Date: Wed, 24 Apr 2013 18:58:43 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>, Jan Lieskovsky <jlieskov@...hat.com>,
        Felix Groebert <groebert@...gle.com>,
        "Steven M. Christey" <coley@...us.mitre.org>, draynor@...rcefire.com
Subject: Re: Multiple potential security issues fixed in ClamAV
 0.97.8 - any further details?

On 04/24/2013 07:49 AM, Henri Salo wrote:
> On Wed, Apr 24, 2013 at 07:59:04AM -0400, Jan Lieskovsky wrote:
>> Hello Felix,
>> 
>> this is due to the ClamAV 0.97.8 release:
>> [1] http://blog.clamav.net/2013/04/clamav-0978-has-been-released.html
>> [2] https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog
>> [3] https://bugzilla.redhat.com/show_bug.cgi?id=956176
>> [4] https://bugzilla.novell.com/show_bug.cgi?id=816865
>> 
>> Could you clarify how many and what kind of possible security
>> issues have been corrected within this release? (so we would know
>> how many CVE identifiers should be allocated to these)
>> 
>> Thank you && Regards, Jan.
>> -- 
>> Jan iankko Lieskovsky / Red Hat Security Response Team
> 
> Information from Joel Esler. No CVEs assigned yet.

Well, since no one seems to be willing to answer/help on this =(

> commit 270e368b99e93aa5447d46c797c92c3f9f39f375

libclamav/pe.c
- -               if(upxfn(src, ssize, dest, &dsize,
exe_sections[i].rva, exe_sections[i + 1].rva, vep) >= 0)
- -                   upx_success = 1;
- -
- -           } else {
+           }
+           else if(skew > ssize) {
+               /* Ignore suggested skew larger than section size */
+               cli_dbgmsg("UPX: Ignoring bad skew of %d bytes\n", skew);
+               skew = 0;
+           }
+           else {
                cli_dbgmsg("UPX: UPX1 seems skewed by %d bytes\n", skew);
- -               if(upxfn(src + skew, ssize - skew, dest, &dsize,
exe_sections[i].rva, exe_sections[i + 1].rva, vep-skew) >= 0 ||
upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i +
1].rva, v
- -                   upx_success = 1;
+           }
+
+           if(upxfn(src + skew, ssize - skew, dest, &dsize,
exe_sections[i].rva, exe_sections[i + 1].rva, vep-skew) >= 0 ||
upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i +
1].rva, vep)
+               upx_success = 1;
+           }
+           else if(skew && (upxfn(src, ssize, dest, &dsize,
exe_sections[i].rva, exe_sections[i + 1].rva, vep) >= 0)) {
+               upx_success = 1;
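
Review bot: the new guard `else if(skew > ssize)` lets `skew == ssize` through, so the call that follows, `upxfn(src + skew, ssize - skew, ...)`, can be made with a zero-length source and `src + skew` pointing exactly one past the section; `skew >= ssize` would only attempt the skewed unpack when at least one byte remains after the skew. The guard also compares `skew` (logged with `%d`, so apparently signed) against a section size; if `skew` can be negative, rejecting `skew < 0` explicitly next to the size check would document the intent rather than leaving it to how the comparison's operand types convert.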

Seems like a pretty classic buffer overflow.

> commit 24ff855c82d3f5c62bc5788a5776cefbffce2971

libclamav/pdf.c
@@ -1262,7 +1269,7 @@ static void check_user_password(struct
pdf_struct *pdf, int R, const char *O,
- -    } else {
+    } else if ((R >= 2) && (R <= 4)) {

+       if (length > 128)
+           length = 128;
        if (R >= 3) {
- -           if (length > 128)
- -               length = 128;

+    else {
+       /* Supported R is in {2,3,4,5} */
+       cli_dbgmsg("cli_pdf: R value out of range\n");
+       return;
+    }
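
Review bot: the `/* Supported R is in {2,3,4,5} */` comment sits on the fallthrough `else`, while the visible branch only accepts `(R >= 2) && (R <= 4)`, so R == 5 must be handled by the earlier branch that is not shown here; if it is not, R == 5 now hits the out-of-range return. Separately, moving `if (length > 128) length = 128;` out of `if (R >= 3)` means the clamp now also applies when R == 2, which the commit message should state, since that is a behaviour change rather than a reordering.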

+       if ((R > 5) || (R < 2)) {
+           cli_dbgmsg("cli_pdf: R value outside supported range
[2..5]\n");
+           break;
+       }
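
Review bot: this check (`(R > 5) || (R < 2)`, then `break`) rejects the same range that check_user_password already rejects with its own `return`, but the two sites log different messages ("R value out of range" vs "R value outside supported range [2..5]"); keeping the caller-side check as an early exit is fine as defence in depth, but one shared message text would make the log easier to grep. It is also worth confirming in the surrounding code that leaving the enclosing loop with `break`, rather than `return`, is the intended recovery, since whatever was set earlier in that iteration is left as it was.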

Seems like a pretty classic logic error.


> commit c6870a6c857dd722dffaf6d37ae52ec259d12492

libclamav/sis.c
@@ -193,7 +193,7 @@ static char *getsistring(FILE *f, uint32_t ptr,
uint32_t len) {
- -  name = cli_malloc(len);
+  name = cli_malloc(len+1);
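
Review bot: `len` is a `uint32_t` (see the getsistring signature), so `len+1` wraps to 0 when `len == 0xffffffff`, turning the fix into `cli_malloc(0)`; if a caller-supplied length can reach that value, reject it (or enforce an upper bound tied to the file size) before the allocation, e.g. `if (len == UINT32_MAX) return NULL;`. The `+1` itself is the right fix for the terminator; the wrap is the one edge it does not cover.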

Seems like a classic off by one.

> commit 3cbd8b5668bd0f262a8c00b1fd57eb03c117b00a

libclamav/pe_icons.c
    libclamav/pe_icons.c: introduce LOGPARSEICONDETAILS define to
reduce parseicon logging in default build

how is this security related?

> --- Henri Salo

Are there maybe some more commits covering these (the last one has me
stumped).



-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
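
As an added illustration of the sis.c allocation fix (example code, not ClamAV's and not from this thread), below is a bounds-checked reader for a length-prefixed string that shows why the copy needs len+1 bytes and also closes the edge the +1 alone leaves open: a len of 0xffffffff, where len+1 wraps to 0. It assumes an in-memory buffer rather than a FILE *, a string of len raw bytes at offset ptr, and a caller that wants a NUL-terminated copy; read_sis_string and the sample blob are made up for the example and do not reproduce ClamAV's actual reader.

```c
/*
 * Added example (not ClamAV code): a bounds-checked reader for a
 * length-prefixed string, modelled on the getsistring() allocation
 * fix quoted above.  Assumptions (not from the thread): the string is
 * `len` raw bytes at offset `ptr` of an in-memory buffer, and the
 * caller wants a NUL-terminated heap copy.  All names are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns a heap copy of the string, or NULL on any bounds problem. */
char *read_sis_string(const uint8_t *buf, size_t buflen, uint32_t ptr, uint32_t len)
{
    char *name;

    if (len == 0)
        return NULL;
    /* len + 1 must not wrap: with len == UINT32_MAX the allocation
     * below would be a zero-byte buffer and the copy a huge overflow. */
    if (len == UINT32_MAX)
        return NULL;
    /* The bytes we read must lie inside the buffer; written as a
     * subtraction so that ptr + len itself cannot overflow. */
    if (ptr > buflen || len > buflen - ptr)
        return NULL;

    /* One extra byte for the terminator: this is the off-by-one the
     * commit fixes (cli_malloc(len) -> cli_malloc(len+1)). */
    name = malloc((size_t)len + 1);
    if (!name)
        return NULL;
    memcpy(name, buf + ptr, len);
    name[len] = '\0';   /* inside the allocation only because of the +1 */
    return name;
}

/* Constructed sample: a tiny fake blob with a 5-byte string at offset 4. */
static const uint8_t sample[] = {
    0x01, 0x02, 0x03, 0x04, 'H', 'e', 'l', 'l', 'o', 0xff
};

int main(void)
{
    char *s = read_sis_string(sample, sizeof sample, 4, 5);
    printf("%s\n", s ? s : "(rejected)");
    free(s);

    /* A length running past the end of the blob is rejected, not over-read. */
    s = read_sis_string(sample, sizeof sample, 4, 100);
    printf("%s\n", s ? s : "(rejected)");
    free(s);

    /* The wrap case: len + 1 would be 0. */
    s = read_sis_string(sample, sizeof sample, 0, UINT32_MAX);
    printf("%s\n", s ? s : "(rejected)");
    free(s);
    return 0;
}
```

The subtraction form of the range check (`len > buflen - ptr` after `ptr > buflen`) is the general pattern for any length-prefixed field: it never computes `ptr + len`, so there is no second overflow to reason about once the `len == UINT32_MAX` case is excluded for the allocation.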
