Debian Bug report logs - #507624
clamav: recursive stack overflow in jpeg parsing code

version graph

Package: clamav; Maintainer for clamav is ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>; Source for clamav is src:clamav.

Reported by: "Michael Gilbert" <michael.s.gilbert@gmail.com>

Date: Wed, 3 Dec 2008 02:06:01 UTC

Severity: grave

Tags: fixed-upstream, security

Found in versions clamav/0.90.1dfsg-4etch15, clamav/0.94.dfsg-1

Fixed in versions clamav/0.94.dfsg.2-1, clamav/0.90.1dfsg-4etch16

Done: Stephen Gran <sgran@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#507624; Package clamav. (Wed, 03 Dec 2008 02:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>.

Your message had a Version: pseudo-header with an invalid package version:

0.90.1dfsg-4etch15 , 0.94.dfsg-1 , 0.94.dfsg.2-1

please either use found or fixed to the control server with a correct version, or reply to this report indicating the correct version so the maintainer (or someone else) can correct it for you.

(Wed, 03 Dec 2008 02:06:03 GMT) Full text and rfc822 format available.


Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Michael Gilbert" <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: clamav: recursive stack overflow in jpeg parsing code
Date: Tue, 2 Dec 2008 21:04:33 -0500
Package: clamav
Version: 0.90.1dfsg-4etch15 , 0.94.dfsg-1 , 0.94.dfsg.2-1
Severity: grave
Tags: security
Justification: user security hole

ubuntu recently issued a security notice for clamav [1] that fixes a
recursive stack overflow problem in the jpeg parsing code.  there is no CVE
id at this point, and the problem is already fixed upstream in clamav
version 0.94.2.  further details can be found in the ubuntu bug log [2].
they issued fixes insanely fast on this one (within twenty-seven hours of the
initial report) -- very commendable.

thanks for working to keep debian secure.

[1] http://www.ubuntu.com/usn/usn-684-1
[2] https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/304017




Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#507624; Package clamav. (Wed, 03 Dec 2008 02:18:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Wed, 03 Dec 2008 02:18:04 GMT) Full text and rfc822 format available.

Message #10 received at 507624@bugs.debian.org (full text, mbox):

From: "Michael Gilbert" <michael.s.gilbert@gmail.com>
To: 507624@bugs.debian.org, control@bugs.debian.org
Date: Tue, 2 Dec 2008 21:15:11 -0500
tag 507624 fixed-upstream
found 0.90.1dfsg-4etch15
found 0.94.dfsg-1
found 0.94.dfsg.2-1
thank you




Tags added: fixed-upstream Request was from "Michael Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Wed, 03 Dec 2008 02:18:06 GMT) Full text and rfc822 format available.

Bug marked as found in version 0.90.1dfsg-4etch15. Request was from "Michael Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Wed, 03 Dec 2008 02:21:02 GMT) Full text and rfc822 format available.

Bug marked as found in version 0.94.dfsg-1. Request was from "Michael Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Wed, 03 Dec 2008 02:21:02 GMT) Full text and rfc822 format available.

Bug marked as found in version 0.94.dfsg.2-1. Request was from "Michael Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Wed, 03 Dec 2008 02:21:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#507624; Package clamav. (Wed, 03 Dec 2008 03:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Scott Kitterman <scott@kitterman.com>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Wed, 03 Dec 2008 03:06:03 GMT) Full text and rfc822 format available.

Message #23 received at 507624@bugs.debian.org (full text, mbox):

From: Scott Kitterman <scott@kitterman.com>
To: pkg-clamav-devel@lists.alioth.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>, 507624@bugs.debian.org
Subject: Re: [Pkg-clamav-devel] Bug#507624: clamav: recursive stack overflow in jpeg parsing code
Date: Tue, 2 Dec 2008 22:00:22 -0500
The fix is in trunk/libclamav/special.c in th clamav svn.  Look at the diff 
between revs 4291 and 4483.  




Bug no longer marked as found in version 0.94.dfsg.2-1. Request was from Michael Tautschnig <mt@debian.org> to control@bugs.debian.org. (Wed, 03 Dec 2008 04:18:02 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 0.94.dfsg.2-1. Request was from Michael Tautschnig <mt@debian.org> to control@bugs.debian.org. (Wed, 03 Dec 2008 04:18:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#507624; Package clamav. (Wed, 03 Dec 2008 05:06:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Leonel Nunez" <listas@enelserver.com>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Wed, 03 Dec 2008 05:06:02 GMT) Full text and rfc822 format available.

Message #32 received at 507624@bugs.debian.org (full text, mbox):

From: "Leonel Nunez" <listas@enelserver.com>
To: "Scott Kitterman" <scott@kitterman.com>
Cc: pkg-clamav-devel@lists.alioth.debian.org, "Michael Gilbert" <michael.s.gilbert@gmail.com>, 507624@bugs.debian.org
Subject: Re: [Pkg-clamav-devel] Bug#507624: clamav: recursive stack overflow in jpeg parsing code
Date: Tue, 2 Dec 2008 21:55:35 -0700 (MST)
> The fix is in trunk/libclamav/special.c in th clamav svn.  Look at the
> diff
> between revs 4291 and 4483.
>
> _______________________________________________
> Pkg-clamav-devel mailing list
> Pkg-clamav-devel@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-clamav-devel
>


I guess there are more changes  since the special.c  makes reference to 2
variables

one for example is :

maxreclevel is now on cl_engine struct  and was in cl_limits on clamav.h

and in :
http://svn.clamav.net/websvn/listing.php?repname=clamav-devel&path=%2Ftrunk%2Flibclamav%2F&rev=4483&sc=1

There's no mention about that change

Leonel






Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#507624; Package clamav. (Wed, 03 Dec 2008 06:42:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Tautschnig <mt@debian.org>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Wed, 03 Dec 2008 06:42:02 GMT) Full text and rfc822 format available.

Message #37 received at 507624@bugs.debian.org (full text, mbox):

From: Michael Tautschnig <mt@debian.org>
To: control@bugs.debian.org, 507624@bugs.debian.org
Subject: Fix prepared
Date: Tue, 2 Dec 2008 22:37:48 -0800
[Message part 1 (text/plain, inline)]
tag 507624 + pending
thanks

A patch for this bug has been prepared and is sitting in our git repo, ready to
get uploaded once we get approval.

Best,
Michael

[Message part 2 (application/pgp-signature, inline)]

Tags added: pending Request was from Michael Tautschnig <mt@debian.org> to control@bugs.debian.org. (Wed, 03 Dec 2008 06:42:03 GMT) Full text and rfc822 format available.

Reply sent to Stephen Gran <sgran@debian.org>:
You have taken responsibility. (Fri, 05 Dec 2008 20:00:17 GMT) Full text and rfc822 format available.

Notification sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Fri, 05 Dec 2008 20:00:17 GMT) Full text and rfc822 format available.

Message #44 received at 507624-close@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: 507624-close@bugs.debian.org
Subject: Bug#507624: fixed in clamav 0.90.1dfsg-4etch16
Date: Fri, 05 Dec 2008 19:52:40 +0000
Source: clamav
Source-Version: 0.90.1dfsg-4etch16

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive:

clamav-base_0.90.1dfsg-4etch16_all.deb
  to pool/main/c/clamav/clamav-base_0.90.1dfsg-4etch16_all.deb
clamav-daemon_0.90.1dfsg-4etch16_amd64.deb
  to pool/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_amd64.deb
clamav-dbg_0.90.1dfsg-4etch16_amd64.deb
  to pool/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_amd64.deb
clamav-docs_0.90.1dfsg-4etch16_all.deb
  to pool/main/c/clamav/clamav-docs_0.90.1dfsg-4etch16_all.deb
clamav-freshclam_0.90.1dfsg-4etch16_amd64.deb
  to pool/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_amd64.deb
clamav-milter_0.90.1dfsg-4etch16_amd64.deb
  to pool/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_amd64.deb
clamav-testfiles_0.90.1dfsg-4etch16_all.deb
  to pool/main/c/clamav/clamav-testfiles_0.90.1dfsg-4etch16_all.deb
clamav_0.90.1dfsg-4etch16.diff.gz
  to pool/main/c/clamav/clamav_0.90.1dfsg-4etch16.diff.gz
clamav_0.90.1dfsg-4etch16.dsc
  to pool/main/c/clamav/clamav_0.90.1dfsg-4etch16.dsc
clamav_0.90.1dfsg-4etch16_amd64.deb
  to pool/main/c/clamav/clamav_0.90.1dfsg-4etch16_amd64.deb
libclamav-dev_0.90.1dfsg-4etch16_amd64.deb
  to pool/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_amd64.deb
libclamav2_0.90.1dfsg-4etch16_amd64.deb
  to pool/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 507624@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Gran <sgran@debian.org> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 03 Dec 2008 11:08:39 -0800
Source: clamav
Binary: clamav libclamav-dev clamav-dbg clamav-milter clamav-base clamav-freshclam clamav-testfiles clamav-daemon libclamav2 clamav-docs
Architecture: source amd64 all
Version: 0.90.1dfsg-4etch16
Distribution: stable-security
Urgency: high
Maintainer: Stephen Gran <sgran@debian.org>
Changed-By: Stephen Gran <sgran@debian.org>
Description: 
 clamav     - antivirus scanner for Unix
 clamav-base - base package for clamav, an anti-virus utility for Unix
 clamav-daemon - antivirus scanner daemon
 clamav-dbg - debug symbols for clamav
 clamav-docs - documentation package for clamav, an anti-virus utility for Unix
 clamav-freshclam - downloads clamav virus databases from the Internet
 clamav-milter - antivirus scanner for sendmail
 clamav-testfiles - use these files to test that your Antivirus program works
 libclamav-dev - clam Antivirus library development files
 libclamav2 - virus scanner library
Closes: 505134 507624
Changes: 
 clamav (0.90.1dfsg-4etch16) stable-security; urgency=high
 .
   * [CVE-2008-5050]: libclamav/vba_extract.c: possible buffer overflow
     (Closes: #505134)
   * [CVE-2008-5314]: libclamav/special.c: respect recursion limits in
     cli_check_jpeg_exploit() (Closes: #507624)
Files: 
 ebc60299a69aab41dfdb77e667e2857c 908 utils optional clamav_0.90.1dfsg-4etch16.dsc
 5ae1da1b6351a13b5c385919960ca9b7 216130 utils optional clamav_0.90.1dfsg-4etch16.diff.gz
 63e3898029276baf914fafa347747996 201408 utils optional clamav-base_0.90.1dfsg-4etch16_all.deb
 189a55ca25bdf9e03a0ae3b9f4a565e9 158564 utils optional clamav-testfiles_0.90.1dfsg-4etch16_all.deb
 5d316f2ea821b441971b0e05e58e481d 1003722 utils optional clamav-docs_0.90.1dfsg-4etch16_all.deb
 6207bf783731c636eaa192d696466a88 341684 libs optional libclamav2_0.90.1dfsg-4etch16_amd64.deb
 bc8b467814eb5b76b6a165ee7abbbb7d 856672 utils optional clamav_0.90.1dfsg-4etch16_amd64.deb
 99ba1e041488e76a7d6e457ed51536f0 179200 utils optional clamav-daemon_0.90.1dfsg-4etch16_amd64.deb
 cd9f623cfb4f23d1777cf21e830d74b2 9302094 utils optional clamav-freshclam_0.90.1dfsg-4etch16_amd64.deb
 c2aa51b550584931f3f1b7b1f6df6508 177968 utils extra clamav-milter_0.90.1dfsg-4etch16_amd64.deb
 e0db968192096ac9215ab676b5750c7d 355706 libdevel optional libclamav-dev_0.90.1dfsg-4etch16_amd64.deb
 5e87c000b193a1d25e03580496b91fc2 594608 utils extra clamav-dbg_0.90.1dfsg-4etch16_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkk23UYACgkQvx6dH3bVKsTRRACgsWpbojk4+KJ9RFG/bM955F4A
5mkAni4qjTCXzElXZTnyyivsKkf+rm8B
=HHZI
-----END PGP SIGNATURE-----





Reply sent to Stephen Gran <sgran@debian.org>:
You have taken responsibility. (Wed, 17 Dec 2008 21:19:50 GMT) Full text and rfc822 format available.

Notification sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Wed, 17 Dec 2008 21:19:51 GMT) Full text and rfc822 format available.

Message #49 received at 507624-close@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: 507624-close@bugs.debian.org
Subject: Bug#507624: fixed in clamav 0.90.1dfsg-4etch16
Date: Wed, 17 Dec 2008 21:02:51 +0000
Source: clamav
Source-Version: 0.90.1dfsg-4etch16

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive:

clamav-base_0.90.1dfsg-4etch16_all.deb
  to pool/main/c/clamav/clamav-base_0.90.1dfsg-4etch16_all.deb
clamav-daemon_0.90.1dfsg-4etch16_amd64.deb
  to pool/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_amd64.deb
clamav-dbg_0.90.1dfsg-4etch16_amd64.deb
  to pool/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_amd64.deb
clamav-docs_0.90.1dfsg-4etch16_all.deb
  to pool/main/c/clamav/clamav-docs_0.90.1dfsg-4etch16_all.deb
clamav-freshclam_0.90.1dfsg-4etch16_amd64.deb
  to pool/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_amd64.deb
clamav-milter_0.90.1dfsg-4etch16_amd64.deb
  to pool/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_amd64.deb
clamav-testfiles_0.90.1dfsg-4etch16_all.deb
  to pool/main/c/clamav/clamav-testfiles_0.90.1dfsg-4etch16_all.deb
clamav_0.90.1dfsg-4etch16.diff.gz
  to pool/main/c/clamav/clamav_0.90.1dfsg-4etch16.diff.gz
clamav_0.90.1dfsg-4etch16.dsc
  to pool/main/c/clamav/clamav_0.90.1dfsg-4etch16.dsc
clamav_0.90.1dfsg-4etch16_amd64.deb
  to pool/main/c/clamav/clamav_0.90.1dfsg-4etch16_amd64.deb
libclamav-dev_0.90.1dfsg-4etch16_amd64.deb
  to pool/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_amd64.deb
libclamav2_0.90.1dfsg-4etch16_amd64.deb
  to pool/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 507624@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Gran <sgran@debian.org> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 03 Dec 2008 11:08:39 -0800
Source: clamav
Binary: clamav libclamav-dev clamav-dbg clamav-milter clamav-base clamav-freshclam clamav-testfiles clamav-daemon libclamav2 clamav-docs
Architecture: source amd64 all
Version: 0.90.1dfsg-4etch16
Distribution: stable-security
Urgency: high
Maintainer: Stephen Gran <sgran@debian.org>
Changed-By: Stephen Gran <sgran@debian.org>
Description: 
 clamav     - antivirus scanner for Unix
 clamav-base - base package for clamav, an anti-virus utility for Unix
 clamav-daemon - antivirus scanner daemon
 clamav-dbg - debug symbols for clamav
 clamav-docs - documentation package for clamav, an anti-virus utility for Unix
 clamav-freshclam - downloads clamav virus databases from the Internet
 clamav-milter - antivirus scanner for sendmail
 clamav-testfiles - use these files to test that your Antivirus program works
 libclamav-dev - clam Antivirus library development files
 libclamav2 - virus scanner library
Closes: 505134 507624
Changes: 
 clamav (0.90.1dfsg-4etch16) stable-security; urgency=high
 .
   * [CVE-2008-5050]: libclamav/vba_extract.c: possible buffer overflow
     (Closes: #505134)
   * [CVE-2008-5314]: libclamav/special.c: respect recursion limits in
     cli_check_jpeg_exploit() (Closes: #507624)
Files: 
 ebc60299a69aab41dfdb77e667e2857c 908 utils optional clamav_0.90.1dfsg-4etch16.dsc
 5ae1da1b6351a13b5c385919960ca9b7 216130 utils optional clamav_0.90.1dfsg-4etch16.diff.gz
 63e3898029276baf914fafa347747996 201408 utils optional clamav-base_0.90.1dfsg-4etch16_all.deb
 189a55ca25bdf9e03a0ae3b9f4a565e9 158564 utils optional clamav-testfiles_0.90.1dfsg-4etch16_all.deb
 5d316f2ea821b441971b0e05e58e481d 1003722 utils optional clamav-docs_0.90.1dfsg-4etch16_all.deb
 6207bf783731c636eaa192d696466a88 341684 libs optional libclamav2_0.90.1dfsg-4etch16_amd64.deb
 bc8b467814eb5b76b6a165ee7abbbb7d 856672 utils optional clamav_0.90.1dfsg-4etch16_amd64.deb
 99ba1e041488e76a7d6e457ed51536f0 179200 utils optional clamav-daemon_0.90.1dfsg-4etch16_amd64.deb
 cd9f623cfb4f23d1777cf21e830d74b2 9302094 utils optional clamav-freshclam_0.90.1dfsg-4etch16_amd64.deb
 c2aa51b550584931f3f1b7b1f6df6508 177968 utils extra clamav-milter_0.90.1dfsg-4etch16_amd64.deb
 e0db968192096ac9215ab676b5750c7d 355706 libdevel optional libclamav-dev_0.90.1dfsg-4etch16_amd64.deb
 5e87c000b193a1d25e03580496b91fc2 594608 utils extra clamav-dbg_0.90.1dfsg-4etch16_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkk23UYACgkQvx6dH3bVKsTRRACgsWpbojk4+KJ9RFG/bM955F4A
5mkAni4qjTCXzElXZTnyyivsKkf+rm8B
=HHZI
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 15 Jan 2009 07:27:06 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 00:02:23 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.