Version in base suite: 0.90.1dfsg-4etch16 Version in overlay suite: (not present) Base version: clamav_0.90.1dfsg-4etch16 Target version: clamav_0.90.1dfsg-4etch19 Base file: /org/ftp.debian.org/ftp/pool/main/c/clamav/clamav_0.90.1dfsg-4etch16.dsc Target file: /org/ftp.debian.org/queue/o-p-u-new/clamav_0.90.1dfsg-4etch19.dsc clamav-0.90.1dfsg/debian/changelog | 15 +++++ clamav-0.90.1dfsg/debian/patches/00list | 3 + clamav-0.90.1dfsg/debian/patches/46.fd-leak.CVE-2008-3914.dpatch | 10 ++- debian/patches/50.pe.c.CVE-2008-6680.dpatch | 20 +++++++ debian/patches/51.untar.c.CVE-2009-1270.dpatch | 22 +++++++ debian/patches/52.others.h.CVE-XXXX-XXXX.dpatch | 28 ++++++++++ 6 files changed, 95 insertions(+), 3 deletions(-) diff -u clamav-0.90.1dfsg/debian/patches/46.fd-leak.CVE-2008-3914.dpatch clamav-0.90.1dfsg/debian/patches/46.fd-leak.CVE-2008-3914.dpatch --- clamav-0.90.1dfsg/debian/patches/46.fd-leak.CVE-2008-3914.dpatch +++ clamav-0.90.1dfsg/debian/patches/46.fd-leak.CVE-2008-3914.dpatch @@ -52,18 +52,22 @@ fclose(stream_in); return FALSE; diff --git a/libclamav/others.c b/libclamav/others.c -index 1ee20de..e9d9a86 100644 +index 1ee20de..9a08b7c 100644 --- a/libclamav/others.c +++ b/libclamav/others.c -@@ -812,6 +812,8 @@ int cli_filecopy(const char *src, const char *dest) +@@ -811,8 +811,11 @@ int cli_filecopy(const char *src, const char *dest) + return -1; } - if(!(buffer = cli_malloc(FILEBUFF))) +- if(!(buffer = cli_malloc(FILEBUFF))) ++ if(!(buffer = cli_malloc(FILEBUFF))) { + close(s); + close(d); return -1; ++ } while((bytes = cli_readn(s, buffer, FILEBUFF)) > 0) + cli_writen(d, buffer, bytes); diff --git a/libclamav/sis.c b/libclamav/sis.c index 2849265..8fd7192 100644 --- a/libclamav/sis.c diff -u clamav-0.90.1dfsg/debian/patches/00list clamav-0.90.1dfsg/debian/patches/00list --- clamav-0.90.1dfsg/debian/patches/00list +++ clamav-0.90.1dfsg/debian/patches/00list 
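Review bot: In the cli_filecopy hunk of 46.fd-leak.CVE-2008-3914.dpatch, the copy loop shown right after the new cleanup still discards the result of `cli_writen(d, buffer, bytes)` and treats a negative `cli_readn` return like end of file. A failed or short copy could therefore be reported as success, leaving the scanner to work on a truncated copy. Consider comparing the write result against `bytes` inside the loop and taking the same free/close/`return -1` path on mismatch. The return types are not visible here and the function continues outside the hunk, so confirm the remaining exit paths also release `buffer`, `s` and `d`.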
@@ -27,0 +28,3 @@ +50.pe.c.CVE-2008-6680.dpatch +51.untar.c.CVE-2009-1270.dpatch +52.others.h.CVE-XXXX-XXXX.dpatch diff -u clamav-0.90.1dfsg/debian/changelog clamav-0.90.1dfsg/debian/changelog --- clamav-0.90.1dfsg/debian/changelog +++ clamav-0.90.1dfsg/debian/changelog @@ -1,3 +1,18 @@ +clamav (0.90.1dfsg-4etch19) oldstable-security; urgency=low + + * [CVE-2008-6680] Fixed division by zero with --detect-broken. + * [CVE-2009-1270] clamd and clamscan get hung up. + * Backported hardening of CLI_ISCONTAINED macros (fixes UPack crash with + malformed file, #1552) + + -- Stephen Gran Tue, 14 Apr 2009 16:52:54 +0200 + +clamav (0.90.1dfsg-4etch17) stable-security; urgency=low + + * Corrected error in previous patch for CVE-2008-3914 (thanks Leonel Nunez) + + -- Stephen Gran Wed, 03 Dec 2008 13:26:21 -0800 + clamav (0.90.1dfsg-4etch16) stable-security; urgency=high * [CVE-2008-5050]: libclamav/vba_extract.c: possible buffer overflow only in patch2: unchanged: --- clamav-0.90.1dfsg.orig/debian/patches/51.untar.c.CVE-2009-1270.dpatch +++ clamav-0.90.1dfsg/debian/patches/51.untar.c.CVE-2009-1270.dpatch 
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 51.untar.c.CVE-2009-1270.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: clamd and clamscan hang up fix
+
+@DPATCH@
+diff --git a/libclamav/untar.c b/libclamav/untar.c
+index 6d0257c..a4225b8 100644
+--- a/libclamav/untar.c
++++ b/libclamav/untar.c
+@@ -182,6 +182,10 @@ cli_untar(const char *dir, int desc, unsigned int posix, const struct cl_limits
+ if(skipEntry) {
+ const int nskip = (size % BLOCKSIZE || !size) ? size + BLOCKSIZE - (size % BLOCKSIZE) : size;
+
++ if(nskip < 0) {
++ cli_dbgmsg("cli_untar: got nagative skip size, giving up\n");
++ return CL_CLEAN;
++ }
+ cli_dbgmsg("cli_untar: skipping entry\n");
+ lseek(desc, nskip, SEEK_CUR);
+ continue;
only in patch2: unchanged:
--- clamav-0.90.1dfsg.orig/debian/patches/52.others.h.CVE-XXXX-XXXX.dpatch
+++ clamav-0.90.1dfsg/debian/patches/52.others.h.CVE-XXXX-XXXX.dpatch
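Review bot: In the cli_untar hunk of 51.untar.c.CVE-2009-1270.dpatch, the new `if(nskip < 0)` test runs only after `size + BLOCKSIZE - (size % BLOCKSIZE)` has been evaluated. If `size` is a signed int (its declaration is outside the hunk), a large value from the archive header overflows in that expression, which is undefined behaviour, so the compiler need not preserve the negative result the check relies on. Validating the input first is more robust, e.g. `if(size < 0 || size > INT_MAX - BLOCKSIZE) { ... }` ahead of the `nskip` computation. Two smaller points: returning `CL_CLEAN` makes a malformed archive indistinguishable from a clean one, so a format/error status may be preferable if the callers tolerate it, and the result of `lseek(desc, nskip, SEEK_CUR)` is still unchecked. The debug string also has a typo ("nagative").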
@@ -0,0 +1,28 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 52.others.h.CVE-XXXX-XXXX.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: UPack crash with malformed file
+
+@DPATCH@
+diff --git a/libclamav/others.h b/libclamav/others.h
+index a01a414..7e636a7 100644
+--- a/libclamav/others.h
++++ b/libclamav/others.h
+@@ -41,12 +41,12 @@ extern uint8_t cli_debug_flag;
+ * The macro can be used to protect against wraps.
+ */
+ #define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \
+- (bb_size > 0 && sb_size > 0 && sb_size <= bb_size \
+- && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb)
++ ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
++ && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size)))
+
+ #define CLI_ISCONTAINED2(bb, bb_size, sb, sb_size) \
+- (bb_size > 0 && sb_size >= 0 && sb_size <= bb_size \
+- && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size >= bb)
++ ((bb_size) > 0 && (sb_size) >= 0 && (size_t)(sb_size) <= (size_t)(bb_size) \
++ && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) >= (bb) && (sb) < ((bb) + (bb_size)))
+
+ #define CLI_MAX_ALLOCATION 184549376
+
only in patch2: unchanged:
--- clamav-0.90.1dfsg.orig/debian/patches/50.pe.c.CVE-2008-6680.dpatch
+++ clamav-0.90.1dfsg/debian/patches/50.pe.c.CVE-2008-6680.dpatch
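Review bot: In the others.h hunk of 52.others.h.CVE-XXXX-XXXX.dpatch, both hardened macros still form `(sb) + (sb_size)` and `(bb) + (bb_size)` before comparing them, so the wrap protection depends on out-of-range pointer arithmetic. That is undefined behaviour, and an optimiser may fold `((sb) + (sb_size)) > (bb)` to true once `sb >= bb` and `sb_size > 0` are known. Assuming the arguments are byte pointers into the same buffer (the callers are not visible here), an offset comparison avoids forming an out-of-range pointer: after the size and `(sb) >= (bb)` tests, use `(size_t)((sb) - (bb)) <= (size_t)(bb_size) - (size_t)(sb_size)` in place of the sum comparisons. Each argument is also expanded several times, so the comment above the macros should say that arguments must be free of side effects. The `CVE-XXXX-XXXX` placeholder in the patch name and `## DP:` line could cite the bug number given in the changelog entry.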
@@ -0,0 +1,20 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 50.pe.c.CVE-2008-6680.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: division by zero fix
+
+@DPATCH@
+diff --git a/libclamav/pe.c b/libclamav/pe.c
+index b61cab2..18d5c71 100644
+--- a/libclamav/pe.c
++++ b/libclamav/pe.c
+@@ -679,7 +679,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
+
+ cli_dbgmsg("------------------------------------\n");
+
+- if (DETECT_BROKEN && EC32(section_hdr[i].VirtualAddress)%valign) { /* Bad virtual alignment */
++ if (DETECT_BROKEN && (!valign || EC32(section_hdr[i].VirtualAddress)%valign)) { /* Bad virtual alignment */
+ cli_dbgmsg("VirtualAddress is misaligned\n");
+ if(ctx->virname)
+ *ctx->virname = "Broken.Executable";
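Review bot: In the cli_scanpe hunk of 50.pe.c.CVE-2008-6680.dpatch, the `!valign` guard is added only to this one per-section condition. `valign` is file-controlled and is not modified within the visible lines, so it could be validated once where it is read from the header; that would cover every later modulus or division by it, which a per-use guard leaves to be patched one at a time. A single early test such as `if(DETECT_BROKEN && !valign) { /* report Broken.Executable */ }` would do that and make the intent explicit. The rest of cli_scanpe is outside the hunk, so check whether the file-alignment value or any other header-derived divisor there needs the same zero check. The comment `/* Bad virtual alignment */` could also mention that a zero alignment is treated as broken.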