CVE-2017-6418 (#1483908)
This commit is contained in:
parent
e817c70f8e
commit
1d4f821e90
37
586a5180287262070637c8943f2f7efd652e4a2c.patch
Normal file
37
586a5180287262070637c8943f2f7efd652e4a2c.patch
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
From 586a5180287262070637c8943f2f7efd652e4a2c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Steven Morgan <stevmorg@cisco.com>
|
||||||
|
Date: Thu, 2 Mar 2017 14:41:20 -0500
|
||||||
|
Subject: [PATCH] bb11797 - fix invalid read in fuzzed mail file.
|
||||||
|
|
||||||
|
---
|
||||||
|
libclamav/message.c | 10 +++++++---
|
||||||
|
1 file changed, 7 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libclamav/message.c b/libclamav/message.c
|
||||||
|
index b5cf0ddc7..36bbf417d 100644
|
||||||
|
--- a/libclamav/message.c
|
||||||
|
+++ b/libclamav/message.c
|
||||||
|
@@ -445,8 +445,12 @@ messageAddArgument(message *m, const char *arg)
|
||||||
|
* FIXME: Bounce message handling is corrupting the in
|
||||||
|
* core copies of headers
|
||||||
|
*/
|
||||||
|
- cli_dbgmsg("Possible data corruption fixed\n");
|
||||||
|
- p[8] = '=';
|
||||||
|
+ if (strlen(p) > 8) {
|
||||||
|
+ cli_dbgmsg("Possible data corruption fixed\n");
|
||||||
|
+ p[8] = '=';
|
||||||
|
+ } else {
|
||||||
|
+ cli_dbgmsg("Possible data corruption not fixed\n");
|
||||||
|
+ }
|
||||||
|
} else {
|
||||||
|
if(*p)
|
||||||
|
cli_dbgmsg("messageAddArgument, '%s' contains no '='\n", p);
|
||||||
|
@@ -682,7 +686,7 @@ messageFindArgument(const message *m, const char *variable)
|
||||||
|
cli_dbgmsg("messageFindArgument: no '=' sign found in MIME header '%s' (%s)\n", variable, messageGetArgument(m, i));
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
- if((*++ptr == '"') && (strchr(&ptr[1], '"') != NULL)) {
|
||||||
|
+ if((strlen(ptr) > 2) && (*++ptr == '"') && (strchr(&ptr[1], '"') != NULL)) {
|
||||||
|
/* Remove any quote characters */
|
||||||
|
char *ret = cli_strdup(++ptr);
|
||||||
|
char *p;
|
58
a83773682e856ad6529ba6db8d1792e6d515d7f1.patch
Normal file
58
a83773682e856ad6529ba6db8d1792e6d515d7f1.patch
Normal file
@ -0,0 +1,58 @@
|
|||||||
|
From a83773682e856ad6529ba6db8d1792e6d515d7f1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mickey Sola <msola@sourcefire.com>
|
||||||
|
Date: Wed, 29 Mar 2017 14:55:26 -0400
|
||||||
|
Subject: [PATCH] fixing potential OOB window write when unpacking chm files
|
||||||
|
|
||||||
|
---
|
||||||
|
libclamav/libmspack-0.5alpha/mspack/lzxd.c | 11 +++++++++--
|
||||||
|
libclamav/libmspack.c | 6 +++++-
|
||||||
|
2 files changed, 14 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libclamav/libmspack-0.5alpha/mspack/lzxd.c b/libclamav/libmspack-0.5alpha/mspack/lzxd.c
|
||||||
|
index 2281e7b9d..45105a583 100644
|
||||||
|
--- a/libclamav/libmspack-0.5alpha/mspack/lzxd.c
|
||||||
|
+++ b/libclamav/libmspack-0.5alpha/mspack/lzxd.c
|
||||||
|
@@ -766,8 +766,13 @@ int lzxd_decompress(struct lzxd_stream *lzx, off_t out_bytes) {
|
||||||
|
case LZX_BLOCKTYPE_UNCOMPRESSED:
|
||||||
|
/* as this_run is limited not to wrap a frame, this also means it
|
||||||
|
* won't wrap the window (as the window is a multiple of 32k) */
|
||||||
|
+ if (window_posn + this_run > lzx->window_size) {
|
||||||
|
+ D(("match ran over window boundary"))
|
||||||
|
+ return lzx->error = MSPACK_ERR_DECRUNCH;
|
||||||
|
+ }
|
||||||
|
rundest = &window[window_posn];
|
||||||
|
window_posn += this_run;
|
||||||
|
+
|
||||||
|
while (this_run > 0) {
|
||||||
|
if ((i = i_end - i_ptr) == 0) {
|
||||||
|
READ_IF_NEEDED;
|
||||||
|
@@ -888,8 +893,10 @@ void lzxd_free(struct lzxd_stream *lzx) {
|
||||||
|
struct mspack_system *sys;
|
||||||
|
if (lzx) {
|
||||||
|
sys = lzx->sys;
|
||||||
|
- sys->free(lzx->inbuf);
|
||||||
|
- sys->free(lzx->window);
|
||||||
|
+ if(lzx->inbuf)
|
||||||
|
+ sys->free(lzx->inbuf);
|
||||||
|
+ if(lzx->window)
|
||||||
|
+ sys->free(lzx->window);
|
||||||
|
sys->free(lzx);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
diff --git a/libclamav/libmspack.c b/libclamav/libmspack.c
|
||||||
|
index d9b05ec25..22bc1a11e 100644
|
||||||
|
--- a/libclamav/libmspack.c
|
||||||
|
+++ b/libclamav/libmspack.c
|
||||||
|
@@ -264,7 +264,11 @@ static void *mspack_fmap_alloc(struct mspack_system *self, size_t num)
|
||||||
|
|
||||||
|
static void mspack_fmap_free(void *mem)
|
||||||
|
{
|
||||||
|
- free(mem);
|
||||||
|
+ if(mem) {
|
||||||
|
+ free(mem);
|
||||||
|
+ mem = NULL;
|
||||||
|
+ }
|
||||||
|
+ return;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void mspack_fmap_copy(void *src, void *dst, size_t num)
|
14
clamav.spec
14
clamav.spec
@ -70,7 +70,7 @@ Requires(postun): /bin/systemctl\
|
|||||||
Summary: End-user tools for the Clam Antivirus scanner
|
Summary: End-user tools for the Clam Antivirus scanner
|
||||||
Name: clamav
|
Name: clamav
|
||||||
Version: 0.99.2
|
Version: 0.99.2
|
||||||
Release: 16%{?dist}
|
Release: 17%{?dist}
|
||||||
License: %{?with_unrar:proprietary}%{!?with_unrar:GPLv2}
|
License: %{?with_unrar:proprietary}%{!?with_unrar:GPLv2}
|
||||||
Group: Applications/File
|
Group: Applications/File
|
||||||
URL: http://www.clamav.net
|
URL: http://www.clamav.net
|
||||||
@ -127,6 +127,11 @@ Patch30: llvm-glibc.patch
|
|||||||
Patch31: clamav-0.99.1-setsebool.patch
|
Patch31: clamav-0.99.1-setsebool.patch
|
||||||
Patch32: fa15aa98c7d5e1d8fc22e818ebd089f2e53ebe1d.diff
|
Patch32: fa15aa98c7d5e1d8fc22e818ebd089f2e53ebe1d.diff
|
||||||
Patch33: clamav-0.99.2-temp-cleanup.patch
|
Patch33: clamav-0.99.2-temp-cleanup.patch
|
||||||
|
Patch34: dfc00cd3301a42b571454b51a6102eecf58407bc.patch
|
||||||
|
Patch35: a83773682e856ad6529ba6db8d1792e6d515d7f1.patch
|
||||||
|
Patch36: 586a5180287262070637c8943f2f7efd652e4a2c.patch
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
BuildRequires: autoconf automake gettext-devel libtool libtool-ltdl-devel
|
BuildRequires: autoconf automake gettext-devel libtool libtool-ltdl-devel
|
||||||
BuildRequires: zlib-devel bzip2-devel gmp-devel curl-devel
|
BuildRequires: zlib-devel bzip2-devel gmp-devel curl-devel
|
||||||
@ -457,6 +462,9 @@ The systemd initscripts for clamav-scanner.
|
|||||||
%apply -n31 -p1 -b .setsebool
|
%apply -n31 -p1 -b .setsebool
|
||||||
%apply -n32 -p1 -b .openssl_1.1.0
|
%apply -n32 -p1 -b .openssl_1.1.0
|
||||||
%apply -n33 -p1 -b .temp-cleanup
|
%apply -n33 -p1 -b .temp-cleanup
|
||||||
|
%apply -n34 -p1 -b .CVE-2017-6420
|
||||||
|
%apply -n35 -p1 -b .CVE-2017-6419
|
||||||
|
%apply -n36 -p1 -b .CVE-2017-6418
|
||||||
%{?apply_end}
|
%{?apply_end}
|
||||||
|
|
||||||
install -p -m0644 %SOURCE300 clamav-milter/
|
install -p -m0644 %SOURCE300 clamav-milter/
|
||||||
@ -934,6 +942,10 @@ test "$1" != "0" || /sbin/initctl -q stop clamav-milter || :
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jan 11 2018 Sérgio Basto <sergio@serjux.com> - 0.99.2-17
|
||||||
|
- Security fixes CVE-2017-6420 (#1483910), CVE-2017-6419 (#1483909),
|
||||||
|
CVE-2017-6418 (#1483908)
|
||||||
|
|
||||||
* Tue Jan 09 2018 Sérgio Basto <sergio@serjux.com> - 0.99.2-16
|
* Tue Jan 09 2018 Sérgio Basto <sergio@serjux.com> - 0.99.2-16
|
||||||
- Make sure that Obsoletes sysv and upstart for Epel upgrade and update
|
- Make sure that Obsoletes sysv and upstart for Epel upgrade and update
|
||||||
|
|
||||||
|
27
dfc00cd3301a42b571454b51a6102eecf58407bc.patch
Normal file
27
dfc00cd3301a42b571454b51a6102eecf58407bc.patch
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
From dfc00cd3301a42b571454b51a6102eecf58407bc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Steven Morgan <stevmorg@cisco.com>
|
||||||
|
Date: Fri, 3 Mar 2017 13:56:28 -0500
|
||||||
|
Subject: [PATCH] bb19798 - fix out of bound memory access for crafted wwunpack
|
||||||
|
file.
|
||||||
|
|
||||||
|
---
|
||||||
|
libclamav/wwunpack.c | 6 ++++++
|
||||||
|
1 file changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/libclamav/wwunpack.c b/libclamav/wwunpack.c
|
||||||
|
index 8611cb604..38c18081c 100644
|
||||||
|
--- a/libclamav/wwunpack.c
|
||||||
|
+++ b/libclamav/wwunpack.c
|
||||||
|
@@ -226,6 +226,12 @@ int wwunpack(uint8_t *exe, uint32_t exesz, uint8_t *wwsect, struct cli_exe_secti
|
||||||
|
return CL_EFORMAT;
|
||||||
|
exe[pe+6]=(uint8_t)scount;
|
||||||
|
exe[pe+7]=(uint8_t)(scount>>8);
|
||||||
|
+ if (!CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295, 4) ||
|
||||||
|
+ !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva, 4) ||
|
||||||
|
+ !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva+0x299, 4)) {
|
||||||
|
+ cli_dbgmsg("WWPack: unpack memory address out of bounds.\n");
|
||||||
|
+ return CL_EFORMAT;
|
||||||
|
+ }
|
||||||
|
cli_writeint32(&exe[pe+0x28], cli_readint32(wwsect+0x295)+sects[scount].rva+0x299);
|
||||||
|
cli_writeint32(&exe[pe+0x50], cli_readint32(&exe[pe+0x50])-sects[scount].vsz);
|
||||||
|
|
Loading…
Reference in New Issue
Block a user