Your message dated Thu, 15 Jan 2015 21:17:07 +0000
with message-id <[email protected]>
and subject line Bug#774767: fixed in clamav 0.98.5+dfsg-0+deb7u3
has caused the Debian Bug report #774767,
regarding libmspack: CHM decompression: pointer arithmetic overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
774767: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774767
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libmspack0
Version: 0.4-2
Severity: grave
Tags: security patch
Usertags: afl

The attached patch fixes three pointer arithmetic overflows, which can later cause buffer over-read. (I'm not familiar with the code base, so please double-check the patch.)

Two sample CHM files that trigger segfaults, which are caused by the overflows, are also attached.

This bug does affect ClamAV.

This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl


-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libmspack0 depends on:
ii  libc6              2.19-13
ii  multiarch-support  2.19-13

--
Jakub Wilk
--- a/mspack/chmd.c
+++ b/mspack/chmd.c
@@ -445,7 +445,9 @@
     num_entries = EndGetI16(end);
 
     while (num_entries--) {
-      READ_ENCINT(name_len); name = p; p += name_len;
+      READ_ENCINT(name_len);
+      if (name_len > end - p) goto chunk_end;
+      name = p; p += name_len;
       READ_ENCINT(section);
       READ_ENCINT(offset);
       READ_ENCINT(length);
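Review bot: The new guard `if (name_len > end - p) goto chunk_end;` is only sound if `name_len` is unsigned and `p <= end` still holds after `READ_ENCINT(name_len)`, and neither the declaration nor the macro body is visible in this hunk. With a signed `name_len`, a negative decoded value passes the test and `p += name_len` steps backwards; with `p` already past `end`, the difference is negative and can be converted to a large unsigned value in the comparison. Please confirm both properties, or add an explicit `p > end` test in front of the comparison.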
@@ -746,7 +748,7 @@
 	    /* compare filename with entry QR points to */
 	    p = &chunk[entries_off + (M ? EndGetI16(start - (M << 1)) : 0)];
 	    READ_ENCINT(name_len);
-	    if (p + name_len > end) goto chunk_end;
+	    if (name_len > end - p) goto chunk_end;
 	    cmp = compare(filename, (char *)p, fname_len, name_len);
 
 	    if (cmp == 0) break;
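Review bot: The context line `p = &chunk[entries_off + (M ? EndGetI16(start - (M << 1)) : 0)];` derives `p` from a 16-bit value read out of the chunk, and nothing in the hunk checks that the result lies before `end` before `READ_ENCINT(name_len)` dereferences it. The rewritten `name_len > end - p` test assumes `p <= end`, so consider validating the computed offset against the chunk bounds first and jumping to `chunk_end` otherwise.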
@@ -783,7 +785,7 @@
     *result = NULL;
     while (num_entries-- > 0) {
 	READ_ENCINT(name_len);
-	if (p + name_len > end) goto chunk_end;
+	if (name_len > end - p) goto chunk_end;
 	cmp = compare(filename, (char *)p, fname_len, name_len);
 	p += name_len;
 
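Review bot: The comparison `if (name_len > end - p) goto chunk_end;` now appears at three sites in this patch with no comment saying why it must not be written as `p + name_len > end`. A one-line comment, or a small macro shared by all three sites, would keep the overflow-prone form from being reintroduced in later edits to this loop.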

--- End Message ---
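
The overflow that the report above and the changelog below describe, as an added example that is not part of the original messages or of libmspack. Assumptions: `read_encint` is a hypothetical stand-in for `READ_ENCINT` (whose definition is not on the page), 32-bit addresses are modelled with `uint32_t` so the wrap-around is well defined, and all function names and sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for READ_ENCINT (its definition is not on the page; assumed here:
 * 7 bits per byte, high bit means "more follows"). Never reads at or past end. */
static int read_encint(const uint8_t **pp, const uint8_t *end, uint32_t *out)
{
    uint32_t v = 0;
    uint8_t b;
    do {
        if (*pp >= end) return -1;          /* truncated integer */
        b = *(*pp)++;
        v = (v << 7) | (b & 0x7F);
    } while (b & 0x80);
    *out = v;
    return 0;
}

/* Old test "p + name_len > end", modelled on uint32_t values standing in for
 * i386 addresses so the wrap-around is well defined. 1 = entry accepted. */
static int old_check_accepts(uint32_t p, uint32_t end, uint32_t name_len)
{
    return !((uint32_t)(p + name_len) > end);
}

/* Patched test "name_len > end - p": compares against the bytes that remain,
 * so nothing can wrap. Requires p <= end. 1 = entry accepted. */
static int new_check_accepts(const uint8_t *p, const uint8_t *end, uint32_t name_len)
{
    return !(name_len > (size_t)(end - p));
}

/* Constructed chunk: an ENCINT that decodes to 0xFFFFFFFF, then 3 name bytes.
 * Returns the decoded name_len if the patched test rejects it, else 0. */
static uint32_t sample_rejected_len(void)
{
    static const uint8_t chunk[] = { 0x8F, 0xFF, 0xFF, 0xFF, 0x7F, 'a', 'b', 'c' };
    const uint8_t *p = chunk, *end = chunk + sizeof chunk;
    uint32_t n = 0;
    if (read_encint(&p, end, &n) != 0) return 0;
    return new_check_accepts(p, end, n) ? 0 : n;
}

int main(void)
{
    /* Simulated 32-bit layout: 3 bytes left before end, length 0xFFFFFFFF. */
    printf("old check accepts: %d\n", old_check_accepts(0xBFFFF005u, 0xBFFFF008u, 0xFFFFFFFFu));
    printf("patched check rejects name_len=0x%X\n", (unsigned)sample_rejected_len());
    return 0;
}
```

On a 64-bit build the same oversized length would usually be caught by the old form as well, which matches the changelog's note that the segfault shows up on 32bit.
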
--- Begin Message ---
Source: clamav
Source-Version: 0.98.5+dfsg-0+deb7u3

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated clamav 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Wed, 07 Jan 2015 21:56:21 +0100
Source: clamav
Binary: clamav-base clamav-docs clamav-dbg clamav libclamav-dev libclamav6 
clamav-daemon clamav-testfiles clamav-freshclam clamav-milter
Architecture: source all
Version: 0.98.5+dfsg-0+deb7u3
Distribution: stable
Urgency: medium
Maintainer: ClamAV Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Description: 
 clamav     - anti-virus utility for Unix - command-line interface
 clamav-base - anti-virus utility for Unix - base package
 clamav-daemon - anti-virus utility for Unix - scanner daemon
 clamav-dbg - debug symbols for ClamAV
 clamav-docs - anti-virus utility for Unix - documentation
 clamav-freshclam - anti-virus utility for Unix - virus database update utility
 clamav-milter - anti-virus utility for Unix - sendmail integration
 clamav-testfiles - anti-virus utility for Unix - test files
 libclamav-dev - anti-virus utility for Unix - development files
 libclamav6 - anti-virus utility for Unix - library
Closes: 774766 774767
Changes: 
 clamav (0.98.5+dfsg-0+deb7u3) stable; urgency=medium
 .
   * add "mspack-fix-division-by-zero-in-chm-format-handling" to fix divide
     by zero in the chm unpacker. Found & patch by Jakub Wilk (Closes: #774766).
   * add "mspack-fix-overflow-in-pointer-arithmetic-on-32bit" to avoid overflow
     in pointer arithmetic causing a segfault on 32bit (Closes: #774767).

--- End Message ---
_______________________________________________
Pkg-clamav-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel
