Your message dated Sat, 05 Sep 2015 14:33:54 +0100
with message-id <[email protected]>
and subject line Closing bugs for 7.9
has caused the Debian Bug report #774820,
regarding wheezy-pu: clamav/0.98.5+dfsg-0+deb7u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
774820: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774820
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: [email protected]
Usertags: pu

Dear release team:

I'd like to update the clamav package in Wheezy with the following change:
|   * add "mspack-fix-division-by-zero-in-chm-format-handling" to fix divide
|     by zero in the chm unpacked. Found & patch by Jakub Wilk (Closes: #774766).
|   * add "mspack-fix-overflow-in-pointer-arithmetic-on-32bit" to avoid overflow
|     in pointer arithmetic causing a segfault on 32bit (Closes: #774767).

There are two equivalent bugs open against libmspack which is Jessie+
only.
Attaching a slightly edited .debdiff (the pointless index changes have
been removed).

Sebastian
diff -Nru clamav-0.98.5+dfsg/debian/changelog 
clamav-0.98.5+dfsg/debian/changelog
--- clamav-0.98.5+dfsg/debian/changelog 2015-01-04 00:41:33.000000000 +0100
+++ clamav-0.98.5+dfsg/debian/changelog 2015-01-07 21:59:47.000000000 +0100
@@ -1,3 +1,12 @@
+clamav (0.98.5+dfsg-0+deb7u3) stable; urgency=medium
+
+  * add "mspack-fix-division-by-zero-in-chm-format-handling" to fix divide
+    by zero in the chm unpacked. Found & patch by Jakub Wilk (Closes: #774766).
+  * add "mspack-fix-overflow-in-pointer-arithmetic-on-32bit" to avoid overflow
+    in pointer arithmetic causing a segfault on 32bit (Closes: #774767).
+
+ -- Sebastian Andrzej Siewior <[email protected]>  Wed, 07 Jan 2015 
21:56:21 +0100
+
 clamav (0.98.5+dfsg-0+deb7u2) stable; urgency=medium
 
   * Add "libmspack-qtmd-fix-frame_end-overflow" to avoid endless-loop on
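Review bot: the first bullet of the new changelog entry has a wording slip, "divide by zero in the chm unpacked" should read "in the chm unpacker" (the CHM decompressor in the bundled libmspack), and "Found & patch by Jakub Wilk" reads better as "found and patched by Jakub Wilk". Since the changelog is what users and the release team read in the point-release announcement, it is worth fixing before upload; the patch file names already carry the precise subject lines.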
diff -Nru clamav-0.98.5+dfsg/debian/.git-dpm clamav-0.98.5+dfsg/debian/.git-dpm
--- clamav-0.98.5+dfsg/debian/.git-dpm  2015-01-04 00:41:33.000000000 +0100
+++ clamav-0.98.5+dfsg/debian/.git-dpm  2015-01-07 21:59:47.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-a0449d2079c4ba5822e6567ad7094c10108f16cd
-a0449d2079c4ba5822e6567ad7094c10108f16cd
+1a5b9b3aba6e15f6c7371aa23adbc0600a0cf830
+1a5b9b3aba6e15f6c7371aa23adbc0600a0cf830
 14c3d5ca803fd6baa5ab413e87ca6d6bb2e26a3d
 14c3d5ca803fd6baa5ab413e87ca6d6bb2e26a3d
 clamav_0.98.5+dfsg.orig.tar.xz
diff -Nru 
clamav-0.98.5+dfsg/debian/patches/0019-mspack-fix-division-by-zero-in-chm-format-handling.patch
 
clamav-0.98.5+dfsg/debian/patches/0019-mspack-fix-division-by-zero-in-chm-format-handling.patch
--- 
clamav-0.98.5+dfsg/debian/patches/0019-mspack-fix-division-by-zero-in-chm-format-handling.patch
     1970-01-01 01:00:00.000000000 +0100
+++ 
clamav-0.98.5+dfsg/debian/patches/0019-mspack-fix-division-by-zero-in-chm-format-handling.patch
     2015-01-07 21:59:48.000000000 +0100
@@ -0,0 +1,30 @@
+From c673c5b4aabdd1d71fe9cc2df67f394e6038404d Mon Sep 17 00:00:00 2001
+From: Jakub Wilk <[email protected]>
+Date: Wed, 7 Jan 2015 14:05:38 +0100
+Subject: mspack: fix division by zero in chm format handling
+
+Fix division by 0 error found by special crated .chm by AFL.
+
+BTS:
+       https://bugs.debian.org/774725
+       https://bugs.debian.org/774766
+
+[bigeasy: patch description]
+Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
+---
+ libclamav/libmspack-0.4alpha/mspack/chmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libclamav/libmspack-0.4alpha/mspack/chmd.c 
b/libclamav/libmspack-0.4alpha/mspack/chmd.c
+index 19dc47b..005c930 100644
+--- a/libclamav/libmspack-0.4alpha/mspack/chmd.c
++++ b/libclamav/libmspack-0.4alpha/mspack/chmd.c
+@@ -1123,7 +1123,7 @@ static int chmd_init_decomp(struct mschm_decompressor_p 
*self,
+   }
+ 
+   /* validate reset_interval */
+-  if (reset_interval % LZX_FRAME_SIZE) {
++  if (reset_interval % LZX_FRAME_SIZE || !reset_interval) {
+     D(("bad controldata reset interval"))
+     return self->error = MSPACK_ERR_DATAFORMAT;
+   }
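Review bot: the new condition `reset_interval % LZX_FRAME_SIZE || !reset_interval` is correct (with reset_interval == 0 the modulo evaluates to 0, so the added `!reset_interval` term is what rejects it), but the patch description should say where reset_interval is later used as a divisor so a reviewer can confirm this is the only path to the division; the hunk as shown only covers the validation site. Two smaller points: the description line "found by special crated .chm by AFL" should read "specially crafted .chm", and the debug string "bad controldata reset interval" could mention the zero case so the rejection is distinguishable in D() output when triaging a sample.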
diff -Nru 
clamav-0.98.5+dfsg/debian/patches/0020-mspack-fix-overflow-in-pointer-arithmetic-on-32bit.patch
 
clamav-0.98.5+dfsg/debian/patches/0020-mspack-fix-overflow-in-pointer-arithmetic-on-32bit.patch
--- 
clamav-0.98.5+dfsg/debian/patches/0020-mspack-fix-overflow-in-pointer-arithmetic-on-32bit.patch
     1970-01-01 01:00:00.000000000 +0100
+++ 
clamav-0.98.5+dfsg/debian/patches/0020-mspack-fix-overflow-in-pointer-arithmetic-on-32bit.patch
     2015-01-07 21:59:48.000000000 +0100
@@ -0,0 +1,63 @@
+From 1a5b9b3aba6e15f6c7371aa23adbc0600a0cf830 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <[email protected]>
+Date: Wed, 7 Jan 2015 21:31:36 +0100
+Subject: mspack: fix overflow in pointer arithmetic on 32bit
+
+There are two checks to ensure that the encoded length of the file name does 
not
+exceed the length of the memory where it is stored. That check is written as
+       p + name_len > end
+
+in general it works. On 32bit architectures it is possible that a large 
name_len
+overflows and p + name_len is less than p and therefore also less than end and
+the check does not catch it.
+Jakub rewrote the check as
+       name_len > end - p
+
+so name_len is compared against the remaining space in the memory chunk.
+
+Additionally Jakub added a check to chmd_read_headers() to avoid accessing
+name[name_len - 1] if it would overflow.
+
+BTS:
+       https://bugs.debian.org/774726
+       https://bugs.debian.org/774767
+
+[bigeasy: patch description]
+Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
+---
+ libclamav/libmspack-0.4alpha/mspack/chmd.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/libclamav/libmspack-0.4alpha/mspack/chmd.c 
b/libclamav/libmspack-0.4alpha/mspack/chmd.c
+index 005c930..c38ac92 100644
+--- a/libclamav/libmspack-0.4alpha/mspack/chmd.c
++++ b/libclamav/libmspack-0.4alpha/mspack/chmd.c
+@@ -445,7 +445,9 @@ static int chmd_read_headers(struct mspack_system *sys, 
struct mspack_file *fh,
+     num_entries = EndGetI16(end);
+ 
+     while (num_entries--) {
+-      READ_ENCINT(name_len); name = p; p += name_len;
++      READ_ENCINT(name_len);
++      if (name_len > end - p) goto chunk_end;
++      name = p; p += name_len;
+       READ_ENCINT(section);
+       READ_ENCINT(offset);
+       READ_ENCINT(length);
+@@ -746,7 +748,7 @@ static int search_chunk(struct mschmd_header *chm,
+           /* compare filename with entry QR points to */
+           p = &chunk[entries_off + (M ? EndGetI16(start - (M << 1)) : 0)];
+           READ_ENCINT(name_len);
+-          if (p + name_len > end) goto chunk_end;
++          if (name_len > end - p) goto chunk_end;
+           cmp = compare(filename, (char *)p, fname_len, name_len);
+ 
+           if (cmp == 0) break;
+@@ -783,7 +785,7 @@ static int search_chunk(struct mschmd_header *chm,
+     *result = NULL;
+     while (num_entries-- > 0) {
+       READ_ENCINT(name_len);
+-      if (p + name_len > end) goto chunk_end;
++      if (name_len > end - p) goto chunk_end;
+       cmp = compare(filename, (char *)p, fname_len, name_len);
+       p += name_len;
+ 
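Review bot: the rewritten check `name_len > end - p` is only sound because READ_ENCINT leaves p <= end, so that `end - p` (a ptrdiff_t) is never negative; if name_len is an unsigned type, a negative ptrdiff_t would convert to a huge unsigned value and the test would silently pass, so please state that invariant in a comment at the first site in chmd_read_headers or write it as `name_len > (size_t)(end - p)` with the invariant documented. Also, the description says the chmd_read_headers hunk exists to avoid accessing `name[name_len - 1]`; the new test does not reject name_len == 0, so please confirm that a zero-length name is handled before that access is reached, otherwise it reads one byte before `name`.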
diff -Nru clamav-0.98.5+dfsg/debian/patches/series 
clamav-0.98.5+dfsg/debian/patches/series
--- clamav-0.98.5+dfsg/debian/patches/series    2015-01-04 00:41:33.000000000 
+0100
+++ clamav-0.98.5+dfsg/debian/patches/series    2015-01-07 21:59:48.000000000 
+0100
@@ -16,3 +16,5 @@
 0016-Bump-.so-version-number.patch
 0017-llvm-don-t-use-system-libs.patch
 0018-libmspack-qtmd-fix-frame_end-overflow.patch
+0019-mspack-fix-division-by-zero-in-chm-format-handling.patch
+0020-mspack-fix-overflow-in-pointer-arithmetic-on-32bit.patch

--- End Message ---
--- Begin Message ---
Version: 7.9

Hi,

These bugs relate to updates which were included in the 7.9 point
release.

Regards,

Adam

--- End Message ---