Security fixes CVE-2017-6420 (#1483910), CVE-2017-6419 (#1483909),

CVE-2017-6418 (#1483908)
This commit is contained in:
Sérgio M. Basto 2018-01-11 03:18:45 +00:00
parent e817c70f8e
commit 1d4f821e90
4 changed files with 135 additions and 1 deletions

View File

@ -0,0 +1,37 @@
From 586a5180287262070637c8943f2f7efd652e4a2c Mon Sep 17 00:00:00 2001
From: Steven Morgan <stevmorg@cisco.com>
Date: Thu, 2 Mar 2017 14:41:20 -0500
Subject: [PATCH] bb11797 - fix invalid read in fuzzed mail file.
---
libclamav/message.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/libclamav/message.c b/libclamav/message.c
index b5cf0ddc7..36bbf417d 100644
--- a/libclamav/message.c
+++ b/libclamav/message.c
@@ -445,8 +445,12 @@ messageAddArgument(message *m, const char *arg)
* FIXME: Bounce message handling is corrupting the in
* core copies of headers
*/
- cli_dbgmsg("Possible data corruption fixed\n");
- p[8] = '=';
+ if (strlen(p) > 8) {
+ cli_dbgmsg("Possible data corruption fixed\n");
+ p[8] = '=';
+ } else {
+ cli_dbgmsg("Possible data corruption not fixed\n");
+ }
} else {
if(*p)
cli_dbgmsg("messageAddArgument, '%s' contains no '='\n", p);
@@ -682,7 +686,7 @@ messageFindArgument(const message *m, const char *variable)
cli_dbgmsg("messageFindArgument: no '=' sign found in MIME header '%s' (%s)\n", variable, messageGetArgument(m, i));
return NULL;
}
- if((*++ptr == '"') && (strchr(&ptr[1], '"') != NULL)) {
+ if((strlen(ptr) > 2) && (*++ptr == '"') && (strchr(&ptr[1], '"') != NULL)) {
/* Remove any quote characters */
char *ret = cli_strdup(++ptr);
char *p;

View File

@ -0,0 +1,58 @@
From a83773682e856ad6529ba6db8d1792e6d515d7f1 Mon Sep 17 00:00:00 2001
From: Mickey Sola <msola@sourcefire.com>
Date: Wed, 29 Mar 2017 14:55:26 -0400
Subject: [PATCH] fixing potential OOB window write when unpacking chm files
---
libclamav/libmspack-0.5alpha/mspack/lzxd.c | 11 +++++++++--
libclamav/libmspack.c | 6 +++++-
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/libclamav/libmspack-0.5alpha/mspack/lzxd.c b/libclamav/libmspack-0.5alpha/mspack/lzxd.c
index 2281e7b9d..45105a583 100644
--- a/libclamav/libmspack-0.5alpha/mspack/lzxd.c
+++ b/libclamav/libmspack-0.5alpha/mspack/lzxd.c
@@ -766,8 +766,13 @@ int lzxd_decompress(struct lzxd_stream *lzx, off_t out_bytes) {
case LZX_BLOCKTYPE_UNCOMPRESSED:
/* as this_run is limited not to wrap a frame, this also means it
* won't wrap the window (as the window is a multiple of 32k) */
+ if (window_posn + this_run > lzx->window_size) {
+ D(("match ran over window boundary"))
+ return lzx->error = MSPACK_ERR_DECRUNCH;
+ }
rundest = &window[window_posn];
window_posn += this_run;
+
while (this_run > 0) {
if ((i = i_end - i_ptr) == 0) {
READ_IF_NEEDED;
@@ -888,8 +893,10 @@ void lzxd_free(struct lzxd_stream *lzx) {
struct mspack_system *sys;
if (lzx) {
sys = lzx->sys;
- sys->free(lzx->inbuf);
- sys->free(lzx->window);
+ if(lzx->inbuf)
+ sys->free(lzx->inbuf);
+ if(lzx->window)
+ sys->free(lzx->window);
sys->free(lzx);
}
}
diff --git a/libclamav/libmspack.c b/libclamav/libmspack.c
index d9b05ec25..22bc1a11e 100644
--- a/libclamav/libmspack.c
+++ b/libclamav/libmspack.c
@@ -264,7 +264,11 @@ static void *mspack_fmap_alloc(struct mspack_system *self, size_t num)
static void mspack_fmap_free(void *mem)
{
- free(mem);
+ if(mem) {
+ free(mem);
+ mem = NULL;
+ }
+ return;
}
static void mspack_fmap_copy(void *src, void *dst, size_t num)

View File

@ -70,7 +70,7 @@ Requires(postun): /bin/systemctl\
Summary: End-user tools for the Clam Antivirus scanner Summary: End-user tools for the Clam Antivirus scanner
Name: clamav Name: clamav
Version: 0.99.2 Version: 0.99.2
Release: 16%{?dist} Release: 17%{?dist}
License: %{?with_unrar:proprietary}%{!?with_unrar:GPLv2} License: %{?with_unrar:proprietary}%{!?with_unrar:GPLv2}
Group: Applications/File Group: Applications/File
URL: http://www.clamav.net URL: http://www.clamav.net
@ -127,6 +127,11 @@ Patch30: llvm-glibc.patch
Patch31: clamav-0.99.1-setsebool.patch Patch31: clamav-0.99.1-setsebool.patch
Patch32: fa15aa98c7d5e1d8fc22e818ebd089f2e53ebe1d.diff Patch32: fa15aa98c7d5e1d8fc22e818ebd089f2e53ebe1d.diff
Patch33: clamav-0.99.2-temp-cleanup.patch Patch33: clamav-0.99.2-temp-cleanup.patch
Patch34: dfc00cd3301a42b571454b51a6102eecf58407bc.patch
Patch35: a83773682e856ad6529ba6db8d1792e6d515d7f1.patch
Patch36: 586a5180287262070637c8943f2f7efd652e4a2c.patch
BuildRequires: autoconf automake gettext-devel libtool libtool-ltdl-devel BuildRequires: autoconf automake gettext-devel libtool libtool-ltdl-devel
BuildRequires: zlib-devel bzip2-devel gmp-devel curl-devel BuildRequires: zlib-devel bzip2-devel gmp-devel curl-devel
@ -457,6 +462,9 @@ The systemd initscripts for clamav-scanner.
%apply -n31 -p1 -b .setsebool %apply -n31 -p1 -b .setsebool
%apply -n32 -p1 -b .openssl_1.1.0 %apply -n32 -p1 -b .openssl_1.1.0
%apply -n33 -p1 -b .temp-cleanup %apply -n33 -p1 -b .temp-cleanup
%apply -n34 -p1 -b .CVE-2017-6420
%apply -n35 -p1 -b .CVE-2017-6419
%apply -n36 -p1 -b .CVE-2017-6418
%{?apply_end} %{?apply_end}
install -p -m0644 %SOURCE300 clamav-milter/ install -p -m0644 %SOURCE300 clamav-milter/
@ -934,6 +942,10 @@ test "$1" != "0" || /sbin/initctl -q stop clamav-milter || :
%changelog %changelog
* Thu Jan 11 2018 Sérgio Basto <sergio@serjux.com> - 0.99.2-17
- Security fixes CVE-2017-6420 (#1483910), CVE-2017-6419 (#1483909),
CVE-2017-6418 (#1483908)
* Tue Jan 09 2018 Sérgio Basto <sergio@serjux.com> - 0.99.2-16 * Tue Jan 09 2018 Sérgio Basto <sergio@serjux.com> - 0.99.2-16
- Make sure that Obsoletes sysv and upstart for Epel upgrade and update - Make sure that Obsoletes sysv and upstart for Epel upgrade and update

View File

@ -0,0 +1,27 @@
From dfc00cd3301a42b571454b51a6102eecf58407bc Mon Sep 17 00:00:00 2001
From: Steven Morgan <stevmorg@cisco.com>
Date: Fri, 3 Mar 2017 13:56:28 -0500
Subject: [PATCH] bb19798 - fix out of bound memory access for crafted wwunpack
file.
---
libclamav/wwunpack.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libclamav/wwunpack.c b/libclamav/wwunpack.c
index 8611cb604..38c18081c 100644
--- a/libclamav/wwunpack.c
+++ b/libclamav/wwunpack.c
@@ -226,6 +226,12 @@ int wwunpack(uint8_t *exe, uint32_t exesz, uint8_t *wwsect, struct cli_exe_secti
return CL_EFORMAT;
exe[pe+6]=(uint8_t)scount;
exe[pe+7]=(uint8_t)(scount>>8);
+ if (!CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295, 4) ||
+ !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva, 4) ||
+ !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva+0x299, 4)) {
+ cli_dbgmsg("WWPack: unpack memory address out of bounds.\n");
+ return CL_EFORMAT;
+ }
cli_writeint32(&exe[pe+0x28], cli_readint32(wwsect+0x295)+sects[scount].rva+0x299);
cli_writeint32(&exe[pe+0x50], cli_readint32(&exe[pe+0x50])-sects[scount].vsz);