Debian Bug report logs - #328660
clamav: clamav 0.87 fixes vulnerabilities in handling of UPX and FSG compressed executables

Package: clamav; Maintainer for clamav is ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>; Source for clamav is src:clamav.

Reported by: Martin Zobel-Helas <zobel@ftbfs.de>

Date: Fri, 16 Sep 2005 16:33:05 UTC

Severity: serious

Tags: security

Merged with 329280

Found in versions clamav/0.84-2, clamav/0.84-2.sarge.2

Fixed in version clamav/0.87-1

Done: Stephen Gran <sgran@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Stephen Gran <sgran@debian.org>:
Bug#328660; Package clamav.

Acknowledgement sent to Martin Zobel-Helas <zobel@ftbfs.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Stephen Gran <sgran@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Martin Zobel-Helas <zobel@ftbfs.de>
To: submit@bugs.debian.org
Subject: clamav: clamav 0.87 fixes vulnerabilities in handling of UPX and FSG compressed executables
Date: Fri, 16 Sep 2005 18:19:04 +0200
Package: clamav
Version: 0.84-2.sarge.2
Severity: serious
Tags: security

Hi,

the new version 0.87 of clamav fixes vulnerabilities in handling of UPX
and FSG compressed executables.

From upstream's Changelog:
  * Changes backported from CVS:
    - libclamav/upx.c: fix possible buffer overflow (acab)
    - libclamav/fsg.c: fix possible infinite loop (acab)


For sarge the following patches are the ones to fix it:

--- clamav-0.84/libclamav/fsg.c 2005-09-16 17:54:11.121701163 +0200
+++ clamav-0.87/libclamav/fsg.c 2005-09-16 00:49:04.000000000 +0200
@@ -235,7 +235,7 @@
     for (i = 0; i < sectcount  ; i++) {
       uint32_t trva,trsz,traw;
       
-      if ( sections[i].rva < sections[i+1].rva )
+      if ( sections[i].rva <= sections[i+1].rva )
        continue;
       trva = sections[i].rva;
       traw = sections[i].raw;
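Review bot: the loop bound `i < sectcount` together with the `sections[i+1].rva` read on the changed line means the final iteration reads the entry at index `sectcount`; nothing in this hunk shows that the array holds `sectcount + 1` entries, so either the patch description should state that it does or the bound should become `i + 1 < sectcount`. The `<` to `<=` change makes a pair of consecutive sections with equal `rva` take the `continue` path instead of falling through into the `trva`/`traw` rebuild, which is the case the changelog's "fix possible infinite loop" entry refers to; a one-line comment above the test saying why an equal-`rva` pair must be skipped would stop the `<=` from being "simplified" back to `<` later.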


and:

--- clamav-0.84/libclamav/upx.c 2005-04-27 23:53:57.000000000 +0200
+++ clamav-0.87/libclamav/upx.c 2005-09-16 00:53:54.000000000 +0200
@@ -117,7 +117,7 @@
   }
   
   sections = pehdr+0xf8;
-  if ( ! (sectcnt = pehdr[6]+256*pehdr[7])) {
+  if ( ! (sectcnt = (unsigned char)pehdr[6]+256*(unsigned char)pehdr[7])) {
     cli_dbgmsg("UPX: No sections? - giving up rebuild\n");
     return 0;
   }
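Review bot: the casts fix the sign extension on the changed line (the fact that they are needed shows `pehdr` is a plain `char *`, so a byte of 0x80 or above in `pehdr[6]` or `pehdr[7]` was promoted to a negative `int` and `sectcnt` could come out negative or far too large), but the only check that follows is `!sectcnt`; there is still no visible upper bound on `sectcnt` against the amount of data behind `pehdr`, so the code that walks `sections` with it should verify the table fits before its first access. Declaring `pehdr` as `unsigned char *` where it is defined would remove the need for the casts and protect every other byte read from the header, not just these two.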


Greetings
Martin
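An added example, not ClamAV code, that runs the arithmetic from both sides of the upx.c hunk above on a constructed header and adds a defensive reader that also bounds-checks the section table; the 0xf8 table offset comes from the hunk, and the 40-byte section-header entry size and the buffer sizes are assumptions made for the example.

```c
#include <stddef.h>

/* Constructed stand-in for the first 8 bytes of a PE header (not a real
 * file). Bytes 6 and 7 carry the little-endian NumberOfSections, here
 * 0x0080 = 128, chosen because 0x80 is the first byte value whose sign
 * bit is set. */
static const signed char pe_hdr_sample[8] = {
    'P', 'E', 0, 0, 0x4c, 0x01, (signed char)0x80, 0x00 };

/* Pre-fix arithmetic (clamav 0.84 upx.c). There pehdr was a plain char*,
 * signed on x86; signed char is used here so the result is the same on
 * every platform: 0x80 reads as -128. */
int sectcnt_signed(const signed char *pehdr) {
    return pehdr[6] + 256 * pehdr[7];
}

/* Post-fix arithmetic (clamav 0.87): widen each byte as unsigned first. */
int sectcnt_unsigned(const signed char *pehdr) {
    return (unsigned char)pehdr[6] + 256 * (unsigned char)pehdr[7];
}

/* Defensive variant (added here, not ClamAV code): read the count
 * unsigned and refuse it unless the whole section table, starting at
 * pehdr+0xf8 as in the patch and holding 40-byte entries, lies inside
 * the 'avail' bytes that really back pehdr. Returns the count or -1. */
int sectcnt_checked(const unsigned char *pehdr, size_t avail) {
    const size_t table_off = 0xf8;  /* section table offset used by upx.c */
    const size_t entry_sz = 40;     /* sizeof(IMAGE_SECTION_HEADER), assumed */
    if (avail < 8)
        return -1;
    unsigned cnt = pehdr[6] | ((unsigned)pehdr[7] << 8);
    if (cnt == 0)
        return -1;                  /* the "No sections? - giving up" case */
    if (avail < table_off || (avail - table_off) / entry_sz < cnt)
        return -1;                  /* table would run past the buffer */
    return (int)cnt;
}

/* Constructed buffer with room for exactly two section-table entries;
 * the caller picks the count written into bytes 6 and 7. */
static unsigned char two_entry_buf[0xf8 + 2 * 40];

int sectcnt_checked_demo(unsigned count) {
    two_entry_buf[6] = (unsigned char)(count & 0xff);
    two_entry_buf[7] = (unsigned char)(count >> 8);
    return sectcnt_checked(two_entry_buf, sizeof two_entry_buf);
}
```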



Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Gran <sgran@debian.org>:
Bug#328660; Package clamav.

Acknowledgement sent to Martin Zobel-Helas <zobel@ftbfs.de>:
Extra info received and forwarded to list. Copy sent to Stephen Gran <sgran@debian.org>.

Message #10 received at 328660@bugs.debian.org:

From: Martin Zobel-Helas <zobel@ftbfs.de>
To: 328660@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#328660: Acknowledgement (clamav: clamav 0.87 fixes vulnerabilities in handling of UPX and FSG compressed executables)
Date: Fri, 16 Sep 2005 22:19:15 +0200
Hi,

here come the CAN numbers:

CAN-2005-2920 for libclamav/upx.c overflow,
CAN-2005-2919 for the fsg.c infinite loop.


Greetings
Martin




Reply sent to Stephen Gran <sgran@debian.org>:
You have taken responsibility.

Notification sent to Martin Zobel-Helas <zobel@ftbfs.de>:
Bug acknowledged by developer.

Message #15 received at 328660-close@bugs.debian.org:

From: Stephen Gran <sgran@debian.org>
To: 328660-close@bugs.debian.org
Subject: Bug#328660: fixed in clamav 0.87-1
Date: Mon, 19 Sep 2005 02:17:05 -0700
Source: clamav
Source-Version: 0.87-1

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive:

clamav-base_0.87-1_all.deb
  to pool/main/c/clamav/clamav-base_0.87-1_all.deb
clamav-daemon_0.87-1_i386.deb
  to pool/main/c/clamav/clamav-daemon_0.87-1_i386.deb
clamav-docs_0.87-1_all.deb
  to pool/main/c/clamav/clamav-docs_0.87-1_all.deb
clamav-freshclam_0.87-1_i386.deb
  to pool/main/c/clamav/clamav-freshclam_0.87-1_i386.deb
clamav-milter_0.87-1_i386.deb
  to pool/main/c/clamav/clamav-milter_0.87-1_i386.deb
clamav-testfiles_0.87-1_all.deb
  to pool/main/c/clamav/clamav-testfiles_0.87-1_all.deb
clamav_0.87-1.diff.gz
  to pool/main/c/clamav/clamav_0.87-1.diff.gz
clamav_0.87-1.dsc
  to pool/main/c/clamav/clamav_0.87-1.dsc
clamav_0.87-1_i386.deb
  to pool/main/c/clamav/clamav_0.87-1_i386.deb
clamav_0.87.orig.tar.gz
  to pool/main/c/clamav/clamav_0.87.orig.tar.gz
libclamav-dev_0.87-1_i386.deb
  to pool/main/c/clamav/libclamav-dev_0.87-1_i386.deb
libclamav1_0.87-1_i386.deb
  to pool/main/c/clamav/libclamav1_0.87-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 328660@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Gran <sgran@debian.org> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Mon, 19 Sep 2005 09:05:59 +0100
Source: clamav
Binary: clamav libclamav-dev clamav-milter clamav-base clamav-freshclam clamav-testfiles clamav-daemon libclamav1 clamav-docs
Architecture: source all i386
Version: 0.87-1
Distribution: unstable
Urgency: low
Maintainer: Stephen Gran <sgran@debian.org>
Changed-By: Stephen Gran <sgran@debian.org>
Description: 
 clamav     - antivirus scanner for Unix
 clamav-base - base package for clamav, an anti-virus utility for Unix
 clamav-daemon - antivirus scanner daemon
 clamav-docs - documentation package for clamav, an anti-virus utility for Unix
 clamav-freshclam - downloads clamav virus databases from the Internet
 clamav-milter - antivirus scanner for sendmail
 clamav-testfiles - use these files to test that your Antivirus program works
 libclamav-dev - clam Antivirus library development files
 libclamav1 - virus scanner library
Closes: 323132 327707 328660 328912
Changes: 
 clamav (0.87-1) unstable; urgency=low
 .
   * New upstream version
     - Fixes CAN-2005-2920 and CAN-2005-2919 (closes: #328660)
   * New logcheck line for clamav-daemon (closes: #323132)
   * relibtoolize and apply kfreebsd patch (closes: #327707)
   * Make sure init.d script starts freshclam up again after upgrade when run
     from if-up.d (closes: #328912)
Files: 





Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Gran <sgran@debian.org>:
Bug#328660; Package clamav.

Acknowledgement sent to Johan Thelmén <jth@home.se>:
Extra info received and forwarded to list. Copy sent to Stephen Gran <sgran@debian.org>.

Message #20 received at 328660@bugs.debian.org:

From: Johan Thelmén <jth@home.se>
To: 328660@bugs.debian.org
Subject: Urgency low..
Date: Mon, 19 Sep 2005 12:35:53 +0200
Changes:
 clamav (0.87-1) unstable; urgency=low

   * New upstream version
     - Fixes CAN-2005-2920 and CAN-2005-2919 (closes: #328660)

I cannot find any policy about it but I think it should be urgency high or
at least medium. This for building faster (if used) and faster moving into
testing. Two weeks for a remote security fix is not that good when the fix is known.

Please think about it next time.

-- 
Johan Thelmén
Sweden Falun



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#328660; Package clamav.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list.

Message #25 received at 328660@bugs.debian.org:

From: Stephen Gran <sgran@debian.org>
To: Johan Thelmén <jth@home.se>, 328660@bugs.debian.org
Subject: Re: Bug#328660: Urgency low..
Date: Mon, 19 Sep 2005 12:47:07 +0100
This one time, at band camp, Johan Thelmén said:
> 
> Changes:
>  clamav (0.87-1) unstable; urgency=low
> 
>    * New upstream version
>      - Fixes CAN-2005-2920 and CAN-2005-2919 (closes: #328660)
> 
> I cannot find any policy about it but I think it should be urgency high or
> at least medium. This for building faster (if used) and faster moving into
> testing. Two weeks for a remote security fix is not that good when the fix is known.
> 
> Please think about it next time.

Dammit.  You are absolutely correct.  I missed that before upload -
entirely my fault.  I'll contact the release team and see if they can
bump the priority.

Thanks for noticing,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Gran <sgran@debian.org>:
Bug#328660; Package clamav.

Acknowledgement sent to Andreas Barth <aba@not.so.argh.org>:
Extra info received and forwarded to list. Copy sent to Stephen Gran <sgran@debian.org>.

Message #30 received at 328660@bugs.debian.org:

From: Andreas Barth <aba@not.so.argh.org>
To: Stephen Gran <sgran@debian.org>, 328660@bugs.debian.org
Cc: Johan Thelmén <jth@home.se>
Subject: Re: Bug#328660: Urgency low..
Date: Mon, 19 Sep 2005 14:04:03 +0200
* Stephen Gran (sgran@debian.org) [050919 14:03]:
> This one time, at band camp, Johan Thelmén said:
> > 
> > Changes:
> >  clamav (0.87-1) unstable; urgency=low
> > 
> >    * New upstream version
> >      - Fixes CAN-2005-2920 and CAN-2005-2919 (closes: #328660)
> > 
> > I cannot find any policy about it but I think it should be urgency high or
> > at least medium. This for building faster (if used) and faster moving into
> > testing. Two weeks for a remote security fix is not that good when the fix is known.
> > 
> > Please think about it next time.
> 
> Dammit.  You are absolutely correct.  I missed that before upload -
> entirely my fault.  I'll contact the release team and see if they can
> bump the priority.

Bumped.

Cheers,
Andi



Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Gran <sgran@debian.org>:
Bug#328660; Package clamav.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Stephen Gran <sgran@debian.org>.

Message #35 received at 328660@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Stephen Gran <sgran@debian.org>, 328660@bugs.debian.org
Cc: Johan Thelmén <jth@home.se>
Subject: Re: Bug#328660: Urgency low..
Date: Mon, 19 Sep 2005 05:07:56 -0700
On Mon, Sep 19, 2005 at 12:47:07PM +0100, Stephen Gran wrote:

> > Changes:
> >  clamav (0.87-1) unstable; urgency=low

> >    * New upstream version
> >      - Fixes CAN-2005-2920 and CAN-2005-2919 (closes: #328660)

> > I cannot find any policy about it but I think it should be urgency high or
> > at least medium. This for building faster (if used) and faster moving into
> > testing. Two weeks for a remote security fix is not that good when the fix is known.

> > Please think about it next time.

> Dammit.  You are absolutely correct.  I missed that before upload -
> entirely my fault.  I'll contact the release team and see if they can
> bump the priority.

Not meaningfully; the update is held out of testing by the gmp ABI
transition.

Also, upload priorities are sticky for testing purposes, and 0.87-1 will
inherit the high-urgency propagation delay of your previous upload.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Merged 328660 329280. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 02:25:39 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 00:42:21 2014; Machine Name: beach.debian.org
