Debian Bug report logs - #333566
libclamav1: [CAN-2005-3239] OLE2 unpacker stack overflow
Reported by: Marcin Owsiany <marcin@owsiany.pl>
Date: Wed, 12 Oct 2005 17:48:05 UTC
Severity: important
Tags: security, upstream
Fixed in version clamav/0.87.1-1
Done: Stephen Gran <sgran@debian.org>
Bug is archived. No further changes may be made.
Forwarded to bugs@clamav.net
Report forwarded to debian-bugs-dist@lists.debian.org, Stephen Gran <sgran@debian.org>:
Bug#333566; Package clamav.
Acknowledgement sent to Marcin Owsiany <marcin@owsiany.pl>:
New Bug report received and forwarded. Copy sent to Stephen Gran <sgran@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: clamav
Version: 0.87-1
Severity: important
Tags: security
I recently stumbled upon a (probably corrupted) DOC file, which caused
clamd (running with ArchiveMaxFiles 10000) to segfault, causing a DoS. After
specifying --max-files=100000 to clamscan, I could also get clamscan to
segfault.
Here is a backtrace I obtained:
#0 0xb7d993a7 in vfprintf () from /lib/tls/libc.so.6
#1 0xb7dbb4e1 in vsnprintf () from /lib/tls/libc.so.6
#2 0xb7e9e7ae in cli_dbgmsg (str=0xb7ee2090 "%34s ") at others.c:122
#3 0xb7ebb8f4 in print_property_name (pname=0xbf0238b0 "\001", size=18) at ole2_extract.c:186
#4 0xb7ebb961 in print_ole2_property (property=0xbf0238b0) at ole2_extract.c:197
#5 0xb7ebc87c in ole2_walk_property_tree (fd=3, hdr=0xbf8222fc, dir=0x87aa028 "/tmp/clamav-ad8ca4a99a5aca3d", prop_index=5,
handler=0xb7ebcc14 <handler_writefile>, rec_level=1, file_count=0xbf8222a0, limits=0x87a1e58) at ole2_extract.c:509
#6 0xb7ebca1b in ole2_walk_property_tree (fd=3, hdr=0xbf8222fc, dir=0x87aa028 "/tmp/clamav-ad8ca4a99a5aca3d", prop_index=2,
handler=0xb7ebcc14 <handler_writefile>, rec_level=1, file_count=0xbf8222a0, limits=0x87a1e58) at ole2_extract.c:536
#7 0xb7ebca4b in ole2_walk_property_tree (fd=3, hdr=0xbf8222fc, dir=0x87aa028 "/tmp/clamav-ad8ca4a99a5aca3d", prop_index=5,
handler=0xb7ebcc14 <handler_writefile>, rec_level=1, file_count=0xbf8222a0, limits=0x87a1e58) at ole2_extract.c:538
#8 0xb7ebca1b in ole2_walk_property_tree (fd=3, hdr=0xbf8222fc, dir=0x87aa028 "/tmp/clamav-ad8ca4a99a5aca3d", prop_index=2,
handler=0xb7ebcc14 <handler_writefile>, rec_level=1, file_count=0xbf8222a0, limits=0x87a1e58) at ole2_extract.c:536
#9 0xb7ebca4b in ole2_walk_property_tree (fd=3, hdr=0xbf8222fc, dir=0x87aa028 "/tmp/clamav-ad8ca4a99a5aca3d", prop_index=5,
handler=0xb7ebcc14 <handler_writefile>, rec_level=1, file_count=0xbf8222a0, limits=0x87a1e58) at ole2_extract.c:538
#10 0xb7ebca1b in ole2_walk_property_tree (fd=3, hdr=0xbf8222fc, dir=0x87aa028 "/tmp/clamav-ad8ca4a99a5aca3d", prop_index=2,
handler=0xb7ebcc14 <handler_writefile>, rec_level=1, file_count=0xbf8222a0, limits=0x87a1e58) at ole2_extract.c:536
[...]
#13791 0xb7ebca1b in ole2_walk_property_tree (fd=3, hdr=0xbf8222fc, dir=0x87aa028 "/tmp/clamav-ad8ca4a99a5aca3d",
prop_index=3, handler=0xb7ebcc14 <handler_writefile>, rec_level=1, file_count=0xbf8222a0, limits=0x87a1e58)
at ole2_extract.c:536
#13792 0xb7ebc9a1 in ole2_walk_property_tree (fd=3, hdr=0xbf8222fc, dir=0x87aa028 "/tmp/clamav-ad8ca4a99a5aca3d",
prop_index=0, handler=0xb7ebcc14 <handler_writefile>, rec_level=0, file_count=0xbf8222a0, limits=0x87a1e58)
at ole2_extract.c:523
#13793 0xb7ebd68c in cli_ole2_extract (fd=3, dirname=0x87aa028 "/tmp/clamav-ad8ca4a99a5aca3d", limits=0x87a1e58)
at ole2_extract.c:826
#13794 0xb7ea7419 in cli_scanole2 (desc=3, virname=0xbf8226bc, scanned=0x80536fc, root=0x8054720, limits=0x87a1e58,
options=107, arec=1, mrec=0) at scanners.c:1142
#13795 0xb7ea802a in cli_magic_scandesc (desc=3, virname=0xbf8226bc, scanned=0x80536fc, root=0x8054720, limits=0x87a1e58,
options=107, arec=1, mrec=0) at scanners.c:1454
#13796 0xb7ea8421 in cl_scandesc (desc=3, virname=0xbf8226bc, scanned=0x80536fc, root=0x8054720, limits=0x87a1e58,
options=107) at scanners.c:1563
#13797 0x0804e6b4 in checkfile (filename=0x87aa018 "KOCH.DOC", root=0x8054720, limits=0x87a1e58, options=107, printclean=1)
at manager.c:764
#13798 0x0804d77b in scanfile (filename=0x87aa018 "KOCH.DOC", root=0x8054720, user=0x0, opt=0x8054008, limits=0x87a1e58,
options=107) at manager.c:436
#13799 0x0804cf5d in scanmanager (opt=0x8054008) at manager.c:263
#13800 0x0804b40b in clamscan (opt=0x8054008) at clamscan.c:159
#13801 0x0804bcf6 in main (argc=4, argv=0xbf822dd4) at options.c:177
I ran it under gdb, and apparently the problem is that the doc file's property
tree is not actually a tree:
Index  Property            Prev  Next       Child
-------------------------------------------------
    0  RootEntry             -1    -1           3
    3  SummaryInformation     2     4          -1
    2  WordDocument           5    -1          -1
    5  CompObj                0     2  1083217721
This makes ole2_walk_property_tree bounce between properties 2, 5 and 0 until
either the MaxFiles limit is reached or (apparently) the stack is overflowed.
I do not yet have the authorization to forward the doc file in question to you,
but I guess any file with such property graph will do.
This segfault occurred after 13k+ calls, but the clamd on which I discovered the
problem segfaulted with only about 3500+ calls (I have a strace, but it
contains data I am not authorized to forward). I think the difference can be
explained by different system (sid vs sarge), kernel version and program (clamd
vs clamscan).
I guess the problem can be solved in several ways:
- changing ole2_walk_property_tree to an iterative implementation
- keeping a cache of already visited nodes and short-circuiting on second visit
Either way, a warning should be put in the documentation on any recursive
unpacking algorithm in clamav, so one can choose a saner maxfiles limit.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=pl_PL, LC_CTYPE=pl_PL (charmap=ISO-8859-2)
Versions of packages clamav depends on:
ii clamav-freshclam [clamav-data 0.87-1 downloads clamav virus databases f
ii libc6 2.3.5-6 GNU C Library: Shared libraries an
ii libclamav1 0.87-1 virus scanner library
ii zlib1g 1:1.2.3-4 compression library - runtime
Versions of packages clamav recommends:
pn arj <none> (no description available)
pn unzoo <none> (no description available)
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#333566; Package clamav.
Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list.
Message #10 received at 333566@bugs.debian.org:
[Message part 1 (text/plain, inline)]
tags 333566 +upstream
forwarded 333566 bugs@clamav.net
thanks
This one time, at band camp, Marcin Owsiany said:
> I recently stumbled upon a (probably corrupted) DOC file, which caused
> clamd (running with ArchiveMaxFiles 10000) to segfault, causing a DoS. After
> specifying --max-files=100000 to clamscan, I could also get clamscan to
> segfault.
Ouch. Thanks for the debugging. I am forwarding this upstream, so they
can take a look at it, and hopefully get a fix out. Your ideas seem
reasonable, but I'll run it by them first.
Clam team - can you take a look at debian bug 333566, viewable at
http://bugs.debian.org/333566 for the full debug info?
Thanks all,
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]
Tags added: upstream
Request was from Stephen Gran <sgran@debian.org>
to control@bugs.debian.org.
Noted your statement that Bug has been forwarded to bugs@clamav.net.
Request was from Stephen Gran <sgran@debian.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Gran <sgran@debian.org>:
Bug#333566; Package clamav.
Acknowledgement sent to Marcin Owsiany <porridge@mailin1.expro.pl>:
Extra info received and forwarded to list. Copy sent to Stephen Gran <sgran@debian.org>.
Message #19 received at 333566@bugs.debian.org:
[Message part 1 (text/plain, inline)]
Finally, here's the aforementioned doc file itself.
Marcin
[KOCH.DOC (application/msword, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#333566; Package clamav.
Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list.
Message #24 received at 333566@bugs.debian.org:
[Message part 1 (text/plain, inline)]
retitle 333566 libclamav1: [CAN-2005-3239] OLE2 unpacker stack overflow
reassign 333566 libclamav1
thanks
Just noting the assigned number in the bug. Thanks again all.
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]
Changed Bug title.
Request was from Stephen Gran <sgran@debian.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#333566; Package libclamav1.
Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list.
Message #33 received at 333566@bugs.debian.org:
[Message part 1 (text/plain, inline)]
So, it looks like this is the patch that fixes the infinite loop.
Comments, etc, appreciated. Security folks, does this look to you like
it does the job, and can I upload it for sarge?
No word about a new upstream for sid. Will probably apply manually.
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
[CAN-2005-3239.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
Message sent on to Marcin Owsiany <marcin@owsiany.pl>:
Bug#333566.
Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Gran <sgran@debian.org>:
Bug#333566; Package libclamav1.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Stephen Gran <sgran@debian.org>.
Message #41 received at 333566@bugs.debian.org:
* Stephen Gran:
> So, it looks like this is the patch that fixes the infinite loop.
> Comments, etc, appreciated. Security folks, does this look to you like
> it does the job, and can I upload it for sarge?
This is basically a reimplementation of mpz_setbit and friends. If
GMP is a mandatory build dependency of ClamAV, these functions should
probably be used instead.
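The cycle in the property table from message #5 and the visited-node bitmap that message #41 says GMP's mpz_setbit family already provides, as an added example that is neither part of this bug log nor ClamAV's code. Everything below is a constructed toy: property_t, KOCH_PROPS (the four entries from the report's table, with the unlisted indices 1 and 4 assumed to be unlinked leaves), scan_naive and scan_guarded are names introduced here, and the link order (next, prev, child) is a simplification, not ClamAV's. It does keep the one detail the backtrace shows: rec_level rises only on child descent, so every frame in the 2/5 bounce reports rec_level=1, and a recursion-level limit on its own cannot stop such a cycle.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy OLE2 property entry: the three links the report's table lists.
 * Not ClamAV's struct; constructed for this example. -1 means no link. */
typedef struct {
    const char *name;
    int32_t prev, next, child;
} property_t;

/* The property graph from the bug report (indices 0, 3, 2, 5 as listed).
 * Entries 1 and 4 are not shown in the report; they are assumed here to be
 * unlinked leaves so that 3's next link can be followed. */
static const property_t KOCH_PROPS[6] = {
    [0] = { "RootEntry",          -1, -1,  3 },
    [1] = { "(not listed)",       -1, -1, -1 },
    [2] = { "WordDocument",        5, -1, -1 },
    [3] = { "SummaryInformation",  2,  4, -1 },
    [4] = { "(not listed)",       -1, -1, -1 },
    [5] = { "CompObj",             0,  2, 1083217721 },
};

typedef struct {
    uint32_t visits;         /* handler calls: what a MaxFiles counter sees   */
    uint32_t max_rec_level;  /* child descents, like the backtrace's rec_level */
    uint32_t max_frames;     /* total recursion frames, i.e. stack use         */
    uint32_t bad_links;      /* links pointing outside the property table      */
    int      hit_cap;        /* 1 if the frame cap stopped the naive walk      */
} walk_stats_t;

/* Naive walker: no memory of visited nodes. rec_level rises only on child
 * descent, so a prev/next cycle keeps rec_level constant while the frame
 * count grows without bound; the frame cap stands in for the segfault. */
static void walk_naive(const property_t *p, int32_t n, int32_t idx,
                       uint32_t rec_level, uint32_t frames, uint32_t cap,
                       walk_stats_t *st)
{
    if (st->hit_cap) return;                  /* the "process" already died */
    if (idx < 0) return;
    if (idx >= n) { st->bad_links++; return; }
    if (rec_level > st->max_rec_level) st->max_rec_level = rec_level;
    if (frames > st->max_frames) st->max_frames = frames;
    if (frames >= cap) { st->hit_cap = 1; return; }
    st->visits++;
    walk_naive(p, n, p[idx].next,  rec_level,     frames + 1, cap, st);
    walk_naive(p, n, p[idx].prev,  rec_level,     frames + 1, cap, st);
    walk_naive(p, n, p[idx].child, rec_level + 1, frames + 1, cap, st);
}

/* Visited-node bitmap, one bit per property index: the hand-rolled
 * set-bit/test-bit pair that mpz_setbit/mpz_tstbit would replace. */
typedef struct { uint8_t *bits; int32_t n; } bitset_t;

static int  bs_test(const bitset_t *b, int32_t i) { return (b->bits[i >> 3] >> (i & 7)) & 1; }
static void bs_set(bitset_t *b, int32_t i)        { b->bits[i >> 3] |= (uint8_t)(1u << (i & 7)); }

/* Guarded walker: every index is handled at most once, so a back-edge such
 * as 5 -> 2 or 5 -> 0 is cut instead of recursed into. */
static void walk_guarded(const property_t *p, int32_t n, int32_t idx,
                         uint32_t rec_level, uint32_t frames,
                         bitset_t *seen, walk_stats_t *st)
{
    if (idx < 0) return;
    if (idx >= n) { st->bad_links++; return; }
    if (bs_test(seen, idx)) return;           /* already walked: cut the cycle */
    bs_set(seen, idx);
    if (rec_level > st->max_rec_level) st->max_rec_level = rec_level;
    if (frames > st->max_frames) st->max_frames = frames;
    st->visits++;
    walk_guarded(p, n, p[idx].next,  rec_level,     frames + 1, seen, st);
    walk_guarded(p, n, p[idx].prev,  rec_level,     frames + 1, seen, st);
    walk_guarded(p, n, p[idx].child, rec_level + 1, frames + 1, seen, st);
}

/* Entry points; both return the number of properties handed to the handler. */
uint32_t scan_naive(const property_t *p, int32_t n, uint32_t frame_cap, walk_stats_t *st)
{
    memset(st, 0, sizeof *st);
    walk_naive(p, n, 0, 0, 0, frame_cap, st);
    return st->visits;
}

uint32_t scan_guarded(const property_t *p, int32_t n, walk_stats_t *st)
{
    bitset_t seen = { calloc((size_t)(n + 7) / 8, 1), n };
    memset(st, 0, sizeof *st);
    if (!seen.bits) return 0;
    walk_guarded(p, n, 0, 0, 0, &seen, st);
    free(seen.bits);
    return st->visits;
}

int main(void)
{
    walk_stats_t st;
    uint32_t v = scan_naive(KOCH_PROPS, 6, 64, &st);
    printf("naive:   %u visits, rec_level<=%u, frames=%u, cap hit=%d\n",
           v, st.max_rec_level, st.max_frames, st.hit_cap);
    v = scan_guarded(KOCH_PROPS, 6, &st);
    printf("guarded: %u visits, rec_level<=%u, frames=%u, bad links=%u\n",
           v, st.max_rec_level, st.max_frames, st.bad_links);
    return 0;
}
```

Running main prints the two walks side by side: the naive walk hands 65 properties to the handler and then hits the 64-frame cap with rec_level still at 1 (the toy counterpart of the 13k+ frames in the backtrace, or of ArchiveMaxFiles if that is reached first), while the guarded walk visits each of the five reachable entries once, stops at the back-edges 5->2 and 5->0, and counts the out-of-range child index 1083217721 as a bad link worth logging rather than following.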
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#333566; Package libclamav1.
Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list.
Message #46 received at 333566@bugs.debian.org:
[Message part 1 (text/plain, inline)]
This one time, at band camp, Florian Weimer said:
> * Stephen Gran:
>
> > So, it looks like this is the patch that fixes the infinite loop.
> > Comments, etc, appreciated. Security folks, does this look to you like
> > it does the job, and can I upload it for sarge?
>
> This is basically a reimplementation of mpz_setbit and friends. If
> GMP is a mandatory build dependency of ClamAV, these functions should
> probably be used instead.
It is a build dep in Debian, because otherwise you get loud complaints
in your log files about being unable to verify the signatures on the
database updates. The normal upstream source builds and runs without it,
but is happier with it.
I think that probably the right thing is to make it a requirement
upstream, so I will speak to them about it.
Thanks,
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#333566; Package libclamav1.
Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list.
Message #51 received at 333566@bugs.debian.org:
[Message part 1 (text/plain, inline)]
This one time, at band camp, Florian Weimer said:
> * Stephen Gran:
>
> > So, it looks like this is the patch that fixes the infinite loop.
> > Comments, etc, appreciated. Security folks, does this look to you like
> > it does the job, and can I upload it for sarge?
>
> This is basically a reimplementation of mpz_setbit and friends. If
> GMP is a mandatory build dependency of ClamAV, these functions should
> probably be used instead.
I have discussed this with upstream, and they don't want to make gmp
mandatory (right now it's an option to configure). I have confirmed
that it no longer loops on the file in question. Do we want to go ahead
with this, or no? I am ready for an upload if so.
Thanks,
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]
Message sent on to Marcin Owsiany <marcin@owsiany.pl>:
Bug#333566.
Reply sent to Stephen Gran <sgran@debian.org>:
You have taken responsibility.
Notification sent to Marcin Owsiany <marcin@owsiany.pl>:
Bug acknowledged by developer.
Message #59 received at 333566-close@bugs.debian.org:
Source: clamav
Source-Version: 0.87.1-1
We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive:
clamav-base_0.87.1-1_all.deb
to pool/main/c/clamav/clamav-base_0.87.1-1_all.deb
clamav-daemon_0.87.1-1_i386.deb
to pool/main/c/clamav/clamav-daemon_0.87.1-1_i386.deb
clamav-docs_0.87.1-1_all.deb
to pool/main/c/clamav/clamav-docs_0.87.1-1_all.deb
clamav-freshclam_0.87.1-1_i386.deb
to pool/main/c/clamav/clamav-freshclam_0.87.1-1_i386.deb
clamav-milter_0.87.1-1_i386.deb
to pool/main/c/clamav/clamav-milter_0.87.1-1_i386.deb
clamav-testfiles_0.87.1-1_all.deb
to pool/main/c/clamav/clamav-testfiles_0.87.1-1_all.deb
clamav_0.87.1-1.diff.gz
to pool/main/c/clamav/clamav_0.87.1-1.diff.gz
clamav_0.87.1-1.dsc
to pool/main/c/clamav/clamav_0.87.1-1.dsc
clamav_0.87.1-1_i386.deb
to pool/main/c/clamav/clamav_0.87.1-1_i386.deb
clamav_0.87.1.orig.tar.gz
to pool/main/c/clamav/clamav_0.87.1.orig.tar.gz
libclamav-dev_0.87.1-1_i386.deb
to pool/main/c/clamav/libclamav-dev_0.87.1-1_i386.deb
libclamav1_0.87.1-1_i386.deb
to pool/main/c/clamav/libclamav1_0.87.1-1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 333566@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stephen Gran <sgran@debian.org> (supplier of updated clamav package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 3 Nov 2005 23:21:30 +0000
Source: clamav
Binary: clamav libclamav-dev clamav-milter clamav-base clamav-freshclam clamav-testfiles clamav-daemon libclamav1 clamav-docs
Architecture: source all i386
Version: 0.87.1-1
Distribution: unstable
Urgency: low
Maintainer: Stephen Gran <sgran@debian.org>
Changed-By: Stephen Gran <sgran@debian.org>
Description:
clamav - antivirus scanner for Unix
clamav-base - base package for clamav, an anti-virus utility for Unix
clamav-daemon - antivirus scanner daemon
clamav-docs - documentation package for clamav, an anti-virus utility for Unix
clamav-freshclam - downloads clamav virus databases from the Internet
clamav-milter - antivirus scanner for sendmail
clamav-testfiles - use these files to test that your Antivirus program works
libclamav-dev - clam Antivirus library development files
libclamav1 - virus scanner library
Closes: 322396 330240 333400 333566
Changes:
clamav (0.87.1-1) unstable; urgency=low
.
* New upstream release
- Upstream fix for possible infinite loop [libclamav/tnef.c: IDEF1169]
- Upstream fix for possible infinite loop [libclamav/mspack/cabd.c: IDEF1180]
- Upstream fix for buffer size calculation [libclamav/fsg.c: ZDI-CAN-004]
- Upstream fix for possible infinite loop [libclamav/others.c,h, libclamav/ole2_extract.c: CAN-2005-3239] (closes: #333566)
- Upstream fix for boundary checks [libclamav/petite.c]
- Upstream fix to scan attachments that have no file names [libclamav/mbox.c]
* Some more lsb changes to init scripts
* New Translations:
- it (Thanks Cristian Rigamonti <cri@linux.it>)(closes: #330240)
- sv (Thanks Daniel Nylander <po@danielnylander.se>)(closes: #333400)
* Move to dpatch for patch management, and add build-dependencies (dpatch
and cpp)
* Apply patch for bus error on sparc in zzip routines (closes: #322396)
Files:
38cde2f3590f4512a314de2b3ac75f2e 875 utils optional clamav_0.87.1-1.dsc
bf9f038edf0b6d5f76552e1b8d014b81 4468992 utils optional clamav_0.87.1.orig.tar.gz
1db07c66d0d83a4c47e8715c2e7cf2b2 467697 utils optional clamav_0.87.1-1.diff.gz
264744d2f0e1ff5e70f72c9e11c68064 168582 utils optional clamav-base_0.87.1-1_all.deb
303256fba60b651617b168aa90b88b00 127758 utils optional clamav-testfiles_0.87.1-1_all.deb
dcf9b25c4d279133b0a7a5276b49b36e 795146 utils optional clamav-docs_0.87.1-1_all.deb
ccad02c67f00bf678c6c1ae360a3259a 258530 libs optional libclamav1_0.87.1-1_i386.deb
77bfd295cb6b7f7db642ce369ac3439e 65456 utils optional clamav_0.87.1-1_i386.deb
2859c7c5aafecddb18ea84abd4466741 38450 utils optional clamav-daemon_0.87.1-1_i386.deb
acec551989ab1f0025979dca3e3c851e 2771638 utils optional clamav-freshclam_0.87.1-1_i386.deb
fed04b33e8f41dbf63e48e2c3cc6a447 37854 utils extra clamav-milter_0.87.1-1_i386.deb
f1ea9b5693aefdc77d69ad5eb59edde4 159284 libdevel optional libclamav-dev_0.87.1-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDarEgSYIMHOpZA44RAnd3AJ990y6B9d1yiTByFX8y+jYxTonHIACggHvm
xBA7Kt3txmSu8FPWb4PqDG0=
=5GjH
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 18 Jun 2007 13:58:51 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Fri Aug 2 00:42:10 2024; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.