On 2017-08-12 00:42:06 [+0100], Stuart Caie wrote:
> On 11/08/17 19:07, Sebastian Andrzej Siewior wrote:
> > > [0] https://security-tracker.debian.org/tracker/CVE-2017-6419
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6419
> > > [1] 
> > > https://github.com/vrtadmin/clamav-devel/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1
> > Stuart, is this enough information or do you need more?
> I'm interested in how the fix is to add a check to see if
> window_posn+this_run wraps the window, immediately below a comment that
> expressly states that won't happen, with the reasoning: this_run has already
> been clamped to ensure it does not wrap a frame, and frames don't wrap
> windows.
> 
> If this is incorrect reasoning, what part of the reasoning is wrong? Is
> this_run somehow not being clamped to <=FRAME_SIZE through some code path?
> If so, the fix is to clamp it. Is window size not a multiple of frame size?
> If so, something is very wrong.

The CVE links to the following page:
  https://github.com/varsleak/varsleak-vul/blob/master/clamav-vul/heap-overflow/clamav_chm_crash.md
and that folder also contains
  https://github.com/varsleak/varsleak-vul/raw/master/clamav-vul/heap-overflow/clamav.crash.chm

and clamav segfaults on that one. Could you please check?

> I'd be interested in seeing an example file that gets to this condition.
> 
> Also, if ClamAV made a change five months ago, and they're confident it's a
> bug in libmspack.... why am I only finding out today?

Yeah. The problem is probably that the reporter did not forward the report to
the upstream project (you) but only to ClamAV. And ClamAV itself isn't very
good at handling such things. I noticed this by chance while checking Debian's
bug report on the other CVE and I assumed it would be best to let you know :)

> Regards
> Stuart

Sebastian
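The invariant Stuart spells out above (this_run is clamped so it never crosses a frame boundary, and the window size is a multiple of the frame size, so window_posn + this_run can never run past the window) can be checked mechanically. The following is an added model of that bookkeeping, not code from libmspack, ClamAV or this thread: LZX_FRAME_SIZE uses the real 32768-byte LZX frame size, but the struct layout, the function names and the run-length inputs are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of an LZX-style output window. This is an added
 * illustration, not libmspack or ClamAV code: the frame size matches LZX's
 * 32768-byte frames, but the struct and function names are assumptions
 * made for this example. */
#define LZX_FRAME_SIZE 32768u

struct model_window {
    uint32_t window_size;  /* bytes in the sliding window */
    uint32_t window_posn;  /* next write position, always < window_size */
    uint32_t frame_posn;   /* bytes already produced in the current frame */
};

/* "this_run has already been clamped to ensure it does not wrap a frame":
 * shorten the run so it stops at the current frame boundary. */
static uint32_t clamp_to_frame(const struct model_window *w, uint32_t this_run)
{
    uint32_t left_in_frame = LZX_FRAME_SIZE - w->frame_posn;
    return this_run > left_in_frame ? left_in_frame : this_run;
}

/* A check of the shape discussed above: would writing this_run bytes at
 * window_posn run past the end of the window? Returns 1 if it would wrap.
 * Filling the window exactly to its end (== window_size) is not a wrap. */
static int run_wraps_window(const struct model_window *w, uint32_t this_run)
{
    return (uint64_t)w->window_posn + this_run > w->window_size;
}

/* Account for this_run bytes written: the write position wraps at the
 * window end and the frame counter wraps at the frame end. */
static void advance(struct model_window *w, uint32_t this_run)
{
    w->window_posn = (uint32_t)(((uint64_t)w->window_posn + this_run) % w->window_size);
    w->frame_posn  = (uint32_t)(((uint64_t)w->frame_posn  + this_run) % LZX_FRAME_SIZE);
}

/* Feed a constructed, cyclic list of run lengths through the model and
 * count how often the wrap check fires. With clamp != 0 each run is clamped
 * to the frame first, as the decoder is said to do already. */
int count_wraps(uint32_t window_size, const uint32_t *runs, int nruns,
                int clamp, int iterations)
{
    struct model_window w = { window_size, 0, 0 };
    int wraps = 0;
    for (int i = 0; i < iterations; i++) {
        uint32_t this_run = runs[i % nruns];
        if (clamp)
            this_run = clamp_to_frame(&w, this_run);
        if (run_wraps_window(&w, this_run))
            wraps++;
        advance(&w, this_run);
    }
    return wraps;
}

int main(void)
{
    /* Constructed run lengths; some exceed a frame, none is zero. */
    static const uint32_t runs[] = { 20000u, 7000u, 40000u, 1u, 32768u, 12345u };
    int n = (int)(sizeof runs / sizeof runs[0]);

    /* 64 KiB window (a multiple of the frame size) with clamping: the
     * check never fires, which is exactly the reasoning in the comment. */
    printf("64K window, clamped:        %d wraps\n", count_wraps(65536u, runs, n, 1, 1000));
    /* Same window, runs not clamped: a run can cross the window end. */
    printf("64K window, unclamped:      %d wraps\n", count_wraps(65536u, runs, n, 0, 1000));
    /* Window size that is not a multiple of the frame size: clamping to
     * the frame no longer protects the window end. */
    printf("40000-byte window, clamped: %d wraps\n", count_wraps(40000u, runs, n, 1, 1000));
    return 0;
}
```

The three runs in main correspond to the three possibilities Stuart lists: with both invariants intact the added check is dead code; if some path fails to clamp this_run to the frame, the check fires and the right fix is to clamp; and if the window size is not a multiple of the frame size, clamping alone cannot keep window_posn + this_run inside the window, which is the "something is very wrong" case. Which of these the crash file actually triggers is not something the model can tell; that needs the file run against the real decoder.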
