Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 3 May 2015 18:24:34 +0200
From: Sebastian Andrzej Siewior <cve-announce@...breakpoint.cc>
To: oss-security@...ts.openwall.com
Subject: CVE request - clamav - crashes on crafted upack packed file

WinUPack / UPack [0] is a tool for compressing PE files. Clamav [1] is a virus
scanning tool which is able to unpack such files during scanning.

There are two issues:
- There is a wrongly implemented range check. The size (of the memory) has
  been fed as (j * 4) into the macro. With this written as-is the compiler
  treats it as a "32 bit" operation and feeds the result into the macro. That
  means the "64 bit" cast (to catch 32bit overflows) can not be performed
  anymore. The result is a segfault. This has been fixed [2].

- A missing range check while invoking cli_rebuildpe(). A crafted file may
  lead to reading more data from the file than memory has been allocated
  leading to a crash. This has been fixed [3].

The two fixes are part of the 0.98.7 release.
Both bugs have been discovered by AFL [4], american fuzzy lop.

[0] http://www.woodmann.com/collaborative/tools/index.php/WinUPack_3.99_and_UPack_3.999
[1] http://www.clamav.net/
[2] https://github.com/vrtadmin/clamav-devel/commit/a18af359decd270f5088e80e2ee2866c62e0843e
[3] https://github.com/vrtadmin/clamav-devel/commit/ed56f56c1f1529bda877ddd116ae7bc064667c73
[4] http://lcamtuf.coredump.cx/afl/

Sebastian

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ