Message-ID: <51787FC3.2050908@redhat.com>
Date: Wed, 24 Apr 2013 18:58:43 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>, Jan Lieskovsky <jlieskov@...hat.com>, Felix Groebert <groebert@...gle.com>, "Steven M. Christey" <coley@...us.mitre.org>, draynor@...rcefire.com
Subject: Re: Multiple potential security issues fixed in ClamAV 0.97.8 - any further details?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/24/2013 07:49 AM, Henri Salo wrote:
> On Wed, Apr 24, 2013 at 07:59:04AM -0400, Jan Lieskovsky wrote:
>> Hello Felix,
>>
>> this is due to the ClamAV 0.97.8 release:
>> [1] http://blog.clamav.net/2013/04/clamav-0978-has-been-released.html
>> [2] https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog
>> [3] https://bugzilla.redhat.com/show_bug.cgi?id=956176
>> [4] https://bugzilla.novell.com/show_bug.cgi?id=816865
>>
>> Could you clarify how many and what kind of possible security
>> issues have been corrected within this release? (so we would know
>> how many CVE identifiers should be allocated to these)
>>
>> Thank you && Regards, Jan.
>> --
>> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> Information from Joel Esler. No CVEs assigned yet.

Well since no-one seems to be willing to answer/help on this =(

> commit 270e368b99e93aa5447d46c797c92c3f9f39f375 libclamav/pe.c
- - if(upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >= 0) - - upx_success = 1; - - - - } else { + } + else if(skew > ssize) { + /* Ignore suggested skew larger than section size */ + cli_dbgmsg("UPX: Ignoring bad skew of %d bytes\n", skew); + skew = 0; + } + else { cli_dbgmsg("UPX: UPX1 seems skewed by %d bytes\n", skew); - - if(upxfn(src + skew, ssize - skew, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep-skew) >= 0 || upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, v - - upx_success = 1; + } + + if(upxfn(src + skew, ssize - skew, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep-skew) >= 0 || upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) + upx_success = 1; + } + else if(skew && (upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >= 0)) { + upx_success = 1;

Seems like a pretty classic buffer overflow.

> commit 24ff855c82d3f5c62bc5788a5776cefbffce2971 libclamav/pdf.c
@@ -1262,7 +1269,7 @@ static void check_user_password(struct pdf_struct *pdf, int R, const char *O, - - } else { + } else if ((R >= 2) && (R <= 4)) { + if (length > 128) + length = 128; if (R >= 3) { - - if (length > 128) - - length = 128; + else { + /* Supported R is in {2,3,4,5} */ + cli_dbgmsg("cli_pdf: R value out of range\n"); + return; + } + if ((R > 5) || (R < 2)) { + cli_dbgmsg("cli_pdf: R value outside supported range [2..5]\n"); + break; + }

Seems like a pretty classic logic error.

> commit c6870a6c857dd722dffaf6d37ae52ec259d12492 libclamav/sis.c
@@ -193,7 +193,7 @@ static char *getsistring(FILE *f, uint32_t ptr, uint32_t len) { - - name = cli_malloc(len); + name = cli_malloc(len+1);

Seems like a classic off by one.

> commit 3cbd8b5668bd0f262a8c00b1fd57eb03c117b00a libclamav/pe_icons.c libclamav/pe_icons.c: introduce LOGPARSEICONDETAILS define to reduce parseicon logging in default build

how is this security related?

> --- Henri Salo

Are there maybe some more commits covering these (the last one has me stumped).

- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
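
Review bot: in the libclamav/pe.c change, the new guard `else if(skew > ssize)` still lets `skew == ssize` through, so the following `upxfn(src + skew, ssize - skew, ...)` call is made with a zero-length source that starts one past the end of the section. Suggest `skew >= ssize`, or a comment stating that upxfn is safe with an empty input. The type of `skew` is not visible here; it is printed with `%d`, so if the comparison is signed a negative skew also passes and should be rejected in the same branch.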
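
Review bot: in the libclamav/pdf.c change, the supported range of R is checked twice, in different forms and with different exits: the `else` after `(R >= 2) && (R <= 4)` logs "R value out of range" and returns, while `if ((R > 5) || (R < 2))` logs a different message and breaks. Suggest one shared check with named bounds so the two cannot drift apart. The `length > 128` clamp, now applied before the `R >= 3` test, only bounds `length` from above and uses a bare constant; a named limit and a comment saying which buffer it protects would make the intent reviewable.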
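
Review bot: in the libclamav/sis.c change, `cli_malloc(len+1)` adds one to a `uint32_t` that comes straight from the getsistring arguments, so `len == 0xFFFFFFFF` wraps the requested size to 0. Unless `len` is bounded earlier in the function (not visible in this hunk), suggest rejecting or capping it before the allocation, and adding a comment that says what the extra byte is for.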