Date: Sun, 3 May 2015 18:24:34 +0200
From: Sebastian Andrzej Siewior <cve-announce@...breakpoint.cc>
To: oss-security@...ts.openwall.com
Subject: CVE request - clamav - crashes on crafted upack packed file

WinUPack / UPack [1] is a tool for compressing PE files. Clamav [2] is a
virus scanning tool which is able to unpack such files during scanning.
There are two issues:

- There is a wrongly implemented range check. The size (of the memory) has
  been fed as (j * 4) into the macro. With this written as-is the compiler
  treats it as a "32 bit" operation and feeds the result into the macro.
  That means the "64 bit" cast (to catch 32bit overflows) can not be
  performed anymore. The result is a segfault.
  This has been fixed [3].

- A missing range check while invoking cli_rebuildpe(). A crafted file may
  lead to reading more data from the file than memory has been allocated
  leading to a crash.
  This has been fixed [4].

The two fixes are part of the 0.98.7 release. Both bugs have been
discovered by AFL [5], american fuzzy lop.

[1] http://www.woodmann.com/collaborative/tools/index.php/WinUPack_3.99_and_UPack_3.999
[2] http://www.clamav.net/
[3] https://github.com/vrtadmin/clamav-devel/commit/a18af359decd270f5088e80e2ee2866c62e0843e
[4] https://github.com/vrtadmin/clamav-devel/commit/ed56f56c1f1529bda877ddd116ae7bc064667c73
[5] http://lcamtuf.coredump.cx/afl/

Sebastian
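
The first issue in the message above, shown as an added example that is not part of the original post and is not ClamAV's code: a range-check macro that widens its arguments to 64 bits cannot help when the caller's `j * 4` has already wrapped in 32-bit arithmetic. The macro `IN_BOUNDS`, the two caller functions and all values are hypothetical, and the widened variant is one way to avoid the wrap, not necessarily the upstream patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical range check: does [off, off + size) fit in buf_size bytes?
 * The 64-bit casts are meant to keep off + size from wrapping in 32 bits. */
#define IN_BOUNDS(buf_size, off, size) \
    ((uint64_t)(off) + (uint64_t)(size) <= (uint64_t)(buf_size))

/* Broken caller: j * 4 is computed as a 32-bit unsigned product, so it
 * wraps first and the macro's cast only widens the wrapped value. */
int check_broken(uint32_t buf_size, uint32_t off, uint32_t j)
{
    return IN_BOUNDS(buf_size, off, j * 4);
}

/* Widened caller: promote j before multiplying so the macro sees the
 * true byte count and can reject it. */
int check_fixed(uint32_t buf_size, uint32_t off, uint32_t j)
{
    return IN_BOUNDS(buf_size, off, (uint64_t)j * 4);
}

int main(void)
{
    /* Constructed values: 0x40000001 * 4 wraps to 4 in 32-bit arithmetic. */
    uint32_t buf_size = 4096, off = 16, j = 0x40000001u;

    printf("32-bit product:  %u\n", (unsigned)(j * 4));
    printf("broken accepts:  %d\n", check_broken(buf_size, off, j));
    printf("widened accepts: %d\n", check_fixed(buf_size, off, j));
    return 0;
}
```

When a size expression is built from file-controlled fields, the widening has to happen at the call site, before the arithmetic, because a cast inside the macro is applied only to the finished result.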