Re: [clamav-users] FW: APPLE-SA-2011-03-21-1 Mac OS X v10.6.7 and Security Update 2011-001
On 3/29/11 11:39 AM, Tomasz Kojm tk...@clamav.net wrote:

> On Tue, 29 Mar 2011 10:06:09 -0700 Al Varnell alvarn...@mac.com wrote:
>
>> I know clamav (freshclam) needs bzip2 to decompress signature database .cvd files. The scanners undoubtedly use it to decompress .bz2 files they encounter. If any of these files are malformed to trigger the security bug, then they could potentially be a problem, but I have no idea how common such files are.
>
> bzip2 is optional, the .cvd files are compressed using zlib.

Evidently I was misinformed.

So from that I gather the only impact of having a bugged bzip2 with regard to clamav is the possibility of scanning a malformed .bz2 file that would trigger integer overflow, causing a denial of service (application crash) or possibly execute arbitrary code. And if omitted entirely from the OS clamav would be unable to scan any bzip2 compressed files.

-Al-
--
Al Varnell
Mountain View, CA

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [clamav-users] FW: APPLE-SA-2011-03-21-1 Mac OS X v10.6.7 and Security Update 2011-001
On Mar 27, 2011, at 2:31 AM, Al Varnell wrote:

> Some Mac users will recall that several months back we discussed the bzip2 bug and I filed a bug report with Apple when it wasn't included in their previous updates back in November. They acknowledged they were working on it and promised it would be out shortly. Last Monday they posted updates to both Mac OS X 10.5.8 and 10.6.6 which purport to fix the bug (forwarded below).

For older machines (10.4) what is the best way to update bzip2? Do I need to put MacPorts on every machine? Or can updated bzip2 files be manually installed? Obviously, I am going to have to go third-party.

If bzip2 is not updated, will clamd be unstable?

Thanks.

- Russ Tyndall
Wake Forest, NC
Re: [clamav-users] FW: APPLE-SA-2011-03-21-1 Mac OS X v10.6.7 and Security Update 2011-001
On Mar 29, 2011, at 1:06 PM, Al Varnell wrote:

> On 3/29/11 6:29 AM, Russ Tyndall fitz...@redshanksoftware.com wrote:
>
>> On Mar 27, 2011, at 2:31 AM, Al Varnell wrote:
>>
>>> Some Mac users will recall that several months back we discussed the bzip2 bug and I filed a bug report with Apple when it wasn't included in their previous updates back in November. They acknowledged they were working on it and promised it would be out shortly. Last Monday they posted updates to both Mac OS X 10.5.8 and 10.6.6 which purport to fix the bug (forwarded below).
>>
>> For older machines (10.4) what is the best way to update bzip2?
>
> Mac OS X 10.4 probably has bigger security issues for you than bzip2 as there have been no updates since Sep 2009.
>
>> Do I need to put MacPorts on every machine? Or can updated bzip2 files be manually installed? Obviously, I am going to have to go third-party.
>
> I can't think of any reason you couldn't just download and compile the source from http://bzip.org/ and install all the files for v1.0.6. I don't really know what the OS uses bzip2 for, other than decompressing .bz2 files that it runs across, but there could potentially be OS compatibility issues. I'm aware of several folks who have been using v1.0.6 since it came out, at least one of whom is running 10.4 and have not reported having any issues.

Al,

The problem is that the make for dynamic libraries doesn't work out of the box so even if you compile the static version clam will link with the old dynamic lib.

Tom
Re: [clamav-users] FW: APPLE-SA-2011-03-21-1 Mac OS X v10.6.7 and Security Update 2011-001
> I can't think of any reason you couldn't just download and compile the source from http://bzip.org/ and install all the files for v1.0.6.

i can't speak for MacOS, but that procedure worked for me with solaris 10 and failed for solaris 9. i waited for the vendor patches.

rp
Re: [clamav-users] FW: APPLE-SA-2011-03-21-1 Mac OS X v10.6.7 and Security Update 2011-001
On Mar 29, 2011, at 1:38 PM, TR Shaw wrote:

> The problem is that the make for dynamic libraries doesn't work out of the box so even if you compile the static version clam will link with the old dynamic lib.

Can I tell clam where to get the bzip2 stuff? I know I am not using the right terminology, but will this work?

1) Compile bzip2 1.0.6 from source on a machine with the right tools and install it in /opt/local/lib

2) Compile clamd from source on the same machine with this flag:

    export LDFLAGS="-O3 -march=i686 -L/opt/local/lib"

(Is the flag above telling clamd where to get bzip2 on the machine where clamd is running?)

3) Copy the /opt/local/lib directory containing bzip2 to each client computer

4) Install and set up the just-compiled clamd to each client computer

Since I am leaving the OS-provided [and buggy] version 1.0.5 in place, won't the OS be ok?

Thanks in advance for any guidance.

- Russ Tyndall
Wake Forest, NC
[clamav-users] FW: APPLE-SA-2011-03-21-1 Mac OS X v10.6.7 and Security Update 2011-001
Follow up.

Some Mac users will recall that several months back we discussed the bzip2 bug and I filed a bug report with Apple when it wasn't included in their previous updates back in November. They acknowledged they were working on it and promised it would be out shortly. Last Monday they posted updates to both Mac OS X 10.5.8 and 10.6.6 which purport to fix the bug (forwarded below).

After installing the update, I noticed that it was still bzip2 v1.0.5, so I wrote back to Apple, asked what was going on and received the following response:

> We fixed it by patching the specific issue, not by updating to the latest version.
>
> Best regards,
> Cedric
> Apple Product Security team

So I ran a quick configure and make check of the clamav 0.97.0 tarball and received no bzip2 related warnings or errors. So Mac users should be good to go on this one.

For those of you who chose to update to a third party bzip2 1.0.6 in the interim...I don't know what to tell you.

-Al-
--
Al Varnell
Mountain View, CA

-- Forwarded Message
From: Apple Product Security product-security-nore...@lists.apple.com
Date: Mon, 21 Mar 2011 13:30:57 -0700
To: security-annou...@lists.apple.com
Subject: APPLE-SA-2011-03-21-1 Mac OS X v10.6.7 and Security Update 2011-001

APPLE-SA-2011-03-21-1 Mac OS X v10.6.7 and Security Update 2011-001

Mac OS X v10.6.7 and Security Update 2011-001 are now available and address the following:

bzip2
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.6, Mac OS X Server v10.6 through v10.6.6
Impact: Using the command line bzip2 or bunzip2 tool to decompress a bzip2 file may result in an unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in bzip2's handling of bzip2 compressed files. Using the command line bzip2 or bunzip2 tool to decompress a bzip2 file may result in an unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2010-0405

...

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

-- End of Forwarded Message
Re: [clamav-users] FW: APPLE-SA-2011-03-21-1 Mac OS X v10.6.7 and Security Update 2011-001
On 3/27/2011 2:31 AM, Al Varnell wrote:

> For those of you who chose to update to a third party bzip2 1.0.6 in the interim...I don't know what to tell you.

They're likely to be fine. If they installed their build of libbz2 under /usr/local/lib, and set up $DYLD_LIBRARY_PATH to find it (or passed -L/usr/local/lib to ./configure, etc), then ClamAV and anything else configured that way will continue to use their v1.0.6 build.

If they chose to install to /usr/lib, well, the latest software updates from Apple will have installed 1.0.5 with the CVE-2010-0405 fix over that, but it shouldn't break anything, as I'm reasonably sure (from inspection and from testing) that there were no API changes between 1.0.5 and 1.0.6.

Regards,
--
-Chuck
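
Added example, not part of any post in this thread: the thread turns on which libbz2 a ClamAV build actually links (the OS copy in /usr/lib or a private 1.0.6 build), and on Mac OS X that is recorded in the binary and shown by `otool -L`. The function below classifies that output; the sample listings, the libclamav and clamd file names, and the version numbers in them are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `otool -L` output on stdin and reports the libbz2
# dependency recorded in the binary as "<origin> <path> <current-version>".
bz2_link_origin() {
    awk '
        /libbz2.*\.dylib/ {
            path = $1; ver = "unknown"
            # "current version " is 16 characters; keep only the number.
            if (match($0, /current version [0-9.]+/))
                ver = substr($0, RSTART + 16, RLENGTH - 16)
            if (index(path, "/usr/lib/") == 1) origin = "system"
            else if (substr(path, 1, 1) == "@") origin = "relative"
            else origin = "local"
            print origin, path, ver
            found = 1
        }
        END { if (!found) print "none - -" }
    '
}

# Constructed sample: libclamav linked against the OS copy in /usr/lib.
sample_system() {
    cat <<'EOF'
/usr/local/lib/libclamav.6.dylib:
    /usr/local/lib/libclamav.6.dylib (compatibility version 7.0.0, current version 7.4.0)
    /usr/lib/libbz2.1.0.dylib (compatibility version 1.0.0, current version 1.0.5)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.3)
EOF
}

# Constructed sample: linked against a private build under /opt/local/lib.
sample_local() {
    cat <<'EOF'
/usr/local/lib/libclamav.6.dylib:
    /opt/local/lib/libbz2.1.0.dylib (compatibility version 1.0.0, current version 1.0.6)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.3)
EOF
}

# Constructed sample: no libbz2 entry (static link or bzip2 support off).
sample_none() {
    printf '%s\n' '/usr/local/sbin/clamd:' \
        '    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.3)'
}

# On a real Mac (path is a placeholder): otool -L /path/to/libclamav.dylib | bz2_link_origin
for s in sample_system sample_local sample_none; do
    printf '%-14s %s\n' "$s" "$($s | bz2_link_origin)"
done
```

The path reported is the one written at link time; a `DYLD_LIBRARY_PATH` setting, as mentioned in the thread, can still redirect the load at run time. A `system` result with version 1.0.5 does not by itself show whether the CVE-2010-0405 fix is present, since according to the thread Apple patched the issue without changing the version.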