Date: Wed, 24 Apr 2013 18:58:43 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>, Jan Lieskovsky <jlieskov@...hat.com>,
        Felix Groebert <groebert@...gle.com>,
        "Steven M. Christey" <coley@...us.mitre.org>, draynor@...rcefire.com
Subject: Re: Multiple potential security issues fixed in ClamAV
 0.97.8 - any further details?

On 04/24/2013 07:49 AM, Henri Salo wrote:
> On Wed, Apr 24, 2013 at 07:59:04AM -0400, Jan Lieskovsky wrote:
>> Hello Felix,
>> 
>> this is due to the ClamAV 0.97.8 release:
>> [1] http://blog.clamav.net/2013/04/clamav-0978-has-been-released.html
>> [2] https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog
>> [3] https://bugzilla.redhat.com/show_bug.cgi?id=956176
>> [4] https://bugzilla.novell.com/show_bug.cgi?id=816865
>> 
>> Could you clarify how many and what kind of possible security
>> issues have been corrected within this release? (so we would know
>> how many CVE identifiers should be allocated to these)
>> 
>> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
>> Security Response Team
> 
> Information from Joel Esler. No CVEs assigned yet.

Well since no-one seems to be willing to answer/help on this =(

> commit 270e368b99e93aa5447d46c797c92c3f9f39f375

libclamav/pe.c
- -               if(upxfn(src, ssize, dest, &dsize,
exe_sections[i].rva, exe_sections[i + 1].rva, vep) >= 0)
- -                   upx_success = 1;
- -
- -           } else {
+           }
+           else if(skew > ssize) {
+               /* Ignore suggested skew larger than section size */
+               cli_dbgmsg("UPX: Ignoring bad skew of %d bytes\n", skew);
+               skew = 0;
+           }
+           else {
                cli_dbgmsg("UPX: UPX1 seems skewed by %d bytes\n", skew);
- -               if(upxfn(src + skew, ssize - skew, dest, &dsize,
exe_sections[i].rva, exe_sections[i + 1].rva, vep-skew) >= 0 ||
upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i +
1].rva, v
- -                   upx_success = 1;
+           }
+
+           if(upxfn(src + skew, ssize - skew, dest, &dsize,
exe_sections[i].rva, exe_sections[i + 1].rva, vep-skew) >= 0 ||
upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i +
1].rva, vep)
+               upx_success = 1;
+           }
+           else if(skew && (upxfn(src, ssize, dest, &dsize,
exe_sections[i].rva, exe_sections[i + 1].rva, vep) >= 0)) {
+               upx_success = 1;
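
Review bot: the new guard `else if(skew > ssize)` still lets skew == ssize through, so the call that follows runs as `upxfn(src + skew, ssize - skew, ...)` with a zero-length source starting one past the end of the section; using `>=` would reject that case as well. Separately, once skew has been reset to 0, the two operands of the `||` are the same call (`src + 0`, `ssize - 0`, `vep-0`), so a failed unpack is attempted twice; the unskewed retry is only useful when skew is non-zero, which the trailing `else if(skew && ...)` already expresses.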

Seems like a pretty classic buffer overflow.

> commit 24ff855c82d3f5c62bc5788a5776cefbffce2971

libclamav/pdf.c
@@ -1262,7 +1269,7 @@ static void check_user_password(struct
pdf_struct *pdf, int R, const char *O,
- -    } else {
+    } else if ((R >= 2) && (R <= 4)) {

+       if (length > 128)
+           length = 128;
        if (R >= 3) {
- -           if (length > 128)
- -               length = 128;

+    else {
+       /* Supported R is in {2,3,4,5} */
+       cli_dbgmsg("cli_pdf: R value out of range\n");
+       return;
+    }

+       if ((R > 5) || (R < 2)) {
+           cli_dbgmsg("cli_pdf: R value outside supported range
[2..5]\n");
+           break;
+       }
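
Review bot: the clamp `if (length > 128) length = 128;` now applies for R 2 through 4, but it bounds length only from above and does so silently; if length is a signed value taken from the file, zero or a negative number still reaches the code that follows, so a lower-bound check with a cli_dbgmsg like the ones added for R would close that. The range of R is also validated in two places with two different messages ("R value out of range" and "R value outside supported range [2..5]"); validating once where R is read would keep the two checks from drifting apart.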

Seems like a pretty classic logic error.


> commit c6870a6c857dd722dffaf6d37ae52ec259d12492

libclamav/sis.c
@@ -193,7 +193,7 @@ static char *getsistring(FILE *f, uint32_t ptr,
uint32_t len) {
- -  name = cli_malloc(len);
+  name = cli_malloc(len+1);
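
Review bot: with `uint32_t len` in the signature, `cli_malloc(len+1)` wraps to a zero-byte request when len is 0xFFFFFFFF, so len needs an upper bound checked before the addition. The hunk shows only the allocation; the NULL check on the result and the write that needs the extra byte should be confirmed against the rest of getsistring().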

Seems like a classic off by one.

> commit 3cbd8b5668bd0f262a8c00b1fd57eb03c117b00a

libclamav/pe_icons.c
    libclamav/pe_icons.c: introduce LOGPARSEICONDETAILS define to
reduce parseicon logging in default build

how is this security related?

> --- Henri Salo

Are there maybe some more commits covering these (the last one has me
stumped).



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993