Hello community, here is the log from the commit of package clamav for openSUSE:Factory checked in at 2018-02-22 15:01:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/clamav (Old) and /work/SRC/openSUSE:Factory/.clamav.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "clamav" Thu Feb 22 15:01:15 2018 rev:92 rq:578702 version:0.99.3 Changes: --------
--- /work/SRC/openSUSE:Factory/clamav/clamav.changes 2018-02-14 10:52:46.283201713 +0100
+++ /work/SRC/openSUSE:Factory/.clamav.new/clamav.changes 2018-02-22 15:01:18.744450764 +0100
@@ -1,0 +2,7 @@
+Wed Feb 14 12:21:39 UTC 2018 - [email protected]
+
+- bsc#1045490, CVE-2012-6706: VMSF_DELTA filter in libclamunrar
+ allows arbitrary memory write (clamav-CVE-2012-6706.patch).
+- Buildrequire curl-devel to enable clamsubmit.
+
+-------------------------------------------------------------------
New: ---- clamav-CVE-2012-6706.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ clamav.spec ++++++
--- /var/tmp/diff_new_pack.sm1hcT/_old 2018-02-22 15:01:20.120401264 +0100
+++ /var/tmp/diff_new_pack.sm1hcT/_new 2018-02-22 15:01:20.124401120 +0100
@@ -33,6 +33,7 @@
 BuildRequires: automake
 BuildRequires: check-devel
 BuildRequires: libbz2-devel
+BuildRequires: libcurl-devel
 BuildRequires: libopenssl-devel
 BuildRequires: libtool
 BuildRequires: libxml2-devel
@@ -62,6 +63,7 @@
 Patch3: clamav-gcc47.patch
 Patch4: clamav-disable-timestamps.patch
 Patch5: clamav-fix_newer_zlib.patch
+Patch6: clamav-CVE-2012-6706.patch
 BuildRequires: systemd
 BuildRequires: systemd-rpm-macros
 %systemd_requires
@@ -102,6 +104,7 @@
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6
 %build
 CFLAGS="-fstack-protector"
++++++ clamav-CVE-2012-6706.patch ++++++
--- libclamunrar/unrarvm.c.orig
+++ libclamunrar/unrarvm.c
@@ -26,6 +26,13 @@
 #include "libclamunrar/unrarvm.h"
 #include "libclamunrar/unrarcmd.h"
+/*
+ * Limit maximum number of channels in RAR3 delta filter to some
+ * reasonable value to prevent too slow processing of corrupt archives
+ * with invalid channels number.
+ */
+#define MAX3_UNPACK_CHANNELS 1024
+
 #ifdef RAR_HIGH_DEBUG
 #define rar_dbgmsg printf
 #else
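Review bot: In the third clamav.spec hunk (`@@ -102,6 +104,7 @@`), `%patch6` is applied without a strip option while `%patch3` to `%patch5` all use `-p1`. That agrees with the new patch, whose header names `libclamunrar/unrarvm.c` with no leading directory component, but nothing on the line says so and it reads like an omission. Writing it as `%patch6 -p0` records the intent; regenerating the patch with a one-component prefix and using `-p1` would make it uniform with its neighbours.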
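Review bot: The comment added above `MAX3_UNPACK_CHANNELS` in the `@@ -26,6 +26,13 @@` hunk of unrarvm.c gives slow processing as the only reason for the limit, while the changelog entry in this same commit describes the patch as the fix for an arbitrary memory write (CVE-2012-6706). A maintainer reading only the source could take the constant for a tuning knob and raise or remove it. I would add one line to the comment, such as `* Checked together with the data_size bound in execute_standard_filter(); part of the CVE-2012-6706 hardening.` Whether the channel bound on its own is needed for memory safety cannot be judged from the hunks shown, so the wording should not claim more than that.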
@@ -340,8 +347,8 @@ static void filter_itanium_setbits(unsig
 static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_filters_t filter_type)
 {
 unsigned char *data, cmp_byte2, cur_byte, *src_data, *dest_data;
- int i, j, data_size, channels, src_pos, dest_pos, border, width, PosR;
- int op_type, cur_channel, byte_count, start_pos, pa, pb, pc;
+ int i, j, op_type, cur_channel, byte_count, start_pos, pa, pb, pc;
+ unsigned int data_size, channels, src_pos, dest_pos, border, width, PosR;
 unsigned int file_offset, cur_pos, predicted;
 int32_t offset, addr;
 const int file_size=0x1000000;
@@ -426,7 +433,7 @@ static void execute_standard_filter(rarv
 border = data_size*2;
 SET_VALUE(FALSE, &rarvm_data->mem[VM_GLOBALMEMADDR+0x20], data_size);
- if ((unsigned int)data_size >= VM_GLOBALMEMADDR/2) {
+ if ((unsigned int)data_size >= VM_GLOBALMEMADDR/2 || channels > MAX3_UNPACK_CHANNELS) {
 break;
 }
 for (cur_channel=0 ; cur_channel < channels ; cur_channel++) {
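Review bot: In the declaration hunk (`@@ -340,8 +347,8 @@`), `i`, `j` and `cur_channel` stay `int` while `data_size`, `channels`, `src_pos`, `dest_pos`, `border`, `width` and `PosR` become `unsigned int`, so every comparison or subtraction in execute_standard_filter() that mixes the two groups now converts the signed operand to unsigned. The loop header visible in the next hunk, `cur_channel < channels`, is one such comparison; the other uses are in the function body outside the hunks, so they cannot be checked from here. A build with `-Wsign-compare` would list them, and any expression that used to rely on a negative intermediate value needs a look. A short comment on the new declaration, for example `/* unsigned: sizes and offsets must not go negative */`, would record why the types were changed.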
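Review bot: In the `@@ -426,7 +433,7 @@` hunk the cast in `(unsigned int)data_size` is redundant now that the declaration hunk makes `data_size` an `unsigned int`, and keeping it suggests the variable is still signed; the condition can read `if (data_size >= VM_GLOBALMEMADDR/2 || channels > MAX3_UNPACK_CHANNELS) {`. As far as the hunk shows, the rejection path is a bare `break`, so a filter with an out-of-range size or channel count is dropped without a trace. A line such as `rar_dbgmsg("delta filter rejected: data_size=%u channels=%u\n", data_size, channels);` before the `break` would make rejected archives visible in debug builds, assuming `rar_dbgmsg` is a no-op outside `RAR_HIGH_DEBUG`. The enclosing case starts before the hunk and the loop body continues after it.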
