Your message dated Thu, 03 Nov 2005 17:32:07 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#333566: fixed in clamav 0.87.1-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 12 Oct 2005 17:43:32 +0000
>From [EMAIL PROTECTED] Wed Oct 12 10:43:32 2005
Return-path: <[EMAIL PROTECTED]>
Received: from starnet.skynet.com.pl (skynet.skynet.com.pl) [213.25.173.230] 
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1EPkdY-0007Xt-00; Wed, 12 Oct 2005 10:43:32 -0700
Received: from unregister250204219081.c204.msk.pl ([81.219.204.250] 
helo=localhost)
        by skynet.skynet.com.pl with asmtp (Exim 3.35 #1 (Debian))
        id 1EPkdQ-0008Sj-00; Wed, 12 Oct 2005 19:43:24 +0200
Received: from porridge by localhost with local (Exim 4.53)
        id 1EPkdP-0000PG-7j; Wed, 12 Oct 2005 19:43:23 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Marcin Owsiany <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: OLE2 unpacker stack overflow
X-Mailer: reportbug 3.17
Date: Wed, 12 Oct 2005 19:43:23 +0200
Message-Id: <[EMAIL PROTECTED]>
X-Scanner: exiscan *1EPkdQ-0008Sj-00*lCRuFrobj4.*
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-5.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
        RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SBLXBL,RCVD_IN_SBLXBL_CBL autolearn=no 
        version=2.60-bugs.debian.org_2005_01_02

Package: clamav
Version: 0.87-1
Severity: important
Tags: security

I recently stumbled upon a (probably corrupted) DOC file, which caused
clamd (running with ArchiveMaxFiles 10000) to segfault, causing a DoS. After
specifying --max-files=100000 to clamscan, I could also get clamscan to
segfault.

Here is a backtrace I obtained:

#0  0xb7d993a7 in vfprintf () from /lib/tls/libc.so.6
#1  0xb7dbb4e1 in vsnprintf () from /lib/tls/libc.so.6
#2  0xb7e9e7ae in cli_dbgmsg (str=0xb7ee2090 "%34s ") at others.c:122
#3  0xb7ebb8f4 in print_property_name (pname=0xbf0238b0 "\001", size=18) at ole2_extract.c:186
#4  0xb7ebb961 in print_ole2_property (property=0xbf0238b0) at ole2_extract.c:197
#5  0xb7ebc87c in ole2_walk_property_tree (fd=3, hdr=0xbf8222fc, dir=0x87aa028 "/tmp/clamav-ad8ca4a99a5aca3d", prop_index=5, handler=0xb7ebcc14 <handler_writefile>, rec_level=1, file_count=0xbf8222a0, limits=0x87a1e58) at ole2_extract.c:509
#6  0xb7ebca1b in ole2_walk_property_tree (fd=3, hdr=0xbf8222fc, dir=0x87aa028 "/tmp/clamav-ad8ca4a99a5aca3d", prop_index=2, handler=0xb7ebcc14 <handler_writefile>, rec_level=1, file_count=0xbf8222a0, limits=0x87a1e58) at ole2_extract.c:536
#7  0xb7ebca4b in ole2_walk_property_tree (fd=3, hdr=0xbf8222fc, dir=0x87aa028 "/tmp/clamav-ad8ca4a99a5aca3d", prop_index=5, handler=0xb7ebcc14 <handler_writefile>, rec_level=1, file_count=0xbf8222a0, limits=0x87a1e58) at ole2_extract.c:538
#8  0xb7ebca1b in ole2_walk_property_tree (fd=3, hdr=0xbf8222fc, dir=0x87aa028 "/tmp/clamav-ad8ca4a99a5aca3d", prop_index=2, handler=0xb7ebcc14 <handler_writefile>, rec_level=1, file_count=0xbf8222a0, limits=0x87a1e58) at ole2_extract.c:536
#9  0xb7ebca4b in ole2_walk_property_tree (fd=3, hdr=0xbf8222fc, dir=0x87aa028 "/tmp/clamav-ad8ca4a99a5aca3d", prop_index=5, handler=0xb7ebcc14 <handler_writefile>, rec_level=1, file_count=0xbf8222a0, limits=0x87a1e58) at ole2_extract.c:538
#10 0xb7ebca1b in ole2_walk_property_tree (fd=3, hdr=0xbf8222fc, dir=0x87aa028 "/tmp/clamav-ad8ca4a99a5aca3d", prop_index=2, handler=0xb7ebcc14 <handler_writefile>, rec_level=1, file_count=0xbf8222a0, limits=0x87a1e58) at ole2_extract.c:536
[...]
#13791 0xb7ebca1b in ole2_walk_property_tree (fd=3, hdr=0xbf8222fc, dir=0x87aa028 "/tmp/clamav-ad8ca4a99a5aca3d", prop_index=3, handler=0xb7ebcc14 <handler_writefile>, rec_level=1, file_count=0xbf8222a0, limits=0x87a1e58) at ole2_extract.c:536
#13792 0xb7ebc9a1 in ole2_walk_property_tree (fd=3, hdr=0xbf8222fc, dir=0x87aa028 "/tmp/clamav-ad8ca4a99a5aca3d", prop_index=0, handler=0xb7ebcc14 <handler_writefile>, rec_level=0, file_count=0xbf8222a0, limits=0x87a1e58) at ole2_extract.c:523
#13793 0xb7ebd68c in cli_ole2_extract (fd=3, dirname=0x87aa028 "/tmp/clamav-ad8ca4a99a5aca3d", limits=0x87a1e58) at ole2_extract.c:826
#13794 0xb7ea7419 in cli_scanole2 (desc=3, virname=0xbf8226bc, scanned=0x80536fc, root=0x8054720, limits=0x87a1e58, options=107, arec=1, mrec=0) at scanners.c:1142
#13795 0xb7ea802a in cli_magic_scandesc (desc=3, virname=0xbf8226bc, scanned=0x80536fc, root=0x8054720, limits=0x87a1e58, options=107, arec=1, mrec=0) at scanners.c:1454
#13796 0xb7ea8421 in cl_scandesc (desc=3, virname=0xbf8226bc, scanned=0x80536fc, root=0x8054720, limits=0x87a1e58, options=107) at scanners.c:1563
#13797 0x0804e6b4 in checkfile (filename=0x87aa018 "KOCH.DOC", root=0x8054720, limits=0x87a1e58, options=107, printclean=1) at manager.c:764
#13798 0x0804d77b in scanfile (filename=0x87aa018 "KOCH.DOC", root=0x8054720, user=0x0, opt=0x8054008, limits=0x87a1e58, options=107) at manager.c:436
#13799 0x0804cf5d in scanmanager (opt=0x8054008) at manager.c:263
#13800 0x0804b40b in clamscan (opt=0x8054008) at clamscan.c:159
#13801 0x0804bcf6 in main (argc=4, argv=0xbf822dd4) at options.c:177

I ran it under gdb, and apparently the problem is that the doc file's property
tree is not actually a tree:

Index  Property            Prev Next Child
------------------------------------------
0      RootEntry           -1   -1     3
3      SummaryInformation   2    4    -1
2      WordDocument         5   -1    -1
5      CompObj              0    2     1083217721

This makes ole2_walk_property_tree bounce between properties 2, 5 and 0, until
either the MaxFiles limit is reached or (apparently) the stack is overflowed.

I do not yet have the authorization to forward the doc file in question to you,
but I guess any file with such a property graph will do.

This segfault occurred after 13k+ calls, but the clamd on which I discovered the
problem segfaulted with only about 3500+ calls (I have a strace, but it
contains data I am not authorized to forward). I think the difference can be
explained by the different system (sid vs sarge), kernel version and program
(clamd vs clamscan).

I guess the problem can be solved in several ways:
 - changing ole2_walk_property_tree to an iterative implementation
 - keeping a cache of already visited nodes and short-circuiting on second visit

Either way, a warning should be put in the documentation on any recursive
unpacking algorithm in clamav, so one can choose a saner maxfiles limit.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=pl_PL, LC_CTYPE=pl_PL (charmap=ISO-8859-2)

Versions of packages clamav depends on:
ii  clamav-freshclam [clamav-data 0.87-1     downloads clamav virus databases f
ii  libc6                         2.3.5-6    GNU C Library: Shared libraries an
ii  libclamav1                    0.87-1     virus scanner library
ii  zlib1g                        1:1.2.3-4  compression library - runtime

Versions of packages clamav recommends:
pn  arj                           <none>     (no description available)
pn  unzoo                         <none>     (no description available)

-- no debconf information
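An added example in C (not ClamAV's code) of the second fix the report proposes: a visited set, plus an index bound and a depth ceiling, applied to a property table built from the report's Index/Prev/Next/Child values. The prop_t struct, MAX_DEPTH, the filler entries and the function names are assumptions made for the example.

```c
#include <stdint.h>

#define MAX_DEPTH 64   /* recursion ceiling; a chosen value, not ClamAV's */

typedef struct {
    const char *name;
    int32_t prev, next, child;   /* -1 means "none", as in an OLE2 directory */
} prop_t;

/* Constructed table reproducing the report's cycle 0 -> 3 -> 2 -> 5 -> 0;
 * entries 1 and 4 are filler so the indices match the report. */
static const prop_t cyclic_props[6] = {
    { "RootEntry", -1, -1, 3 }, { "(filler)", -1, -1, -1 },
    { "WordDocument", 5, -1, -1 }, { "SummaryInformation", 2, 4, -1 },
    { "(filler)", -1, -1, -1 }, { "CompObj", 0, 2, 1083217721 },
};

/* Constructed well-formed table: root -> child 1, 1 -> next 2. */
static const prop_t good_props[3] = {
    { "RootEntry", -1, -1, 1 }, { "A", -1, 2, -1 }, { "B", -1, -1, -1 },
};

/* Depth-first walk over prev/next/child with a visited bitmap. Returns the
 * number of distinct entries reached, or -1 if the "tree" is malformed: an
 * index outside the table, an entry reached twice (a cycle), or nesting
 * deeper than MAX_DEPTH. */
static int walk(const prop_t *tab, int n, int32_t idx, int depth,
                uint8_t *seen, int *visited)
{
    if (idx < 0) return *visited;                  /* no prev/next/child */
    if (idx >= n || depth > MAX_DEPTH) return -1;  /* bogus index / too deep */
    if (seen[idx]) return -1;                      /* second visit: not a tree */
    seen[idx] = 1;
    (*visited)++;
    if (walk(tab, n, tab[idx].prev, depth + 1, seen, visited) < 0) return -1;
    if (walk(tab, n, tab[idx].next, depth + 1, seen, visited) < 0) return -1;
    return walk(tab, n, tab[idx].child, depth + 1, seen, visited);
}

int walk_property_table(const prop_t *tab, int n, int32_t root)
{
    uint8_t seen[256] = {0};   /* table size is capped so the bitmap suffices */
    int visited = 0;
    if (n <= 0 || n > 256) return -1;
    return walk(tab, n, root, 0, seen, &visited);
}

int check_report_table(void) { return walk_property_table(cyclic_props, 6, 0); }
int check_good_table(void)   { return walk_property_table(good_props, 3, 0); }
```

On the report's table the walk stops at the fourth entry, when CompObj's prev points back at the already-seen RootEntry, instead of recursing until the stack is exhausted.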

---------------------------------------
Received: (at 333566-close) by bugs.debian.org; 4 Nov 2005 01:36:52 +0000
>From [EMAIL PROTECTED] Thu Nov 03 17:36:52 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
        id 1EXqR5-0006ay-00; Thu, 03 Nov 2005 17:32:07 -0800
From: Stephen Gran <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#333566: fixed in clamav 0.87.1-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Thu, 03 Nov 2005 17:32:07 -0800
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 4

Source: clamav
Source-Version: 0.87.1-1

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive:

clamav-base_0.87.1-1_all.deb
  to pool/main/c/clamav/clamav-base_0.87.1-1_all.deb
clamav-daemon_0.87.1-1_i386.deb
  to pool/main/c/clamav/clamav-daemon_0.87.1-1_i386.deb
clamav-docs_0.87.1-1_all.deb
  to pool/main/c/clamav/clamav-docs_0.87.1-1_all.deb
clamav-freshclam_0.87.1-1_i386.deb
  to pool/main/c/clamav/clamav-freshclam_0.87.1-1_i386.deb
clamav-milter_0.87.1-1_i386.deb
  to pool/main/c/clamav/clamav-milter_0.87.1-1_i386.deb
clamav-testfiles_0.87.1-1_all.deb
  to pool/main/c/clamav/clamav-testfiles_0.87.1-1_all.deb
clamav_0.87.1-1.diff.gz
  to pool/main/c/clamav/clamav_0.87.1-1.diff.gz
clamav_0.87.1-1.dsc
  to pool/main/c/clamav/clamav_0.87.1-1.dsc
clamav_0.87.1-1_i386.deb
  to pool/main/c/clamav/clamav_0.87.1-1_i386.deb
clamav_0.87.1.orig.tar.gz
  to pool/main/c/clamav/clamav_0.87.1.orig.tar.gz
libclamav-dev_0.87.1-1_i386.deb
  to pool/main/c/clamav/libclamav-dev_0.87.1-1_i386.deb
libclamav1_0.87.1-1_i386.deb
  to pool/main/c/clamav/libclamav1_0.87.1-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Gran <[EMAIL PROTECTED]> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu,  3 Nov 2005 23:21:30 +0000
Source: clamav
Binary: clamav libclamav-dev clamav-milter clamav-base clamav-freshclam clamav-testfiles clamav-daemon libclamav1 clamav-docs
Architecture: source all i386
Version: 0.87.1-1
Distribution: unstable
Urgency: low
Maintainer: Stephen Gran <[EMAIL PROTECTED]>
Changed-By: Stephen Gran <[EMAIL PROTECTED]>
Description: 
 clamav     - antivirus scanner for Unix
 clamav-base - base package for clamav, an anti-virus utility for Unix
 clamav-daemon - antivirus scanner daemon
 clamav-docs - documentation package for clamav, an anti-virus utility for Unix
 clamav-freshclam - downloads clamav virus databases from the Internet
 clamav-milter - antivirus scanner for sendmail
 clamav-testfiles - use these files to test that your Antivirus program works
 libclamav-dev - clam Antivirus library development files
 libclamav1 - virus scanner library
Closes: 322396 330240 333400 333566
Changes: 
 clamav (0.87.1-1) unstable; urgency=low
 .
   * New upstream release
     - Upstream fix for possible infinite loop
       [libclamav/tnef.c: IDEF1169]
     - Upstream fix for possible infinite loop
       [libclamav/mspack/cabd.c: IDEF1180]
     - Upstream fix for buffer size calculation
       [libclamav/fsg.c: ZDI-CAN-004]
     - Upstream fix for possible infinite loop
       [libclamav/others.c,h, libclamav/ole2_extract.c: CAN-2005-3239]
       (closes: #333566)
     - Upstream fix for boundary checks
       [libclamav/petite.c]
     - Upstream fix to scan attachments that have no file names
       [libclamav/mbox.c]
   * Some more lsb changes to init scripts
   * New Translations:
     - it (Thanks Cristian Rigamonti <[EMAIL PROTECTED]>)(closes: #330240)
     - sv (Thanks Daniel Nylander <[EMAIL PROTECTED]>)(closes: #333400)
   * Move to dpatch for patch management, and add build-dependencies (dpatch
     and cpp)
   * Apply patch for bus error on sparc in zzip routines (closes: #322396)
Files: 
 38cde2f3590f4512a314de2b3ac75f2e 875 utils optional clamav_0.87.1-1.dsc
 bf9f038edf0b6d5f76552e1b8d014b81 4468992 utils optional clamav_0.87.1.orig.tar.gz
 1db07c66d0d83a4c47e8715c2e7cf2b2 467697 utils optional clamav_0.87.1-1.diff.gz
 264744d2f0e1ff5e70f72c9e11c68064 168582 utils optional clamav-base_0.87.1-1_all.deb
 303256fba60b651617b168aa90b88b00 127758 utils optional clamav-testfiles_0.87.1-1_all.deb
 dcf9b25c4d279133b0a7a5276b49b36e 795146 utils optional clamav-docs_0.87.1-1_all.deb
 ccad02c67f00bf678c6c1ae360a3259a 258530 libs optional libclamav1_0.87.1-1_i386.deb
 77bfd295cb6b7f7db642ce369ac3439e 65456 utils optional clamav_0.87.1-1_i386.deb
 2859c7c5aafecddb18ea84abd4466741 38450 utils optional clamav-daemon_0.87.1-1_i386.deb
 acec551989ab1f0025979dca3e3c851e 2771638 utils optional clamav-freshclam_0.87.1-1_i386.deb
 fed04b33e8f41dbf63e48e2c3cc6a447 37854 utils extra clamav-milter_0.87.1-1_i386.deb
 f1ea9b5693aefdc77d69ad5eb59edde4 159284 libdevel optional libclamav-dev_0.87.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDarEgSYIMHOpZA44RAnd3AJ990y6B9d1yiTByFX8y+jYxTonHIACggHvm
xBA7Kt3txmSu8FPWb4PqDG0=
=5GjH
-----END PGP SIGNATURE-----

