Hi Moritz,
* Moritz Muehlenhoff <[EMAIL PROTECTED]> [2008-04-18 16:09]:
> Nico Golde wrote:
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for clamav.
> >
> > CVE-2008-1833[0]:
> > | Heap-based buffer overflow in libclamav in ClamAV 0.92.1 allows remote
> > | attackers to execute arbitrary code via a crafted WWPack compressed PE
> > | binary.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE id in your changelog entry.
> >
> > For further information see:
> >
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1833
> >     http://security-tracker.debian.net/tracker/CVE-2008-1833
>
> Already fixed in etch and unstable (it's the issue referenced as not
> yet having a CVE ID in the DSA).

Are you sure? Looking at the source code from the unstable
version I still see the affected lines of code:

    if((DCONF & PE_CONF_WWPACK) && nsections > 1 &&
       exe_sections[nsections-1].raw>0x2b1 &&
       vep == exe_sections[nsections - 1].rva &&
       exe_sections[nsections - 1].rva + exe_sections[nsections - 1].rsz == max &&
       memcmp(epbuff, "\x53\x55\x8b\xe8\x33\xdb\xeb", 7) == 0 &&
       memcmp(epbuff+0x68, "\xe8\x00\x00\x00\x00\x58\x2d\x6d\x00\x00\x00\x50\x60\x33\xc9\x50\x58\x50\x50", 19) == 0) {
        uint32_t headsize=exe_sections[nsections - 1].raw;
        char *dest, *wwp;

        for(i = 0 ; i < (unsigned int)nsections-1; i++)
            if (exe_sections[i].raw<headsize) headsize=exe_sections[i].raw;

        dsize = max-min+headsize-exe_sections[nsections - 1].rsz;

        CLI_UNPSIZELIMITS("WWPack", dsize);

        if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {

How was this fixed?
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

