Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu
Dear release team:
I'd like to update the clamav package in Wheezy with the following change:
| * add mspack-fix-division-by-zero-in-chm-format-handling to fix divide
| by zero in the chm unpacked. Found patch by Jakub Wilk (Closes:
| #774766).
| * add mspack-fix-overflow-in-pointer-arithmetic-on-32bit to avoid overflow
| in pointer arithmetic causing a segfault on 32bit (Closes: #774767).
There are two equivalent bugs open against libmspack which is Jessie+
only.
Attaching a slightly edited .debdiff (the pointless index changes have
been removed).
Sebastian
diff -Nru clamav-0.98.5+dfsg/debian/changelog
clamav-0.98.5+dfsg/debian/changelog
--- clamav-0.98.5+dfsg/debian/changelog 2015-01-04 00:41:33.0 +0100
+++ clamav-0.98.5+dfsg/debian/changelog 2015-01-07 21:59:47.0 +0100
@@ -1,3 +1,12 @@
+clamav (0.98.5+dfsg-0+deb7u3) stable; urgency=medium
+
+ * add mspack-fix-division-by-zero-in-chm-format-handling to fix divide
+by zero in the chm unpacked. Found patch by Jakub Wilk (Closes: #774766).
+ * add mspack-fix-overflow-in-pointer-arithmetic-on-32bit to avoid overflow
+in pointer arithmetic causing a segfault on 32bit (Closes: #774767).
+
+ -- Sebastian Andrzej Siewior sebast...@breakpoint.cc Wed, 07 Jan 2015
21:56:21 +0100
+
clamav (0.98.5+dfsg-0+deb7u2) stable; urgency=medium
* Add libmspack-qtmd-fix-frame_end-overflow to avoid endless-loop on
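Review bot: the first new changelog entry reads "in the chm unpacked" where "chm unpacker" is clearly meant; fix the typo before upload, since this text is what ends up in the stable announcement. The two entries otherwise match the two patches added below (0019 for #774766, 0020 for #774767). Minor: as shown here the continuation lines ("by zero in the chm ...", "in pointer arithmetic ...") carry no leading indent, which dch would normally give wrapped bullet text; check the file itself, as the whitespace may simply have been lost in the mail.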
diff -Nru clamav-0.98.5+dfsg/debian/.git-dpm clamav-0.98.5+dfsg/debian/.git-dpm
--- clamav-0.98.5+dfsg/debian/.git-dpm 2015-01-04 00:41:33.0 +0100
+++ clamav-0.98.5+dfsg/debian/.git-dpm 2015-01-07 21:59:47.0 +0100
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-a0449d2079c4ba5822e6567ad7094c10108f16cd
-a0449d2079c4ba5822e6567ad7094c10108f16cd
+1a5b9b3aba6e15f6c7371aa23adbc0600a0cf830
+1a5b9b3aba6e15f6c7371aa23adbc0600a0cf830
14c3d5ca803fd6baa5ab413e87ca6d6bb2e26a3d
14c3d5ca803fd6baa5ab413e87ca6d6bb2e26a3d
clamav_0.98.5+dfsg.orig.tar.xz
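Review bot: the new patched-tree commit 1a5b9b3aba6e15f6c7371aa23adbc0600a0cf830 recorded here is the same id as the From line of patch 0020 below, so the git-dpm metadata is consistent with the exported patch series; nothing to change in this hunk.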
diff -Nru
clamav-0.98.5+dfsg/debian/patches/0019-mspack-fix-division-by-zero-in-chm-format-handling.patch
clamav-0.98.5+dfsg/debian/patches/0019-mspack-fix-division-by-zero-in-chm-format-handling.patch
---
clamav-0.98.5+dfsg/debian/patches/0019-mspack-fix-division-by-zero-in-chm-format-handling.patch
1970-01-01 01:00:00.0 +0100
+++
clamav-0.98.5+dfsg/debian/patches/0019-mspack-fix-division-by-zero-in-chm-format-handling.patch
2015-01-07 21:59:48.0 +0100
@@ -0,0 +1,30 @@
+From c673c5b4aabdd1d71fe9cc2df67f394e6038404d Mon Sep 17 00:00:00 2001
+From: Jakub Wilk jw...@debian.org
+Date: Wed, 7 Jan 2015 14:05:38 +0100
+Subject: mspack: fix division by zero in chm format handling
+
+Fix division by 0 error found by special crated .chm by AFL.
+
+BTS:
+ https://bugs.debian.org/774725
+ https://bugs.debian.org/774766
+
+[bigeasy: patch description]
+Signed-off-by: Sebastian Andrzej Siewior sebast...@breakpoint.cc
+---
+ libclamav/libmspack-0.4alpha/mspack/chmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libclamav/libmspack-0.4alpha/mspack/chmd.c
b/libclamav/libmspack-0.4alpha/mspack/chmd.c
+index 19dc47b..005c930 100644
+--- a/libclamav/libmspack-0.4alpha/mspack/chmd.c
b/libclamav/libmspack-0.4alpha/mspack/chmd.c
+@@ -1123,7 +1123,7 @@ static int chmd_init_decomp(struct mschm_decompressor_p
*self,
+ }
+
+ /* validate reset_interval */
+- if (reset_interval % LZX_FRAME_SIZE) {
++ if (reset_interval % LZX_FRAME_SIZE || !reset_interval) {
+ D((bad controldata reset interval))
+ return self-error = MSPACK_ERR_DATAFORMAT;
+ }
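Review bot: the added `|| !reset_interval` is what actually closes the bug: a reset_interval of 0 satisfies `0 % LZX_FRAME_SIZE == 0` and so passed the original check, which only enforced the multiple-of-frame-size property. The description should say where reset_interval is later used as a divisor, since this hunk only shows the validation site and the subject line is the only hint that a division follows. Two smaller points: "special crated" in the description should read "specially crafted", and the patch as shown here has `self-error` and an unquoted `D((bad controldata reset interval))`, which look like `->` and `"` characters dropped in transit, so confirm that the file in debian/patches applies and builds cleanly.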
diff -Nru
clamav-0.98.5+dfsg/debian/patches/0020-mspack-fix-overflow-in-pointer-arithmetic-on-32bit.patch
clamav-0.98.5+dfsg/debian/patches/0020-mspack-fix-overflow-in-pointer-arithmetic-on-32bit.patch
---
clamav-0.98.5+dfsg/debian/patches/0020-mspack-fix-overflow-in-pointer-arithmetic-on-32bit.patch
1970-01-01 01:00:00.0 +0100
+++
clamav-0.98.5+dfsg/debian/patches/0020-mspack-fix-overflow-in-pointer-arithmetic-on-32bit.patch
2015-01-07 21:59:48.0 +0100
@@ -0,0 +1,63 @@
+From 1a5b9b3aba6e15f6c7371aa23adbc0600a0cf830 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior sebast...@breakpoint.cc
+Date: Wed, 7 Jan 2015 21:31:36 +0100
+Subject: mspack: fix overflow in pointer arithmetic on 32bit
+
+There are two checks to ensure that the encoded length of the file name does
not
+exceed the length of the memory where it is stored. That check is written as
+ p + name_len end
+
+in general it works. On 32bit architectures it is possible that a large
name_len
+overflows and p + name_len is less than p and therefore also less than end and
+the check does not catch it.
+Jakub rewrote the check as
+ name_len end - p
+
+so name_len is compared against the remaining space in the memory chunk.
+
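Review bot: the description as shown has lost its comparison operators (`p + name_len end` and `name_len end - p`), so the direction of both checks can only be inferred from the surrounding prose; please confirm the patch file itself has them intact. On the logic: moving name_len to the right-hand side does remove the wraparound of `p + name_len` on 32-bit, but `end - p` is only a meaningful remaining size when `p <= end` already holds at both check sites, and the description should state that this is guaranteed there (otherwise the subtraction becomes the new overflow). The excerpt also ends before the code hunks for the two checks, so the actual changes could not be reviewed here.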