Bug 442360 (CVE-2008-1100) - CVE-2008-1100 clamav: Upack Processing Buffer Overflow Vulnerability
Summary: CVE-2008-1100 clamav: Upack Processing Buffer Overflow Vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-1100
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 442362 442363 442364
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-04-14 15:23 UTC by Tomas Hoger
Modified: 2019-09-29 12:24 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-06-19 10:49:09 UTC


Attachments (Terms of Use)

Description Tomas Hoger 2008-04-14 15:23:30 UTC
Quoting Secunia advisory:

Description:
Secunia Research has discovered a vulnerability in ClamAV, which can be
exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the "cli_scanpe()"
function in libclamav/pe.c. This can be exploited to cause a heap-based buffer
overflow via a specially crafted "Upack" executable.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in versions 0.92 and 0.92.1. Prior versions may
also be affected.

Solution:
An updated version should be available shortly. The PE scanning module has been
remotely switched off after 10/03/2008.

Do not scan untrusted PE files.

Provided and/or discovered by:
Alin Rad Pop, Secunia Research.

References:
http://secunia.com/advisories/29000/
http://secunia.com/secunia_research/2008-11/advisory/

Comment 1 Tomas Hoger 2008-04-14 15:24:57 UTC
Upstream 0.93 final is not yet available.

Comment 2 Robert Scheck 2008-04-14 15:30:39 UTC
Affects Fedora 7, 8, 9/Rawhide as well as EPEL 4 and 5.

Comment 4 Robert Scheck 2008-04-14 20:54:17 UTC
Build Result: 38757 - clamav on fedora-4-epel (38757-clamav-0.93-1.el4)
Build Result: 38756 - clamav on fedora-5-epel (38756-clamav-0.93-1.el5)

Comment 5 Enrico Scholz 2008-04-15 00:46:11 UTC
you know that clamav-0.93 contains API + configuration file changes and shipping
this version would violate EPEL guidelines?

Comment 6 Robert Scheck 2008-04-15 06:14:35 UTC
Well, just same like 0.8x -> 0.9x, but unfortunately not really avoidable. In
the past, clamav already had to ignore this part of the guideline (guideline !=
policy) some times, because upstream is just doing fscking release management.

Comment 7 Tomas Hoger 2008-04-15 08:24:34 UTC
Patch for this issue is now committed in upstream SVN:

svn diff -c 3788 http://svn.clamav.net/svn/clamav-devel/trunk/libclamav/pe.c

However, according to ChangeLog, 0.93 fixed couple more issues.  At least one
overflow and couple of crasher bugs...

Mon Apr 14 21:35:11 CEST 2008 (tk)
----------------------------------
  * Check in 0.93 patches:
    - libclamunrar: bb#541 (RAR - Version required to extract - Evasion)
    - libclamav/spin.c: bb#876 (PeSpin Heap Overflow Vulnerability)
    - libclamav/pe.c: bb#878 (Upack Buffer Overflow Vulnerability)
    - libclamav/message.c: bb#881 (message.c: read beyond allocated region)
    - libclamav/unarj.c: bb#897 (ARJ: Sample from CERT-FI hangs clamav)
    - libclamunrar: bb#898 (RAR crashes on some fuzzed files from CERT-FI)

http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog

Seems all changes were committed in revision 3788 if you want to extract
individual patches.

Comment 8 Fedora Update System 2008-04-25 11:18:03 UTC
clamav-0.92.1-2.fc7 has been submitted as an update for Fedora 7

Comment 9 Fedora Update System 2008-04-29 20:56:16 UTC
clamav-0.92.1-2.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2008-04-29 21:01:24 UTC
clamav-0.92.1-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2008-05-13 15:17:39 UTC
clamav-0.93-1.fc9 has been submitted as an update for Fedora 9

Comment 12 Fedora Update System 2008-05-14 22:09:02 UTC
clamav-0.93-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.