Bug 442360 (CVE-2008-1100)

Summary: CVE-2008-1100 clamav: Upack Processing Buffer Overflow Vulnerability
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: redhat-bugzilla, rh-bugzilla, robert.scheck, steve
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-06-19 10:49:09 UTC
Bug Depends On: 442362, 442363, 442364

Description Tomas Hoger 2008-04-14 15:23:30 UTC
Quoting Secunia advisory:

Description:
Secunia Research has discovered a vulnerability in ClamAV, which can be
exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the "cli_scanpe()"
function in libclamav/pe.c. This can be exploited to cause a heap-based buffer
overflow via a specially crafted "Upack" executable.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in versions 0.92 and 0.92.1. Prior versions may
also be affected.

Solution:
An updated version should be available shortly. The PE scanning module has been
remotely switched off after 10/03/2008.

Do not scan untrusted PE files.

Provided and/or discovered by:
Alin Rad Pop, Secunia Research.

References:
http://secunia.com/advisories/29000/
http://secunia.com/secunia_research/2008-11/advisory/

Comment 1 Tomas Hoger 2008-04-14 15:24:57 UTC
Upstream 0.93 final is not yet available.

Comment 2 Robert Scheck 2008-04-14 15:30:39 UTC
Affects Fedora 7, 8, 9/Rawhide as well as EPEL 4 and 5.

Comment 4 Robert Scheck 2008-04-14 20:54:17 UTC
Build Result: 38757 - clamav on fedora-4-epel (38757-clamav-0.93-1.el4)
Build Result: 38756 - clamav on fedora-5-epel (38756-clamav-0.93-1.el5)

Comment 5 Enrico Scholz 2008-04-15 00:46:11 UTC
You know that clamav-0.93 contains API + configuration file changes and shipping
this version would violate EPEL guidelines?

Comment 6 Robert Scheck 2008-04-15 06:14:35 UTC
Well, just the same as 0.8x -> 0.9x, but unfortunately not really avoidable. In
the past, clamav already had to ignore this part of the guideline (guideline !=
policy) some times, because upstream is just doing fscking release management.

Comment 7 Tomas Hoger 2008-04-15 08:24:34 UTC
Patch for this issue is now committed in upstream SVN:

svn diff -c 3788 http://svn.clamav.net/svn/clamav-devel/trunk/libclamav/pe.c

However, according to ChangeLog, 0.93 fixed a couple more issues. At least one
overflow and a couple of crasher bugs...

Mon Apr 14 21:35:11 CEST 2008 (tk)
----------------------------------
  * Check in 0.93 patches:
    - libclamunrar: bb#541 (RAR - Version required to extract - Evasion)
    - libclamav/spin.c: bb#876 (PeSpin Heap Overflow Vulnerability)
    - libclamav/pe.c: bb#878 (Upack Buffer Overflow Vulnerability)
    - libclamav/message.c: bb#881 (message.c: read beyond allocated region)
    - libclamav/unarj.c: bb#897 (ARJ: Sample from CERT-FI hangs clamav)
    - libclamunrar: bb#898 (RAR crashes on some fuzzed files from CERT-FI)

http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog

Seems all changes were committed in revision 3788 if you want to extract
individual patches.

Comment 8 Fedora Update System 2008-04-25 11:18:03 UTC
clamav-0.92.1-2.fc7 has been submitted as an update for Fedora 7

Comment 9 Fedora Update System 2008-04-29 20:56:16 UTC
clamav-0.92.1-2.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2008-04-29 21:01:24 UTC
clamav-0.92.1-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2008-05-13 15:17:39 UTC
clamav-0.93-1.fc9 has been submitted as an update for Fedora 9

Comment 12 Fedora Update System 2008-05-14 22:09:02 UTC
clamav-0.93-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.