about 0.97 with the windoze crap went poof
[10:04:53] <aCaB> so we rel 0.96.5 on the 29th
[10:05:29] <mt> like one week from now?
[10:05:34] <aCaB> right
[10:05:53] <aCaB> security stuff
[10:05:58] <aCaB> but no major diffs
[10:06:07] <mt> ah, I was just about to ask for changes
[10:06:12] <mt> critical changes
[10:06:19] <aCaB> none
[10:06:25] <aCaB> in the functionality
[10:06:34] <aCaB> but yep at least 2 are security

Revision history for this message
Scott Kitterman (kitterman) wrote :

0.95.5 is out now. Having a look at Git to see if I can find these.

visibility: private → public
Revision history for this message
Scott Kitterman (kitterman) wrote :

git clone git://git.clamav.net/git/clamav-devel

And then look at commits 019f1955194360600ecf0644959ceca6734c2d7b and 1f3db7f074995bd4e1d0183b2db8b1c472d2f41b - These are the ones that likely have security implications.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Agree, these look a bit scary.

Changed in clamav (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Scott Kitterman (kitterman) wrote :

Natty fix.

Changed in clamav (Ubuntu):
status: Confirmed → Fix Committed
tags: added: patch
Revision history for this message
Scott Kitterman (kitterman) wrote :

<aCaB> the text should be something like that in the README
<aCaB> sort of
<aCaB> 0.96.5 resolves two issues:
<aCaB> an out of bound read in the pdf module and an off by one in the icon parser
<aCaB> vulnerability: buffer overflow / dos

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

> "1) Multiple errors within the processing of PDF files can be
> exploited to e.g. cause a crash.

Please use CVE-2010-4260

>
> 2) An off-by-one error within the "icon_cb()" function can be
> exploited to cause a memory corruption."
>

Please use CVE-2010-4261

Revision history for this message
Scott Kitterman (kitterman) wrote :

This is already fixed in natty.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Does not apply to karmic (or hardy or dapper, of course).

Revision history for this message
Scott Kitterman (kitterman) wrote :

And backports is already fixed for all releases.

Changed in clamav (Ubuntu Lucid):
status: New → Triaged
Changed in clamav (Ubuntu Maverick):
status: New → Triaged
Changed in clamav (Ubuntu Natty):
status: Fix Committed → Fix Released
Revision history for this message
Steve Beattie (sbeattie) wrote :

Hi Serge,

I've gone ahead and uploaded clamav packages to the ubuntu-security-proposed ppa at https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/ ; please test and report feedback here.

In doing so, I ran into a few issues with your debdiff, mostly having to do with your changelog entries:

1) security fixes for RELEASE need to be targeted for the RELEASE-security pocket (e.g. maverick-security rather than just maverick) rather than just RELEASE as you would for the release under development. (Similarly, for non-security Stable Release Updates, you'd target to the RELEASE-proposed pocket; they get later copied once approved to the RELEASE-updates pocket.)

2) the maverick debdiff was against the version in maverick, not the version in maverick-updates, and thus failed to apply. When performing security updates, our policy is to apply them on top of the latest existing versions in RELEASE-security or RELEASE-updates, whichever is higher. I also adjusted the versioning. See https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging for more information about our policies here.

3) I adjusted your changelog entry to include the CVE identifiers, a reference to this bug report, and direct URL references to the cherry-picked upstream patches to ease people researching the issue based on the changelog and debdiff.

Thanks!

Changed in clamav (Ubuntu Lucid):
status: Triaged → Fix Committed
Changed in clamav (Ubuntu Maverick):
status: Triaged → Fix Committed
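The three changelog points above are mechanical enough to check before uploading. The following is an added example (not the bug report's or Ubuntu's own tooling): a dpkg-compatible version comparison plus a checker that flags a non-security pocket, a version that does not supersede the newest one in -updates/-security, and missing CVE/LP references. The "latest pocket version" values used with it are assumed, not taken from this report.

```python
import re
from itertools import zip_longest

# Added example, not the bug report's or Ubuntu's own tooling; the versions passed
# as "latest pocket version" are assumed values, not taken from the report.
HEADER = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=\w+$")

def _order(c):
    # dpkg weighting: '~' before anything, digit or end = 0, letters, then symbols
    return -1 if c == "~" else 0 if not c or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Same result as dpkg's verrevcmp(): walk alternating non-digit/digit runs
    runs = lambda s: re.findall(r"(\D*)(\d*)", s)
    for (na, da), (nb, db) in zip_longest(runs(a), runs(b), fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def dpkg_version_cmp(v1, v2):
    # <0, 0, >0 like `dpkg --compare-versions`: epoch, then upstream, then revision
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-")
        return int(epoch), (upstream or revision), (revision if upstream else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def check_security_stanza(stanza, latest_pocket_version):
    # Flags the mistakes from the comment above: wrong pocket, a version that
    # does not supersede the newest -updates/-security one, missing CVE/LP refs
    m = HEADER.match(stanza.strip().splitlines()[0])
    if not m:
        return ["unparseable changelog header"]
    _, version, dist = m.groups()
    checks = [
        (dist.endswith("-security"), f"{dist!r} is not a -security pocket"),
        (dpkg_version_cmp(version, latest_pocket_version) > 0,
         f"{version} does not supersede {latest_pocket_version}"),
        (re.search(r"CVE-\d{4}-\d{4,}", stanza), "no CVE identifier"),
        (re.search(r"LP: #\d+", stanza), "no LP bug reference"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed stanzas: GOOD follows the lucid upload on this page; BAD shows the
# mistakes described (wrong pocket, version equal to the assumed -updates one)
GOOD = ("clamav (0.96.3+dfsg-2ubuntu1.0.10.04.2) lucid-security; urgency=low\n\n"
        "  * SECURITY UPDATE: fixes from 0.96.5 (LP: #673654): CVE-2010-4260\n")
BAD = "clamav (0.96.3+dfsg-2ubuntu1.1) maverick; urgency=low\n\n  * security fix\n"
```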
Revision history for this message
Steve Beattie (sbeattie) wrote :

Also, if there are proof-of-concept documents for these issues, it would be great if testcases based on them were added to the lp:qa-regression-testing tests for clamav.py (i.e. http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/annotate/head%3A/scripts/test-clamav.py )

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.96.3+dfsg-2ubuntu1.0.10.04.2

---------------
clamav (0.96.3+dfsg-2ubuntu1.0.10.04.2) lucid-security; urgency=low

  * SECURITY UPDATE: Backport security fixes from 0.96.5 (LP: #673654):
    - (simple port from Scott Kitterman's debdiff for natty)
    - libclamav/pdf.c: fix crashes
    - http://git.clamav.net/gitweb?p=clamav-devel.git;a=commitdiff_plain;h=019f1955194360600ecf0644959ceca6734c2d7b
    - CVE-2010-4260, CVE-2010-4479
    - libclamav/pe_icons.c: off by one
    - http://git.clamav.net/gitweb?p=clamav-devel.git;a=commitdiff_plain;h=1f3db7f074995bd4e1d0183b2db8b1c472d2f41b
    - CVE-2010-4261
 -- Serge Hallyn <email address hidden> Mon, 06 Dec 2010 15:50:03 +0000

Changed in clamav (Ubuntu Lucid):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.96.3+dfsg-2ubuntu1.2

---------------
clamav (0.96.3+dfsg-2ubuntu1.2) maverick-security; urgency=low

  * SECURITY UPDATE: Backport security fixes from 0.96.5 (LP: #673654):
    - (simple port from Scott Kitterman's debdiff for natty)
    - libclamav/pdf.c: fix crashes
    - http://git.clamav.net/gitweb?p=clamav-devel.git;a=commitdiff_plain;h=019f1955194360600ecf0644959ceca6734c2d7b
    - CVE-2010-4260, CVE-2010-4479
    - libclamav/pe_icons.c: off by one
    - http://git.clamav.net/gitweb?p=clamav-devel.git;a=commitdiff_plain;h=1f3db7f074995bd4e1d0183b2db8b1c472d2f41b
    - CVE-2010-4261
 -- Serge Hallyn <email address hidden> Mon, 06 Dec 2010 08:19:13 -0600

Changed in clamav (Ubuntu Maverick):
status: Fix Committed → Fix Released