> Dear Security Team,
> 
> One of our users has reported a possible DoS against the clamav scanning 
> engine
> (#507624). Upstream has already included a fix in 0.94.2, which is currently 
> in
> unstable and a similar version has been uploaded to etch-volatile already. The
> versions in etch and lenny remain affected. For lenny, a patched version could
> be prepared easily, but we would rather try to get sid's version released.
> 
> The attached patch provides a fix for etch-security. It does, however, not
> include the previously sent patch for #505134. We could upload a package
> containing both bugfixes at any time. If you prefer to include only one of
> those, this can also be prepared easily.
> 

Unfortunately the previous patch was missing one of the necessary changes. This
has been fixed in the new patch, attached to this message.

Best,
Michael

diff --git a/debian/changelog b/debian/changelog
index 50329c3..a3d029f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,8 +2,10 @@ clamav (0.90.1dfsg-4etch16) stable-security; urgency=high
 
   * libclamav/vba_extract.c: off-by-one error causing possible buffer overflow
     (Closes: #505134)
+  * libclamav/special.c: respect recursion limits in cli_check_jpeg_exploit()
+    (Closes: #507624)
 
- -- Stephen Gran <[EMAIL PROTECTED]>  Tue, 11 Nov 2008 22:29:12 +0100
+ -- Stephen Gran <[EMAIL PROTECTED]>  Tue, 02 Dec 2008 20:36:31 -0800
 
 clamav (0.90.1dfsg-4etch15) stable-security; urgency=low
 
diff --git a/debian/patches/00list b/debian/patches/00list
index 27caae2..37b710f 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -24,3 +24,4 @@
 46.fd-leak.CVE-2008-3914.dpatch
 47.manager.c.CVE-2008-3913.dpatch
 48.vba_unicode.c.dpatch
+49.special.c.dpatch
diff --git a/debian/patches/49.special.c.dpatch 
b/debian/patches/49.special.c.dpatch
new file mode 100644
index 0000000..068b61d
--- /dev/null
+++ b/debian/patches/49.special.c.dpatch
@@ -0,0 +1,137 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 48.vba_unicode.c.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: get_unicode_name() off-by-one buffer overflow
+
[EMAIL PROTECTED]@
+diff --git a/libclamav/others.h b/libclamav/others.h
+index 66cade9..22df93c 100644
+--- a/libclamav/others.h
++++ b/libclamav/others.h
+@@ -80,6 +80,7 @@ typedef struct {
+     const struct cl_engine *engine;
+     const struct cl_limits *limits;
+     unsigned int options;
++    unsigned int recursion;
+     unsigned int arec;
+     unsigned int mrec;
+     struct cli_dconf *dconf;
+diff --git a/libclamav/scanners.c b/libclamav/scanners.c
+index c4d1d8b..1d53fa6 100644
+--- a/libclamav/scanners.c
++++ b/libclamav/scanners.c
+@@ -1451,13 +1451,13 @@ static int cli_scanriff(int desc, const char **virname)
+     return ret;
+ }
+ 
+-static int cli_scanjpeg(int desc, const char **virname)
++static int cli_scanjpeg(int desc, cli_ctx *ctx)
+ {
+       int ret = CL_CLEAN;
+ 
+-    if(cli_check_jpeg_exploit(desc) == 1) {
++    if(cli_check_jpeg_exploit(desc, ctx) == 1) {
+       ret = CL_VIRUS;
+-      *virname = "Exploit.W32.MS04-028";
++      *ctx->virname = "Exploit.W32.MS04-028";
+     }
+ 
+     return ret;
+@@ -1905,7 +1905,7 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)
+ 
+       case CL_TYPE_GRAPHICS:
+           if(SCAN_ALGO && (DCONF_OTHER & OTHER_CONF_JPEG))
+-              ret = cli_scanjpeg(desc, ctx->virname);
++              ret = cli_scanjpeg(desc, ctx);
+           break;
+ 
+       case CL_TYPE_PDF:
+diff --git a/libclamav/special.c b/libclamav/special.c
+index 777f103..2179db4 100644
+--- a/libclamav/special.c
++++ b/libclamav/special.c
+@@ -82,7 +82,7 @@ int cli_check_mydoom_log(int desc, const char **virname)
+     return retval;
+ }
+ 
+-static int jpeg_check_photoshop_8bim(int fd)
++static int jpeg_check_photoshop_8bim(int fd, cli_ctx *ctx)
+ {
+       unsigned char bim[5];
+       uint16_t id, ntmp;
+@@ -137,7 +137,7 @@ static int jpeg_check_photoshop_8bim(int fd)
+       /* Jump past header */
+       lseek(fd, 28, SEEK_CUR);
+ 
+-      retval = cli_check_jpeg_exploit(fd);
++      retval = cli_check_jpeg_exploit(fd, ctx);
+       if (retval == 1) {
+               cli_dbgmsg("Exploit found in thumbnail\n");
+       }
+@@ -146,7 +146,7 @@ static int jpeg_check_photoshop_8bim(int fd)
+       return retval;
+ }
+ 
+-static int jpeg_check_photoshop(int fd)
++static int jpeg_check_photoshop(int fd, cli_ctx *ctx)
+ {
+       int retval;
+       unsigned char buffer[14];
+@@ -163,7 +163,7 @@ static int jpeg_check_photoshop(int fd)
+       cli_dbgmsg("Found Photoshop segment\n");
+       do {
+               old = lseek(fd, 0, SEEK_CUR);
+-              retval = jpeg_check_photoshop_8bim(fd);
++              retval = jpeg_check_photoshop_8bim(fd, ctx);
+               new = lseek(fd, 0, SEEK_CUR);
+               if(new <= old)
+                       break;
+@@ -175,7 +175,7 @@ static int jpeg_check_photoshop(int fd)
+       return retval;
+ }
+ 
+-int cli_check_jpeg_exploit(int fd)
++int cli_check_jpeg_exploit(int fd, cli_ctx *ctx)
+ {
+       unsigned char buffer[4];
+       off_t offset;
+@@ -183,6 +183,8 @@ int cli_check_jpeg_exploit(int fd)
+ 
+ 
+       cli_dbgmsg("in cli_check_jpeg_exploit()\n");
++      if(ctx->recursion > ctx->limits->maxreclevel)
++          return CL_EMAXREC;
+ 
+       if (cli_readn(fd, buffer, 2) != 2) {
+               return 0;
+@@ -226,9 +228,11 @@ int cli_check_jpeg_exploit(int fd)
+ 
+               if (buffer[1] == 0xed) {
+                       /* Possible Photoshop file */
+-                      if ((retval=jpeg_check_photoshop(fd)) != 0) {
++                      ctx->recursion++;
++                      retval=jpeg_check_photoshop(fd, ctx);
++                      ctx->recursion--;
++                      if (retval != 0)
+                               return retval;
+-                      }
+               }
+ 
+               if (lseek(fd, offset, SEEK_SET) != offset) {
+diff --git a/libclamav/special.h b/libclamav/special.h
+index 69aeeb9..de0d3ad 100644
+--- a/libclamav/special.h
++++ b/libclamav/special.h
+@@ -20,8 +20,10 @@
+ #ifndef __SPECIAL_H
+ #define __SPECIAL_H
+ 
++#include "others.h"
++
+ int cli_check_mydoom_log(int desc, const char **virname);
+-int cli_check_jpeg_exploit(int fd);
++int cli_check_jpeg_exploit(int fd, cli_ctx *ctx);
+ int cli_check_riff_exploit(int fd);
+ 
+ #endif
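Review bot: The new limit check `if(ctx->recursion > ctx->limits->maxreclevel)` in cli_check_jpeg_exploit() dereferences ctx->limits without a guard; if callers may pass a NULL limits pointer (the 0.90-era checks elsewhere are written `ctx->limits && ctx->limits->maxreclevel && ...`), this is a NULL dereference, and a maxreclevel of 0, conventionally "unlimited", would stop at the first Photoshop thumbnail, so `if(ctx->limits && ctx->limits->maxreclevel && ctx->recursion > ctx->limits->maxreclevel)` seems the safer form. The patch adds the `recursion` member to cli_ctx in others.h but nothing in it initializes the field; unless the ctx is zeroed where it is set up (outside this patch), the first comparison reads an indeterminate value, so `ctx.recursion = 0;` belongs next to the existing arec/mrec initialization. CL_EMAXREC propagates up through jpeg_check_photoshop_8bim()/jpeg_check_photoshop() and is treated as clean by cli_scanjpeg()'s `== 1` test, which appears intended, but a `cli_dbgmsg()` at the early return would make the truncated scan visible in debug output. The dpatch header of the new file still reads `## 48.vba_unicode.c.dpatch` / `## DP: get_unicode_name() off-by-one buffer overflow`, copied from the previous patch; it should name 49.special.c.dpatch and describe the recursion limit added to cli_check_jpeg_exploit() (#507624).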

Attachment: pgpfDzcgEYOjN.pgp
Description: PGP signature
