Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution


Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution

Dominic Hargreaves-2
On Thu, Dec 04, 2008 at 09:26:17AM +0100, Florian Weimer wrote:

> Moritz Jodeit discovered that ClamAV, an anti-virus solution, suffers
> from an off-by-one-error in its VBA project file processing, leading to
> a heap-based buffer overflow and potentially arbitrary code execution
> (CVE-2008-5050).
>
> Ilja van Sprundel discovered that ClamAV contains a denial of service
> condition in its JPEG file processing because it does not limit the
> recursion depth when processing JPEG thumbnails (CVE-2008-5314).
>
> For the stable distribution (etch), these problems have been fixed in
> version 0.90.1dfsg-4etch16.
>
> For the unstable distribution (sid), these problems have been fixed in
> version 0.94.dfsg.2-1.

This looks like quite a serious bug (remote arbitrary code execution).
Are there any plans for an update to volatile?

Thanks,
Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]

Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution

Török Edwin
On 2008-12-05 20:15, Dominic Hargreaves wrote:

> On Thu, Dec 04, 2008 at 09:26:17AM +0100, Florian Weimer wrote:
>
>
>> Moritz Jodeit discovered that ClamAV, an anti-virus solution, suffers
>> from an off-by-one-error in its VBA project file processing, leading to
>> a heap-based buffer overflow and potentially arbitrary code execution
>> (CVE-2008-5050).
>>
>> Ilja van Sprundel discovered that ClamAV contains a denial of service
>> condition in its JPEG file processing because it does not limit the
>> recursion depth when processing JPEG thumbnails (CVE-2008-5314).
>>
>> For the stable distribution (etch), these problems have been fixed in
>> version 0.90.1dfsg-4etch16.
>>
>> For the unstable distribution (sid), these problems have been fixed in
>> version 0.94.dfsg.2-1.
>>
>
> This looks like quite a serious bug (remote arbitrary code execution).
> Are there any plans for an update to volatile?

A zero is written past end of allocated heap memory, and not an
arbitrary/attacker-controlled character.
I don't see how you can execute arbitrary code with that.

Best regards,
--Edwin



Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution

Michael Tautschnig-4
In reply to this post by Dominic Hargreaves-2
[...]
>
> This looks like quite a serious bug (remote arbitrary code execution).
> Are there any plans for an update to volatile?
>

The fixed version has been uploaded to volatile already and got accepted [1],
but probably is still being built!?

Best,
Michael

[1] http://lists.alioth.debian.org/pipermail/pkg-clamav-devel/2008-November/000252.html



Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution

Mapper ict department
In reply to this post by Dominic Hargreaves-2
DSA-1680-1 clamav -- buffer overflow, stack consumption
Date Reported: 04 Dec 2008
In the Debian bugtracking system: Bug 505134, Bug 507624.
In Mitre's CVE dictionary: CVE-2008-5050, CVE-2008-5314.

Hello,

I'm quite new at this, so forgive me if I ask stupid questions.

We have Debian Etch with the volatile clamav installed. This is
the version:

0.94.dfsg.1-1~volatile1

That is the one affected, if I am not mistaken.

We have the volatile archive in the apt-get sources list:

http://volatile.debian.org/debian-volatile etch/volatile main contrib non-free

But the fix is neither queued nor downloaded.

Isn't it so that apt-get always checks for updates and fixes from programs
previously installed by apt-get? (I guess that is the case with us because
the current version appears with dpkg -l).

Thanks a lot for your answer.

With kind regards,

Tony



Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution

Johannes Wiedersich-3
Mapper ict department wrote:
> DSA-1680-1 clamav -- buffer overflow, stack consumption
> Date Reported: 04 Dec 2008
> In the Debian bugtracking system: Bug 505134, Bug 507624.
> In Mitre's CVE dictionary: CVE-2008-5050, CVE-2008-5314.

[snip]

> We have the volatile archive in the apt-get sources list:
>
> http://volatile.debian.org/debian-volatile etch/volatile main contrib non-free
>
> But the fix is neither queued nor downloaded.
>
> Isn't it so that apt-get always checks for updates and fixes from programs
> previously installed by apt-get? (I guess that is the case with us because
> the current version appears with dpkg -l).

Have you activated security support for your apt?

Add the line

deb http://security.debian.org/ stable/updates main

to your /etc/apt/sources.list (as described in the security announcement).

HTH,

Johannes




Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution

Jim Popovitch
In reply to this post by Mapper ict department
On Tue, Dec 9, 2008 at 17:44, Mapper ict department
<[hidden email]> wrote:

> We have Debian Etch with the volatile clamav installed. This is
> the version:
>
> 0.94.dfsg.1-1~volatile1
>
> That is the one affected, if I am not mistaken.
>
> We have the volatile archive in the apt-get sources list:
>
> http://volatile.debian.org/debian-volatile etch/volatile main contrib non-free
>
> But the fix is neither queued nor downloaded.

I am seeing the same thing.  The fix is on volatile.d.o as
clamav_0.94.dfsg.2-1~volatile1, but apt-get upgrade is not recognizing
it.  I don't see it in the Releases file either.

-Jim P.


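Two questions run through Tony's post and Jim's reply above: is the installed clamav older than the version the DSA names as fixed, and does the archive index actually carry a version at or above it? The following is an added example, not code from the thread or from Debian's own tooling: it reimplements dpkg's version ordering in Python (epoch, upstream, Debian revision, with `~` sorting before everything including the end of a string) instead of shelling out to `dpkg --compare-versions`, and parses a small `Packages` index. The index excerpt is constructed for the example.

```python
"""Debian package version checks for a DSA (added example, not from the thread)."""
from __future__ import annotations
from functools import cmp_to_key


def _char_order(c: str) -> int:
    # Ordering inside a non-digit segment, as dpkg defines it:
    # '~' (-1) < end of segment (0) < letters < everything else.
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream or revision string: alternate non-digit and digit runs."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        ja, jb = ia, ib
        while ja < len(a) and not a[ja].isdigit():
            ja += 1
        while jb < len(b) and not b[jb].isdigit():
            jb += 1
        r = _cmp_nondigit(a[ia:ja], b[ib:jb])
        if r:
            return r
        ia, ib = ja, jb
        while ja < len(a) and a[ja].isdigit():
            ja += 1
        while jb < len(b) and b[jb].isdigit():
            jb += 1
        na, nb = int(a[ia:ja] or "0"), int(b[ib:jb] or "0")
        if na != nb:
            return -1 if na < nb else 1
        ia, ib = ja, jb
    return 0


def _split(version: str) -> tuple[int, str, str]:
    # epoch ':' upstream '-' revision; epoch defaults to 0, revision to "".
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a <, ==, > b under Debian's version ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def needs_update(installed: str, fixed: str) -> bool:
    """True when the installed version is older than the version named as fixed."""
    return compare_versions(installed, fixed) < 0


def parse_packages(text: str) -> list[dict]:
    """Parse the blank-line separated 'Field: value' stanzas of a Packages index."""
    stanzas, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        if line[0] in " \t":  # continuation line (e.g. long Description); skip it
            continue
        field, _, value = line.partition(":")
        current[field.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def fixed_version_in_index(text: str, package: str, fixed: str) -> str | None:
    """Newest version of `package` in the index that is >= `fixed`, or None if absent."""
    candidates = [s["Version"] for s in parse_packages(text)
                  if s.get("Package") == package and compare_versions(s["Version"], fixed) >= 0]
    return max(candidates, key=cmp_to_key(compare_versions)) if candidates else None


# Constructed index excerpt: the old volatile build beside the rebuilt fix.
SAMPLE_PACKAGES = """\
Package: clamav
Version: 0.94.dfsg.1-1~volatile1
Architecture: i386
Filename: pool/volatile/main/c/clamav/clamav_0.94.dfsg.1-1~volatile1_i386.deb

Package: clamav-base
Version: 0.94.dfsg.2-1~volatile1
Architecture: all

Package: clamav
Version: 0.94.dfsg.2-1~volatile1
Architecture: i386
Filename: pool/volatile/main/c/clamav/clamav_0.94.dfsg.2-1~volatile1_i386.deb
"""

if __name__ == "__main__":
    print(needs_update("0.94.dfsg.1-1~volatile1", "0.94.dfsg.2-1~volatile1"))
    print(fixed_version_in_index(SAMPLE_PACKAGES, "clamav", "0.94.dfsg.2-1~volatile1"))
    print(fixed_version_in_index(SAMPLE_PACKAGES, "clamav", "0.94.dfsg.2-1"))
```

One caveat the tilde rule creates: `0.94.dfsg.2-1~volatile1` sorts below the sid version `0.94.dfsg.2-1` that the DSA names, so comparing a volatile or backported package against the sid fix reports it as still vulnerable even once the rebuild is installed. Compare against the fixed version published for the suite you actually run, and treat the DSA's sid version as a lower bound only for sid itself.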

Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution

Dominic Hargreaves-2
On Tue, Dec 09, 2008 at 11:05:28PM -0500, Jim Popovitch wrote:
> I am seeing the same thing.  The fix is on volatile.d.o as
> clamav_0.94.dfsg.2-1~volatile1, but apt-get upgrade is not recognizing
> it.  I don't see it in the Releases file either.

Looks like it is in the etch-proposed-updates/etch dist, though, if you
wanted it. Volatile admins, is there something wrong with this package
or has it just been forgotten about?

Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution

Cyril Brulebois-4
Dominic Hargreaves <[hidden email]> (10/12/2008):
> Looks like it is in the etch-proposed-updates/etch dist, though, if
> you wanted it. Volatile admins, is there something wrong with this
> package or has it just been forgotten about?

Correct according to:
http://release.debian.org/proposed-updates/stable.html

Mraw,
KiBi.


Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution

Dominic Hargreaves-2
On Wed, Dec 10, 2008 at 11:51:49AM +0100, Cyril Brulebois wrote:
> Dominic Hargreaves <[hidden email]> (10/12/2008):
> > Looks like it is in the etch-proposed-updates/etch dist, though, if
> > you wanted it. Volatile admins, is there something wrong with this
> > package or has it just been forgotten about?

(sorry, I mistyped above - I meant etch-proposed-updates/volatile).

> Correct according to:
> http://release.debian.org/proposed-updates/stable.html

I don't think that's relevant to volatile versions though.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution

Jim Popovitch
On Wed, Dec 10, 2008 at 07:27, Dominic Hargreaves <[hidden email]> wrote:
> I don't think that's relevant to volatile versions though.

To Volatile or Not to Volatile. That is the question (now). Is
volatile a dead thing and security now back to real-time updates?

I'm ok with manually downloading, even custom compiling, one or two
apps.  I'm just looking toward the future to better understand how
clam/SA/etc app updates should best be applied to Stable.

-Jim P.

