Debian Bug report logs - #247574
clamav changes file-permissions if .deb is scanned with --deb switch as root-user
Reported by: Don't reply <none@nowhere.no>
Date: Wed, 5 May 2004 20:33:07 UTC
Severity: critical
Tags: fixed-upstream, security, upstream
Found in version 0.70-4
Fixed in version clamav/0.71-1
Done: Stephen Gran <sgran@debian.org>
Bug is archived. No further changes may be made.
Forwarded to bugs@clamav.net
Report forwarded to debian-bugs-dist@lists.debian.org, Stephen Gran <sgran@debian.org>:
Bug#247574; Package clamav.
Acknowledgement sent to Don't reply <none@nowhere.no>:
New Bug report received and forwarded. Copy sent to Stephen Gran <sgran@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: clamav
Version: 0.70-4
Severity: critical
Tags: security
Justification: breaks unrelated software
Using clamav like
clamscan -i -r --deb /
may result in changing multiple files to
permission 0700, which makes other packages
unusable. This only happens if .deb-files
(e.g. in /var/cache/apt) are scanned with the
--deb switch as root-user.
This may allow local (and probably
remote) DoS if clamscan is used as
av-scanner by the root-user.
This problem affects unstable/testing systems
using clamav on at least i386-architecture.
temp. workaround:
Don't use the --deb-switch or scan
files as non-root-user.
!!Use apt-get clean!! to delete
.deb files in cache.
Examples of affected packages if .deb is
on the system:
libc6
cpp-2.95
zope
mailman
openssl
xfree86-common
python2.1
tcsh
Example of changes:
changed: /lib/libBrokenLocale-2.2.5.so p(644:700)
changed: /lib/libanl-2.2.5.so p(644:700)
changed: /lib/libcrypt-2.2.5.so p(644:700)
changed: /lib/libdb1-2.2.5.so p(644:700)
changed: /lib/libdl-2.2.5.so p(644:700)
changed: /lib/libm-2.2.5.so p(644:700)
changed: /lib/libnsl-2.2.5.so p(644:700)
changed: /lib/libnss_compat-2.2.5.so p(644:700)
changed: /lib/libnss_dns-2.2.5.so p(644:700)
changed: /lib/libnss_files-2.2.5.so p(644:700)
changed: /lib/libnss_hesiod-2.2.5.so p(644:700)
changed: /lib/libnss_nis-2.2.5.so p(644:700)
changed: /lib/libnss_nisplus-2.2.5.so p(644:700)
changed: /lib/libresolv-2.2.5.so p(644:700)
changed: /lib/librt-2.2.5.so p(644:700)
changed: /lib/libutil-2.2.5.so p(644:700)
changed: /lib/libpthread-0.9.so p(644:700)
changed: /usr/bin/cpp-2.95 p(755:700)
changed: /usr/share/doc/zope/examples/ZopeTutorialExamples.zexp
changed: /usr/share/doc/zope/examples/Examples.zexp p(644:700)
changed: /usr/share/zoneinfo/Europe/Vienna p(644:700)
changed: /usr/lib/cgi-bin/mailman p(755:700)
changed: /usr/lib/mailman/Mailman p(755:700)
changed: /usr/lib/mailman/bin p(755:700)
changed: /usr/lib/mailman/cron p(755:700)
changed: /usr/lib/mailman/filters p(755:700)
changed: /usr/lib/mailman/mail p(755:700)
changed: /usr/lib/mailman/scripts p(755:700)
changed: /etc/ssl/openssl.cnf p(644:700)
changed: /etc/X11/rgb.txt p(644:700)
changed: /etc/X11/xkb p(755:700)
changed: /etc/python2.1/site.py p(644:700)
changed: /etc/mailman p(755:700)
changed: /etc/mailman/mm_cfg.py p(644:700)
changed: /bin/tcsh p(755:700)
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386
Locale: LANG=C, LC_CTYPE=C
Versions of packages clamav depends on:
ii clamav-base 0.70-4 Base package for clamav, an anti-v
ii clamav-freshclam [clamav-da 0.70-4 Downloads clamav virus databases f
ii libc6 2.3.2.ds1-12 GNU C Library: Shared libraries an
ii libclamav1 0.70-4 Virus scanner library
ii zlib1g 1:1.2.1-5 compression library - runtime
-- no debconf information
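The thread never spells out why scanning a .deb as root rewrites modes on the live system; the only hint is the 0.71-1 changelog line "clamscan no longer follows symlinks on archive scanning". The script below is an added illustration of that class of bug, not code from clamav or from this report: it assumes an unpacker that extracts a package's data archive into a scratch directory and then tightens the mode of each extracted path with chmod, which resolves symlinks, so an absolute symlink shipped in the archive (the constructed entry usr/lib/ssl/openssl.cnf -> etc/ssl/openssl.cnf is meant to mirror the kind of link the report's affected files suggest) redirects the chmod to the host file. Everything it touches lives under a temporary directory it creates itself; the paths, the archive contents and the names naive_unpack, safe_unpack and host_mode_after are all constructed for the example.

```python
import os
import stat
import tempfile


# Constructed stand-in for the members of a .deb's data.tar: one regular
# file plus an absolute symlink pointing out into the host filesystem.
def build_sample_entries(host_file):
    return [
        ("file", "usr/share/doc/example/README", b"hello\n"),
        ("symlink", "usr/lib/ssl/openssl.cnf", host_file),
    ]


def write_entry(dest, kind, name, payload):
    """Materialise one archive member below dest and return its path."""
    path = os.path.join(dest, name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    if kind == "file":
        with open(path, "wb") as f:
            f.write(payload)
    elif kind == "symlink":
        os.symlink(payload, path)
    else:
        raise ValueError("unknown entry kind: %r" % kind)
    return path


def naive_unpack(entries, dest):
    """Unpacker with the failure mode (assumed, not taken from clamav):
    it chmods every extracted path, and os.chmod() follows symlinks, so
    an absolute link in the archive redirects the chmod to the target."""
    for kind, name, payload in entries:
        path = write_entry(dest, kind, name, payload)
        os.chmod(path, 0o700)


def safe_unpack(entries, dest):
    """Hardened unpacker: look at the entry with lstat() and never chmod
    a symlink.  os.chmod(..., follow_symlinks=False) is not reliably
    available on Linux, so an explicit S_ISLNK check is the portable way
    to express 'do not follow symlinks' here."""
    for kind, name, payload in entries:
        path = write_entry(dest, kind, name, payload)
        if stat.S_ISLNK(os.lstat(path).st_mode):
            continue  # leave the link alone; its target is not ours
        os.chmod(path, 0o700)


def host_mode_after(unpacker):
    """Create a fake 0644 'host' file in a scratch directory, unpack the
    constructed archive beside it with the given unpacker, and return the
    permission bits the host file ends up with."""
    with tempfile.TemporaryDirectory() as tmp:
        host_file = os.path.join(tmp, "etc", "ssl", "openssl.cnf")
        os.makedirs(os.path.dirname(host_file))
        with open(host_file, "w") as f:
            f.write("# constructed sample config\n")
        os.chmod(host_file, 0o644)

        dest = os.path.join(tmp, "scan-tmp")
        os.mkdir(dest)
        unpacker(build_sample_entries(host_file), dest)
        return stat.S_IMODE(os.stat(host_file).st_mode)


if __name__ == "__main__":
    print("naive unpacker: host file mode is %o" % host_mode_after(naive_unpack))
    print("safe unpacker:  host file mode is %o" % host_mode_after(safe_unpack))
```

Run as an ordinary user the script only damages its own scratch file; run as root against a real package, the same pattern is what turns a 0644 /etc/ssl/openssl.cnf into 0700, which is why the reporter's workaround of scanning as a non-root user contains the blast radius even before the code fix.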
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#247574; Package clamav.
Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list.
Message #10 received at 247574@bugs.debian.org:
tags 247574 +upstream
forwarded 247574 bugs@clamav.net
thanks
This one time, at band camp, Don't reply said:
> Using clamav like
> clamscan -i -r --deb /
> may result in changing multiple files to
> permission 0700, which makes other packages
> unusable. This only happens if .deb-files
> (e.g. in /var/cache/apt) are scanned with the
> --deb switch as root-user.
>
> This may allow local (and probably
> remote) DoS if clamscan is used as
> av-scanner by the root-user.
>
> This problem affects unstable/testing systems
> using clamav on at least i386-architecture.
>
> temp. workaround:
> Don't use the --deb-switch or scan
> files as non-root-user.
> !!Use apt-get clean!! to delete
> .deb files in cache.
Noted and forwarded upstream. This has already been sent upstream
before, and I am waiting for a response. If I have not heard back in
some reasonable amount of time, I will upload with the relevant code
commented out.
Thanks for reporting,
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
Tags added: upstream
Request was from Stephen Gran <sgran@debian.org>
to control@bugs.debian.org.
Noted your statement that Bug has been forwarded to bugs@clamav.net.
Request was from Stephen Gran <sgran@debian.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Gran <sgran@debian.org>:
Bug#247574; Package clamav.
Acknowledgement sent to Don't reply <none@nowhere.no>:
Extra info received and forwarded to list. Copy sent to Stephen Gran <sgran@debian.org>.
Message #19 received at 247574@bugs.debian.org:
Looks like the problem has been fixed in current cvs on clamav.net
Tags added: fixed-upstream
Request was from Stephen Gran <sgran@debian.org>
to control@bugs.debian.org.
Tags added: pending
Request was from Stephen Gran <sgran@debian.org>
to control@bugs.debian.org.
Reply sent to Stephen Gran <sgran@debian.org>:
You have taken responsibility.
Notification sent to Don't reply <none@nowhere.no>:
Bug acknowledged by developer.
Message #28 received at 247574-close@bugs.debian.org:
Source: clamav
Source-Version: 0.71-1
We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive:
clamav-base_0.71-1_all.deb
to pool/main/c/clamav/clamav-base_0.71-1_all.deb
clamav-daemon_0.71-1_i386.deb
to pool/main/c/clamav/clamav-daemon_0.71-1_i386.deb
clamav-freshclam_0.71-1_i386.deb
to pool/main/c/clamav/clamav-freshclam_0.71-1_i386.deb
clamav-milter_0.71-1_i386.deb
to pool/main/c/clamav/clamav-milter_0.71-1_i386.deb
clamav-testfiles_0.71-1_all.deb
to pool/main/c/clamav/clamav-testfiles_0.71-1_all.deb
clamav_0.71-1.diff.gz
to pool/main/c/clamav/clamav_0.71-1.diff.gz
clamav_0.71-1.dsc
to pool/main/c/clamav/clamav_0.71-1.dsc
clamav_0.71-1_i386.deb
to pool/main/c/clamav/clamav_0.71-1_i386.deb
clamav_0.71.orig.tar.gz
to pool/main/c/clamav/clamav_0.71.orig.tar.gz
libclamav1-dev_0.71-1_i386.deb
to pool/main/c/clamav/libclamav1-dev_0.71-1_i386.deb
libclamav1_0.71-1_i386.deb
to pool/main/c/clamav/libclamav1_0.71-1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 247574@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stephen Gran <sgran@debian.org> (supplier of updated clamav package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 20 May 2004 22:23:12 -0400
Source: clamav
Binary: clamav clamav-milter libclamav1-dev clamav-base clamav-freshclam clamav-testfiles clamav-daemon libclamav1
Architecture: source i386 all
Version: 0.71-1
Distribution: unstable
Urgency: low
Maintainer: Stephen Gran <sgran@debian.org>
Changed-By: Stephen Gran <sgran@debian.org>
Description:
clamav - Antivirus scanner for Unix
clamav-base - Base package for clamav, an anti-virus utility for Unix
clamav-daemon - Powerful Antivirus scanner daemon
clamav-freshclam - Downloads clamav virus databases from the Internet
clamav-milter - Fast antivirus scanner for sendmail
clamav-testfiles - Use these files to test that your Antivirus program works
libclamav1 - Virus scanner library
libclamav1-dev - Clam Antivirus library development files
Closes: 209087 236098 238915 239217 245230 245240 247574 247815 248419
Changes:
clamav (0.71-1) unstable; urgency=low
.
* New upstream version
- clamav-milter now uses --pidfile, so can fix init script to use -p
- clamscan no longer follows symlinks on archive scanning
(closes: #247574)
- Can scan msexpand files (closes: #245240)
* Change group for logfiles to adm.
* Fix error in md5sum comparison in clamav-freshclam.config
(closes: #247815)
* clamd no longer runs as root - see NEWS.Debian for more information
(closes: #248419)
* Manually change pid file for clamav-daemon to /var/run/clamav/clamd.pid -
no breakage should occur, and this will assist people with new change to
running as unprivileged user (closes: #238915)
* Add contrib directory to clamav - this package is getting overloaded now,
I think
* Finally get around to including joey's clampipe (closes: #209087)
* Forgot to close this earlier, but it has built just fine on woody for some
time (closes: #236098)
* Manually deal with permissions on /etc/network and /etc/ppp files in
postinst - I still see some installs without -x bit set
* Add multiple interface handling for freshclam and ifup/down method
(closes: #239217, #245230)
Files:
afa7c8fc2c0191eb0c42b62e5d42fe2d 821 utils optional clamav_0.71-1.dsc
096cffd2633cbac5a14b7080b6f67a67 2607615 utils optional clamav_0.71.orig.tar.gz
bcfed43fff4102dc2155430b2016dc6c 431775 utils optional clamav_0.71-1.diff.gz
20b51c42d7db2c6f6198c5e0775b3b9a 55440 utils optional clamav-base_0.71-1_all.deb
71b43047181bc1a6aeac518f3da62a9f 55574 utils optional clamav-testfiles_0.71-1_all.deb
91e925afe68c50f9aabf5ebcec406067 116752 libs optional libclamav1_0.71-1_i386.deb
808e51f9e1c613105518b092d76604fd 846096 utils optional clamav_0.71-1_i386.deb
efa2b5126da58f7b8eebee13e57d5fa7 108684 utils optional clamav-daemon_0.71-1_i386.deb
858ce2606a2ba651afa271799cf6eece 1173192 utils optional clamav-freshclam_0.71-1_i386.deb
ff1e1cf8470854f96c3b22aaa94b8521 88694 utils extra clamav-milter_0.71-1_i386.deb
148edb4fbbc14605bd788b4dcfd3507a 127862 libdevel optional libclamav1-dev_0.71-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFArXTXSYIMHOpZA44RAjGqAKCVm/PJH3woN00TGitbi8m8DAn0XACeIr4V
B2704nhSEB5IZPfdcHy2UwY=
=D8rW
-----END PGP SIGNATURE-----