ClamAV Upack Processing Buffer Overflow Vulnerability

Bug #217256 reported by stiV on 2008-04-14
Affects          Status   Importance   Assigned to       Milestone
clamav (Ubuntu)           Medium       Unassigned
Dapper                    Undecided    Scott Kitterman
Edgy                      Undecided    Unassigned
Feisty                    Medium       Unassigned
Gutsy                     Undecided    Unassigned

Bug Description

Binary package hint: clamav

See http://secunia.com/secunia_research/2008-11/advisory/

There is no fix available, but there should be soon.

"Secunia Research has discovered a vulnerability in ClamAV, which can
be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the
"cli_scanpe()" function in libclamav/pe.c. This can be exploited to
cause a heap-based buffer overflow via a specially crafted "Upack"
executable.

Successful exploitation allows execution of arbitrary code."
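The advisory above describes a boundary error that turns a crafted size field into a heap overflow, and the changelog later in this thread lists the underlying cause as a possible integer overflow. The following is an added, constructed example (not ClamAV's code and not the real Upack header layout; the struct, field names and functions are hypothetical) showing the classic shape of that bug, a bounds check whose 32-bit addition wraps, next to an overflow-safe check that compares against the remaining space instead:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical packed-section header; this is NOT ClamAV's real Upack
 * layout, just a constructed stand-in for size fields read from the file. */
struct packed_hdr {
    uint32_t src_off;  /* where the packed bytes start inside the file buffer */
    uint32_t src_len;  /* file-controlled length of the packed bytes */
};

/* Wrapping check, the pattern a boundary error of this kind comes from:
 * with 32-bit arithmetic src_off + src_len can wrap past zero, so a huge
 * src_len yields a small "end" and the check passes. Returns 1 = allow. */
int bounds_ok_wrapping(const struct packed_hdr *h, uint32_t buf_size)
{
    uint32_t end = h->src_off + h->src_len;  /* may wrap modulo 2^32 */
    return end <= buf_size;
}

/* Overflow-safe check: compare the length against the space that remains
 * after the offset, so no addition can wrap. Returns 1 = allow. */
int bounds_ok_safe(const struct packed_hdr *h, uint32_t buf_size)
{
    if (h->src_off > buf_size)
        return 0;
    return h->src_len <= buf_size - h->src_off;
}

/* Copy the packed section into a fresh heap buffer only if the safe check
 * passes. Returns the number of bytes copied, or -1 if the header is
 * rejected. The caller frees *out. */
long copy_packed_section(const uint8_t *file, uint32_t file_size,
                         const struct packed_hdr *h, uint8_t **out)
{
    *out = NULL;
    if (!bounds_ok_safe(h, file_size))
        return -1;
    uint8_t *buf = malloc(h->src_len ? h->src_len : 1);
    if (!buf)
        return -1;
    memcpy(buf, file + h->src_off, h->src_len);
    *out = buf;
    return (long)h->src_len;
}

/* Constructed 64-byte sample "file" and two headers: one sane, one whose
 * src_off + src_len wraps to a small value on 32-bit arithmetic. */
#define SAMPLE_SIZE 64u
static const struct packed_hdr sane_hdr    = { 16u, 32u };
static const struct packed_hdr crafted_hdr = { 16u, 0xFFFFFFF8u };  /* 16 + len wraps to 8 */

/* Returns 1 when the sane header is copied and the crafted one rejected. */
int demo(void)
{
    uint8_t file[SAMPLE_SIZE];
    memset(file, 0x41, sizeof file);
    uint8_t *out;
    long n = copy_packed_section(file, SAMPLE_SIZE, &sane_hdr, &out);
    free(out);
    long m = copy_packed_section(file, SAMPLE_SIZE, &crafted_hdr, &out);
    return n == 32 && m == -1;
}

int main(void) { return demo() ? 0 : 1; }
```

The wrapping check accepts the crafted header (16 + 0xFFFFFFF8 wraps to 8, which is below the 64-byte buffer size), which is exactly the condition under which a later copy of src_len bytes would run off the end of a heap allocation; the subtraction-based check rejects it before any copy happens. The same idea applies to multiplications used to size allocations: validate each operand against the remaining range rather than checking the already-wrapped product.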

Scott Kitterman (kitterman) wrote :

A fix for this is uploaded to Debian and I've asked to have it sync'ed for Hardy. We'll also get updates done for the earlier releases as needed.

Changed in clamav:
status: New → Fix Committed
Scott Kitterman (kitterman) wrote :

Sync'ed for Hardy. More issues than just the one initially described:

 clamav (0.92.1~dfsg2-1) unstable; urgency=high
 .
   * libclamav/pe.c: possible integer overflow in wwpack
   * [CVE-2008-1100]: libclamav/pe.c: possible integer overflow in upack
   * [CVE-2008-1387]: libclamav/spin.c: possible integer overflow
   * libclamav/unarj.c: DoS in unarj

Changed in clamav:
importance: Undecided → Medium
status: Fix Committed → Fix Released
assignee: nobody → kitterman
status: New → In Progress
Scott Kitterman (kitterman) wrote :

Dapper is definitely affected, need to look at Edgy/Feisty/Gutsy.

Scott Kitterman (kitterman) wrote :

First I'm having the Hardy package put in dapper-backports, see Bug #219031. Then we'll either patch the Dapper package or copy the new package into dapper-updates.

Scott Kitterman (kitterman) wrote :

Uploaded to dapper-backports.

Scott Kitterman (kitterman) wrote :

Full dapper-updates/dapper-backports debdiff attached. This would bring Dapper up to match Hardy. Note that the entire non-security difference between the versions (the non-security related changes from upstream's 0.92.1) has been running in Hardy since 2008-03-10 without issue.

Scott Kitterman (kitterman) wrote :

It turns out the changes in 0.92.1~dfsg2-1 were not complete for CVE-2008-1833. 0.92.1~dfsg2-1.1 in Hardy and dapper-backports fixes that. Updates are in the ubuntu-clamav PPA too.

Scott Kitterman (kitterman) wrote :

Won't Fix for Edgy due to Edgy end of life.

Changed in clamav:
status: New → Won't Fix
Jamie Strandboge (jdstrand) wrote :

I took a quick look at the dapper-updates to dapper-backports debdiff, and while I haven't tested the dapper-backports release, it seems like a good idea to update dapper to this release as there are a number of security fixes and reliability fixes, and the other updates seemed fairly small. clamav is difficult to maintain in general, and if both LTS releases use the same codebase, that would greatly help maintaining clamav in the long run.

Yes. I think it's the best course. We have 0.92.1 in Hardy and all the backports repositories. Given 0.92 to 0.92.1 caused no problems in Hardy I think it's very low risk.

I'd like to pursue a similar course for Feisty and Gutsy, although the diff there is rather larger. It is still much less than updating Dapper was (the original 0.88.2 to 0.92 jump) and that went pretty smoothly.

Scott Kitterman (kitterman) wrote :

Fixed package copied from dapper-backports to dapper-updates.

Changed in clamav:
status: In Progress → Fix Released

Is Ubuntu's clamav also affected by CVE-2008-0314 (DSA 1549-1 [http://www.debian.org/security/2008/dsa-1549])?

Scott Kitterman (kitterman) wrote :

Read the DSA. Look at the version it's fixed in in Debian Unstable. Look what versions we have.

I did that. (According to Launchpad) clamav in dapper-security is at version 0.92~dfsg-2~dapper1ubuntu0.2, in dapper-updates it's at 0.92.1~dfsg2-1.1~dapper1, and DSA 1549-1 is about 0.92.1~dfsg2-1 for Sid. But since CVE-2008-0314 isn't mentioned in the (Ubuntu) changelogs, I dared to ask that question just to make sure that nothing slipped through.

Scott Kitterman (kitterman) wrote :

Currently it's fixed in Hardy/Intrepid in the regular release pocket.

For Feisty/Gutsy it's fixed in -backports, but not yet in -security.

For Dapper it's fixed in -updates, but not yet in -security.

Work is in progress to get all that resolved.

Scott Kitterman (kitterman) wrote :

Feisty/Gutsy backports copied to -updates, so fixed in all releases.

Changed in clamav:
importance: Undecided → Medium
status: New → Fix Released
status: New → Fix Released