Security fixes CVE-2017-6420 (#1483910), CVE-2017-6419 (#1483909),

CVE-2017-6418 (#1483908)
2018-01-11 03:18:45 +00:00 · 2018-01-11 03:18:45 +00:00 · 1d4f821e90
commit 1d4f821e90
parent e817c70f8e
4 changed files with 135 additions and 1 deletions
--- a/586a5180287262070637c8943f2f7efd652e4a2c.patch
+++ b/586a5180287262070637c8943f2f7efd652e4a2c.patch
@ -0,0 +1,37 @@
+From 586a5180287262070637c8943f2f7efd652e4a2c Mon Sep 17 00:00:00 2001
+From: Steven Morgan <stevmorg@cisco.com>
+Date: Thu, 2 Mar 2017 14:41:20 -0500
+Subject: [PATCH] bb11797 - fix invalid read in fuzzed mail file.
+
+---
+ libclamav/message.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/libclamav/message.c b/libclamav/message.c
+index b5cf0ddc7..36bbf417d 100644
+--- a/libclamav/message.c
+++ b/libclamav/message.c
+@@ -445,8 +445,12 @@ messageAddArgument(message *m, const char *arg)
+ 			 * FIXME: Bounce message handling is corrupting the in
+ 			 * core copies of headers
+ 			 */
+-			cli_dbgmsg("Possible data corruption fixed\n");
+-			p[8] = '=';
+                        if (strlen(p) > 8) {
+                            cli_dbgmsg("Possible data corruption fixed\n");
+                            p[8] = '=';
+                        } else {
+                            cli_dbgmsg("Possible data corruption not fixed\n");
+                        }
+ 		} else {
+ 			if(*p)
+ 				cli_dbgmsg("messageAddArgument, '%s' contains no '='\n", p);
+@@ -682,7 +686,7 @@ messageFindArgument(const message *m, const char *variable)
+ 				cli_dbgmsg("messageFindArgument: no '=' sign found in MIME header '%s' (%s)\n", variable, messageGetArgument(m, i));
+ 				return NULL;
+ 			}
+-			if((*++ptr == '"') && (strchr(&ptr[1], '"') != NULL)) {
+			if((strlen(ptr) > 2) && (*++ptr == '"') && (strchr(&ptr[1], '"') != NULL)) {
+ 				/* Remove any quote characters */
+ 				char *ret = cli_strdup(++ptr);
+ 				char *p;
--- a/a83773682e856ad6529ba6db8d1792e6d515d7f1.patch
+++ b/a83773682e856ad6529ba6db8d1792e6d515d7f1.patch
@ -0,0 +1,58 @@
+From a83773682e856ad6529ba6db8d1792e6d515d7f1 Mon Sep 17 00:00:00 2001
+From: Mickey Sola <msola@sourcefire.com>
+Date: Wed, 29 Mar 2017 14:55:26 -0400
+Subject: [PATCH] fixing potential OOB window write when unpacking chm files
+
+---
+ libclamav/libmspack-0.5alpha/mspack/lzxd.c | 11 +++++++++--
+ libclamav/libmspack.c                      |  6 +++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/libclamav/libmspack-0.5alpha/mspack/lzxd.c b/libclamav/libmspack-0.5alpha/mspack/lzxd.c
+index 2281e7b9d..45105a583 100644
+--- a/libclamav/libmspack-0.5alpha/mspack/lzxd.c
+++ b/libclamav/libmspack-0.5alpha/mspack/lzxd.c
+@@ -766,8 +766,13 @@ int lzxd_decompress(struct lzxd_stream *lzx, off_t out_bytes) {
+       case LZX_BLOCKTYPE_UNCOMPRESSED:
+ 	/* as this_run is limited not to wrap a frame, this also means it
+ 	 * won't wrap the window (as the window is a multiple of 32k) */
+        if (window_posn + this_run > lzx->window_size) {
+                D(("match ran over window boundary"))
+                return lzx->error = MSPACK_ERR_DECRUNCH;
+        }
+ 	rundest = &window[window_posn];
+ 	window_posn += this_run;
+
+ 	while (this_run > 0) {
+ 	  if ((i = i_end - i_ptr) == 0) {
+ 	    READ_IF_NEEDED;
+@@ -888,8 +893,10 @@ void lzxd_free(struct lzxd_stream *lzx) {
+   struct mspack_system *sys;
+   if (lzx) {
+     sys = lzx->sys;
+-    sys->free(lzx->inbuf);
+-    sys->free(lzx->window);
+    if(lzx->inbuf)
+        sys->free(lzx->inbuf);
+    if(lzx->window)
+        sys->free(lzx->window);
+     sys->free(lzx);
+   }
+ }
+diff --git a/libclamav/libmspack.c b/libclamav/libmspack.c
+index d9b05ec25..22bc1a11e 100644
+--- a/libclamav/libmspack.c
+++ b/libclamav/libmspack.c
+@@ -264,7 +264,11 @@ static void *mspack_fmap_alloc(struct mspack_system *self, size_t num)
+ 
+ static void mspack_fmap_free(void *mem)
+ {
+-	free(mem);
+    if(mem) {
+        free(mem);
+        mem = NULL;
+    }
+    return;
+ }
+ 
+ static void mspack_fmap_copy(void *src, void *dst, size_t num)
--- a/clamav.spec
+++ b/clamav.spec
@ -70,7 +70,7 @@ Requires(postun):    /bin/systemctl\
 Summary:    End-user tools for the Clam Antivirus scanner
 Name:       clamav
 Version:    0.99.2
-Release:    16%{?dist}
+Release:    17%{?dist}
 License:    %{?with_unrar:proprietary}%{!?with_unrar:GPLv2}
 Group:      Applications/File
 URL:        http://www.clamav.net
@ -127,6 +127,11 @@ Patch30:    llvm-glibc.patch
 Patch31:    clamav-0.99.1-setsebool.patch
 Patch32:    fa15aa98c7d5e1d8fc22e818ebd089f2e53ebe1d.diff
 Patch33:    clamav-0.99.2-temp-cleanup.patch
+Patch34:    dfc00cd3301a42b571454b51a6102eecf58407bc.patch
+Patch35:    a83773682e856ad6529ba6db8d1792e6d515d7f1.patch
+Patch36:    586a5180287262070637c8943f2f7efd652e4a2c.patch
+
+

 BuildRequires:  autoconf automake gettext-devel libtool libtool-ltdl-devel
 BuildRequires:  zlib-devel bzip2-devel gmp-devel curl-devel
@ -457,6 +462,9 @@ The systemd initscripts for clamav-scanner.
 %apply -n31 -p1 -b .setsebool
 %apply -n32 -p1 -b .openssl_1.1.0
 %apply -n33 -p1 -b .temp-cleanup
+%apply -n34 -p1 -b .CVE-2017-6420
+%apply -n35 -p1 -b .CVE-2017-6419
+%apply -n36 -p1 -b .CVE-2017-6418 
 %{?apply_end}

 install -p -m0644 %SOURCE300 clamav-milter/
@ -934,6 +942,10 @@ test "$1" != "0" || /sbin/initctl -q stop clamav-milter || :


 %changelog
+* Thu Jan 11 2018 Sérgio Basto <sergio@serjux.com> - 0.99.2-17
+- Security fixes CVE-2017-6420 (#1483910), CVE-2017-6419 (#1483909),
+  CVE-2017-6418 (#1483908)
+
 * Tue Jan 09 2018 Sérgio Basto <sergio@serjux.com> - 0.99.2-16
 - Make sure that Obsoletes sysv and upstart for Epel upgrade and update

--- a/dfc00cd3301a42b571454b51a6102eecf58407bc.patch
+++ b/dfc00cd3301a42b571454b51a6102eecf58407bc.patch
@ -0,0 +1,27 @@
+From dfc00cd3301a42b571454b51a6102eecf58407bc Mon Sep 17 00:00:00 2001
+From: Steven Morgan <stevmorg@cisco.com>
+Date: Fri, 3 Mar 2017 13:56:28 -0500
+Subject: [PATCH] bb19798 - fix out of bound memory access for crafted wwunpack
+ file.
+
+---
+ libclamav/wwunpack.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libclamav/wwunpack.c b/libclamav/wwunpack.c
+index 8611cb604..38c18081c 100644
+--- a/libclamav/wwunpack.c
+++ b/libclamav/wwunpack.c
+@@ -226,6 +226,12 @@ int wwunpack(uint8_t *exe, uint32_t exesz, uint8_t *wwsect, struct cli_exe_secti
+ 	return CL_EFORMAT;
+     exe[pe+6]=(uint8_t)scount;
+     exe[pe+7]=(uint8_t)(scount>>8);
+    if (!CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295, 4) ||
+        !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva, 4) ||
+        !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva+0x299, 4)) {
+        cli_dbgmsg("WWPack: unpack memory address out of bounds.\n");
+        return CL_EFORMAT;
+    }
+     cli_writeint32(&exe[pe+0x28], cli_readint32(wwsect+0x295)+sects[scount].rva+0x299);
+     cli_writeint32(&exe[pe+0x50], cli_readint32(&exe[pe+0x50])-sects[scount].vsz);
+