From 1d4f821e9094a183bdb4cc47d392c91b157abad5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9rgio=20M=2E=20Basto?= Date: Thu, 11 Jan 2018 03:18:45 +0000 Subject: [PATCH] Security fixes CVE-2017-6420 (#1483910), CVE-2017-6419 (#1483909), CVE-2017-6418 (#1483908) --- ...5180287262070637c8943f2f7efd652e4a2c.patch | 37 ++++++++++++ ...73682e856ad6529ba6db8d1792e6d515d7f1.patch | 58 +++++++++++++++++++ clamav.spec | 14 ++++- ...0cd3301a42b571454b51a6102eecf58407bc.patch | 27 +++++++++ 4 files changed, 135 insertions(+), 1 deletion(-) create mode 100644 586a5180287262070637c8943f2f7efd652e4a2c.patch create mode 100644 a83773682e856ad6529ba6db8d1792e6d515d7f1.patch create mode 100644 dfc00cd3301a42b571454b51a6102eecf58407bc.patch diff --git a/586a5180287262070637c8943f2f7efd652e4a2c.patch b/586a5180287262070637c8943f2f7efd652e4a2c.patch new file mode 100644 index 0000000..e8ed4de --- /dev/null +++ b/586a5180287262070637c8943f2f7efd652e4a2c.patch @@ -0,0 +1,37 @@ +From 586a5180287262070637c8943f2f7efd652e4a2c Mon Sep 17 00:00:00 2001 +From: Steven Morgan +Date: Thu, 2 Mar 2017 14:41:20 -0500 +Subject: [PATCH] bb11797 - fix invalid read in fuzzed mail file. + +--- + libclamav/message.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/libclamav/message.c b/libclamav/message.c +index b5cf0ddc7..36bbf417d 100644 +--- a/libclamav/message.c ++++ b/libclamav/message.c +@@ -445,8 +445,12 @@ messageAddArgument(message *m, const char *arg) + * FIXME: Bounce message handling is corrupting the in + * core copies of headers + */ +- cli_dbgmsg("Possible data corruption fixed\n"); +- p[8] = '='; ++ if (strlen(p) > 8) { ++ cli_dbgmsg("Possible data corruption fixed\n"); ++ p[8] = '='; ++ } else { ++ cli_dbgmsg("Possible data corruption not fixed\n"); ++ } + } else { + if(*p) + cli_dbgmsg("messageAddArgument, '%s' contains no '='\n", p); +@@ -682,7 +686,7 @@ messageFindArgument(const message *m, const char *variable) + cli_dbgmsg("messageFindArgument: no '=' sign found in MIME header '%s' (%s)\n", variable, messageGetArgument(m, i)); + return NULL; + } +- if((*++ptr == '"') && (strchr(&ptr[1], '"') != NULL)) { ++ if((strlen(ptr) > 2) && (*++ptr == '"') && (strchr(&ptr[1], '"') != NULL)) { + /* Remove any quote characters */ + char *ret = cli_strdup(++ptr); + char *p; diff --git a/a83773682e856ad6529ba6db8d1792e6d515d7f1.patch b/a83773682e856ad6529ba6db8d1792e6d515d7f1.patch new file mode 100644 index 0000000..b58ed23 --- /dev/null +++ b/a83773682e856ad6529ba6db8d1792e6d515d7f1.patch @@ -0,0 +1,58 @@ +From a83773682e856ad6529ba6db8d1792e6d515d7f1 Mon Sep 17 00:00:00 2001 +From: Mickey Sola +Date: Wed, 29 Mar 2017 14:55:26 -0400 +Subject: [PATCH] fixing potential OOB window write when unpacking chm files + +--- + libclamav/libmspack-0.5alpha/mspack/lzxd.c | 11 +++++++++-- + libclamav/libmspack.c | 6 +++++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/libclamav/libmspack-0.5alpha/mspack/lzxd.c b/libclamav/libmspack-0.5alpha/mspack/lzxd.c +index 2281e7b9d..45105a583 100644 +--- a/libclamav/libmspack-0.5alpha/mspack/lzxd.c ++++ b/libclamav/libmspack-0.5alpha/mspack/lzxd.c +@@ -766,8 +766,13 @@ int lzxd_decompress(struct lzxd_stream *lzx, off_t out_bytes) { + case LZX_BLOCKTYPE_UNCOMPRESSED: + /* as this_run is limited not to wrap a frame, this also means it + * won't wrap the window (as the window is a multiple of 32k) */ ++ if (window_posn + this_run > lzx->window_size) { ++ D(("match ran over window boundary")) ++ return lzx->error = MSPACK_ERR_DECRUNCH; ++ } + rundest = &window[window_posn]; + window_posn += this_run; ++ + while (this_run > 0) { + if ((i = i_end - i_ptr) == 0) { + READ_IF_NEEDED; +@@ -888,8 +893,10 @@ void lzxd_free(struct lzxd_stream *lzx) { + struct mspack_system *sys; + if (lzx) { + sys = lzx->sys; +- sys->free(lzx->inbuf); +- sys->free(lzx->window); ++ if(lzx->inbuf) ++ sys->free(lzx->inbuf); ++ if(lzx->window) ++ sys->free(lzx->window); + sys->free(lzx); + } + } +diff --git a/libclamav/libmspack.c b/libclamav/libmspack.c +index d9b05ec25..22bc1a11e 100644 +--- a/libclamav/libmspack.c ++++ b/libclamav/libmspack.c +@@ -264,7 +264,11 @@ static void *mspack_fmap_alloc(struct mspack_system *self, size_t num) + + static void mspack_fmap_free(void *mem) + { +- free(mem); ++ if(mem) { ++ free(mem); ++ mem = NULL; ++ } ++ return; + } + + static void mspack_fmap_copy(void *src, void *dst, size_t num) diff --git a/clamav.spec b/clamav.spec index 2696454..4af31f7 100644 --- a/clamav.spec +++ b/clamav.spec @@ -70,7 +70,7 @@ Requires(postun): /bin/systemctl\ Summary: End-user tools for the Clam Antivirus scanner Name: clamav Version: 0.99.2 -Release: 16%{?dist} +Release: 17%{?dist} License: %{?with_unrar:proprietary}%{!?with_unrar:GPLv2} Group: Applications/File URL: http://www.clamav.net @@ -127,6 +127,11 @@ Patch30: llvm-glibc.patch Patch31: clamav-0.99.1-setsebool.patch Patch32: fa15aa98c7d5e1d8fc22e818ebd089f2e53ebe1d.diff Patch33: clamav-0.99.2-temp-cleanup.patch +Patch34: dfc00cd3301a42b571454b51a6102eecf58407bc.patch +Patch35: a83773682e856ad6529ba6db8d1792e6d515d7f1.patch +Patch36: 586a5180287262070637c8943f2f7efd652e4a2c.patch + + BuildRequires: autoconf automake gettext-devel libtool libtool-ltdl-devel BuildRequires: zlib-devel bzip2-devel gmp-devel curl-devel @@ -457,6 +462,9 @@ The systemd initscripts for clamav-scanner. %apply -n31 -p1 -b .setsebool %apply -n32 -p1 -b .openssl_1.1.0 %apply -n33 -p1 -b .temp-cleanup +%apply -n34 -p1 -b .CVE-2017-6420 +%apply -n35 -p1 -b .CVE-2017-6419 +%apply -n36 -p1 -b .CVE-2017-6418 %{?apply_end} install -p -m0644 %SOURCE300 clamav-milter/ @@ -934,6 +942,10 @@ test "$1" != "0" || /sbin/initctl -q stop clamav-milter || : %changelog +* Thu Jan 11 2018 Sérgio Basto - 0.99.2-17 +- Security fixes CVE-2017-6420 (#1483910), CVE-2017-6419 (#1483909), + CVE-2017-6418 (#1483908) + * Tue Jan 09 2018 Sérgio Basto - 0.99.2-16 - Make sure that Obsoletes sysv and upstart for Epel upgrade and update diff --git a/dfc00cd3301a42b571454b51a6102eecf58407bc.patch b/dfc00cd3301a42b571454b51a6102eecf58407bc.patch new file mode 100644 index 0000000..47109dd --- /dev/null +++ b/dfc00cd3301a42b571454b51a6102eecf58407bc.patch @@ -0,0 +1,27 @@ +From dfc00cd3301a42b571454b51a6102eecf58407bc Mon Sep 17 00:00:00 2001 +From: Steven Morgan +Date: Fri, 3 Mar 2017 13:56:28 -0500 +Subject: [PATCH] bb19798 - fix out of bound memory access for crafted wwunpack + file. + +--- + libclamav/wwunpack.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/libclamav/wwunpack.c b/libclamav/wwunpack.c +index 8611cb604..38c18081c 100644 +--- a/libclamav/wwunpack.c ++++ b/libclamav/wwunpack.c +@@ -226,6 +226,12 @@ int wwunpack(uint8_t *exe, uint32_t exesz, uint8_t *wwsect, struct cli_exe_secti + return CL_EFORMAT; + exe[pe+6]=(uint8_t)scount; + exe[pe+7]=(uint8_t)(scount>>8); ++ if (!CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295, 4) || ++ !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva, 4) || ++ !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva+0x299, 4)) { ++ cli_dbgmsg("WWPack: unpack memory address out of bounds.\n"); ++ return CL_EFORMAT; ++ } + cli_writeint32(&exe[pe+0x28], cli_readint32(wwsect+0x295)+sects[scount].rva+0x299); + cli_writeint32(&exe[pe+0x50], cli_readint32(&exe[pe+0x50])-sects[scount].vsz); +