Bug#888484: [Pkg-clamav-devel] Bug#888484: Processed (with 1 error): Re: Bug#888484: clamav: Security release 0.99.3 available

2018-01-27 Thread Sebastian Andrzej Siewior
On 27 January 2018 15:30:45 CET, Salvatore Bonaccorso wrote:
>So "the remaining CVEs were not addressed yet" part.
>
I was referring to the Stretch release. The fd bug is fixed but not the CVEs.
In the meantime I opened pu bugs for stable and oldstable.


Sebastian



Bug#888484: [Pkg-clamav-devel] Processed (with 1 error): Re: Bug#888484: clamav: Security release 0.99.3 available

2018-01-27 Thread Salvatore Bonaccorso
Scott,

Thank you.

On Sat, Jan 27, 2018 at 03:12:31PM +, Scott Kitterman wrote:
> 
> 
> On January 27, 2018 2:30:45 PM UTC, Salvatore Bonaccorso wrote:
> >Hi Scott,
> >
> >On Sat, Jan 27, 2018 at 02:05:59PM +, Scott Kitterman wrote:
> >> fixed 888484 0.99.3~beta2+dfsg-1
> >> 
> >> Everyone:
> >> 
> >> Please leave the status of this bug to the package maintainers.
> >> We've checked and all the security issues in the new 0.99.3 release
> >> were previously addressed in the beta that's in testing/unstable.
> >> 
> >> If you think this is incorrect, provide specific information about
> >> why (i.e. point to the code).  Don't change the status of the bug.
> >> You aren't helping.
> >
> >This though was not clear at all from
> >https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484#29 where the
> >bug was marked fixed in 0.99.3~beta2+dfsg-1, where Sebastian wrote:
> >
> >> I *think* the crashes you observed might be due to FD desc issue. This
> >> was fixed in Stretch by chance but not in Jessie. However the remaining
> >> CVEs were not addressed yet and I'm looking into it…
> >> 
> >> [0] http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html
> >
> >So "the remaining CVEs were not addressed yet" part.
> >
> >I take your last email as confirmation that they indeed *are* fixed in
> >0.99.3~beta2+dfsg-1 and have updated the security-tracker information
> >as such.
> 
> Thanks.  This is a bit of a confusing mess (thanks upstream).  My
> understanding is that the remaining ones are ones that are addressed
> in the beta in unstable/testing, but not the new release.  If I find
> out different, I'll be sure to update the tracker.

Btw, I did expand the tracker CVE entries now with the respective
upstream bugs (they are now open) and the respective commits. And it
looks indeed that all of those are present in the "Import
clamav_0.99.3~beta2+dfsg.orig.tar.xz" of Sebastian Andrzej Siewior, in
the packaging repo done back in December 2017.

Thanks for your work!

Salvatore



Bug#888484: [Pkg-clamav-devel] Processed (with 1 error): Re: Bug#888484: clamav: Security release 0.99.3 available

2018-01-27 Thread Scott Kitterman


On January 27, 2018 2:30:45 PM UTC, Salvatore Bonaccorso wrote:
>Hi Scott,
>
>On Sat, Jan 27, 2018 at 02:05:59PM +, Scott Kitterman wrote:
>> fixed 888484 0.99.3~beta2+dfsg-1
>> 
>> Everyone:
>> 
>> Please leave the status of this bug to the package maintainers.
>> We've checked and all the security issues in the new 0.99.3 release
>> were previously addressed in the beta that's in testing/unstable.
>> 
>> If you think this is incorrect, provide specific information about
>> why (i.e. point to the code).  Don't change the status of the bug.
>> You aren't helping.
>
>This though was not clear at all from
>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484#29 where the
>bug was marked fixed in 0.99.3~beta2+dfsg-1, where Sebastian wrote:
>
>> I *think* the crashes you observed might be due to FD desc issue. This
>> was fixed in Stretch by chance but not in Jessie. However the remaining
>> CVEs were not addressed yet and I'm looking into it…
>> 
>> [0] http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html
>
>So "the remaining CVEs were not addressed yet" part.
>
>I take your last email as confirmation that they indeed *are* fixed in
>0.99.3~beta2+dfsg-1 and have updated the security-tracker information
>as such.

Thanks.  This is a bit of a confusing mess (thanks upstream).  My understanding 
is that the remaining ones are ones that are addressed in the beta in 
unstable/testing, but not the new release.  If I find out different, I'll be 
sure to update the tracker.

Scott K



Bug#888484: [Pkg-clamav-devel] Processed (with 1 error): Re: Bug#888484: clamav: Security release 0.99.3 available

2018-01-27 Thread Salvatore Bonaccorso
Hi Scott,

On Sat, Jan 27, 2018 at 02:05:59PM +, Scott Kitterman wrote:
> fixed 888484 0.99.3~beta2+dfsg-1
> 
> Everyone:
> 
> Please leave the status of this bug to the package maintainers.
> We've checked and all the security issues in the new 0.99.3 release
> were previously addressed in the beta that's in testing/unstable.
> 
> If you think this is incorrect, provide specific information about
> why (i.e. point to the code).  Don't change the status of the bug.
> You aren't helping.

This though was not clear at all from
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484#29 where the
bug was marked fixed in 0.99.3~beta2+dfsg-1, where Sebastian wrote:

> I *think* the crashes you observed might be due to FD desc issue. This
> was fixed in Stretch by chance but not in Jessie. However the remaining
> CVEs were not addressed yet and I'm looking into it…
> 
> [0] http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html

So "the remaining CVEs were not addressed yet" part.

I take your last email as confirmation that they indeed *are* fixed in
0.99.3~beta2+dfsg-1 and have updated the security-tracker information
as such.

Regards,
Salvatore



Bug#888484: [Pkg-clamav-devel] Processed (with 1 error): Re: Bug#888484: clamav: Security release 0.99.3 available

2018-01-27 Thread Scott Kitterman
fixed 888484 0.99.3~beta2+dfsg-1

Everyone:

Please leave the status of this bug to the package maintainers.  We've checked 
and all the security issues in the new 0.99.3 release were previously addressed 
in the beta that's in testing/unstable.

If you think this is incorrect, provide specific information about why (i.e. 
point to the code).  Don't change the status of the bug.  You aren't helping.

Scott K

On January 27, 2018 10:19:15 AM UTC, Salvatore Bonaccorso wrote:
>notfixed 888484 0.99.3~beta2+dfsg-1
>thanks
>
>Assuming the following was the intention:
>
>On Sat, Jan 27, 2018 at 02:12:08AM +, Debian Bug Tracking System
>wrote:
>> Processing control commands:
>> 
>> > unfixed 888484 0.99.3~beta2+dfsg-1
>> Unknown command or malformed arguments to command.



Bug#888484: clamav: Security release 0.99.3 available

2018-01-26 Thread Bernhard Schmidt
Control: unfixed 888484 0.99.3~beta2+dfsg-1
Control: fixed 888511 0.99.3~beta2+dfsg-1

Hi 

>> 
>> We've started seeing unexpected clamd crashes on a high-traffic mail
>> system today, though I've been unable to isolate a test case. It seems like
>> too much of a coincidence that these crashes start happening the day after a
>> security release was announced. We've implemented mitigations but an updated
>> package would be even better.
> 
> I *think* the crashes you observed might be due to FD desc issue. This
> was fixed in Stretch by chance but not in Jessie. However the remaining
> CVEs were not addressed yet and I'm looking into it…
> 
> [0] http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html

Indeed. There is a separate Bug#888511 for that, I have migrated the fixed 
Version above to avoid confusion.

Are you sure about the Stretch thing? Stretch contains 0.99.2 which should be 
affected by this bug. But I’m not 100% sure, as all my high traffic mail 
gateways are still running Jessie.

According to reports 0.99.3~beta2 was indeed not affected by the signature bug, 
so Buster/Sid were fine. What makes things even more confusing is that 0.99.3 
does not contain this fix, because 0.99.3 is 0.99.2+security fixes, while 
0.99.3~beta was a development tree that is now called 0.100 :-(

http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html

Upstream announcement suggests you cannot do a clean switch from 0.99.3~beta to 
0.99.3

As previously mentioned, if you downloaded the beta version of ClamAV 0.99.3, 
you will need to completely uninstall it and do a fresh install with the 
production version of 0.99.3 as there are significant code differences


Bernhard

Bug#888484: clamav: Security release 0.99.3 available

2018-01-26 Thread Rob N ★
On Sat, Jan 27, 2018, at 11:08 AM, Sebastian Andrzej Siewior wrote:
> I *think* the crashes you observed might be due to FD desc issue. This
> was fixed in Stretch by chance but not in Jessie. However the remaining
> CVEs were not addressed yet and I'm looking into it…

Yes, I found this too after reviewing discussion on clamav-users. I've
been running the latest daily.cvd on a test server this morning without
issue, which is a good enough solution for me at the moment.
I will of course be watching for updated packages, but it's definitely
no longer urgent.
Thank you all for the pointers; I appreciate the assist :)

Rob N.


Bug#888484: clamav: Security release 0.99.3 available

2018-01-26 Thread Sebastian Andrzej Siewior
control: fixed -1  0.99.3~beta2+dfsg-1

On 2018-01-26 09:35:25 [+], Rob N wrote:
> Package: clamav
> Version: 0.99.2+dfsg-0+deb8u2
> Severity: important
> 
> 0.99.3 has been released, see 
> http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html.
> 
> This fixed a number of overflow bugs, each of which has assigned CVE numbers
> due to the potential for denial of service.
> 
> We've started seeing unexpected clamd crashes on a high-traffic mail
> system today, though I've been unable to isolate a test case. It seems like
> too much of a coincidence that these crashes start happening the day after a
> security release was announced. We've implemented mitigations but an updated
> package would be even better.

I *think* the crashes you observed might be due to FD desc issue. This
was fixed in Stretch by chance but not in Jessie. However the remaining
CVEs were not addressed yet and I'm looking into it…

[0] http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html

> Cheers!
> Rob N.

Sebastian



Bug#888484: clamav: Security release 0.99.3 available

2018-01-26 Thread Bernhard Schmidt
Control: tags -1 security
Control: severity -1 grave

On Fri, Jan 26, 2018 at 09:35:25AM +, Rob N wrote:
> Package: clamav
> Version: 0.99.2+dfsg-0+deb8u2
> Severity: important
> 
> 0.99.3 has been released, see 
> http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html.
> 
> This fixed a number of overflow bugs, each of which has assigned CVE numbers
> due to the potential for denial of service.
> 
> We've started seeing unexpected clamd crashes on a high-traffic mail
> system today, though I've been unable to isolate a test case. It seems like
> too much of a coincidence that these crashes start happening the day after a
> security release was announced. We've implemented mitigations but an updated
> package would be even better.

Indeed. There are tons of reports of ClamAV installations suddenly
getting wedged, see
http://lists.clamav.net/pipermail/clamav-users/2018-January/thread.html#5658
. It is a bit unclear whether 0.99.3 does fix this issue (which seems to
be caused by a recent signature update), but other news sites claim that
at least CVE-2017-12376 is getting actively exploited.

Bernhard



Bug#888484: clamav: Security release 0.99.3 available

2018-01-26 Thread Rob N
Package: clamav
Version: 0.99.2+dfsg-0+deb8u2
Severity: important

0.99.3 has been released, see 
http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html.

This fixed a number of overflow bugs, each of which has assigned CVE numbers
due to the potential for denial of service.

We've started seeing unexpected clamd crashes on a high-traffic mail
system today, though I've been unable to isolate a test case. It seems like
too much of a coincidence that these crashes start happening the day after a
security release was announced. We've implemented mitigations but an updated
package would be even better.

Cheers!
Rob N.


-- Package-specific info:
--- configuration ---
Checking configuration files in /etc/clamav

Config file: clamd.conf
---
LogFile = "/var/log/clamav/clamav.log"
StatsHostID = "auto"
StatsEnabled disabled
StatsPEDisabled = "yes"
StatsTimeout = "10"
LogFileUnlock disabled
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogClean disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
PidFile disabled
TemporaryDirectory disabled
DatabaseDirectory = "/var/lib/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "15"
StreamMaxLength = "26214400"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "12"
ReadTimeout = "180"
CommandReadTimeout = "5"
SendBufTimeout = "200"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = "yes"
SelfCheck = "3600"
DisableCache disabled
VirusEvent disabled
ExitOnOOM disabled
AllowAllMatchScan = "yes"
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "clamav"
AllowSupplementaryGroups disabled
Bytecode = "yes"
BytecodeSecurity = "TrustSigned"
BytecodeTimeout = "6"
BytecodeUnsigned disabled
BytecodeMode = "Auto"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
AlgorithmicDetection = "yes"
ScanPE = "yes"
ScanELF = "yes"
DetectBrokenExecutables disabled
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
PhishingAlwaysBlockCloak disabled
PhishingAlwaysBlockSSLMismatch disabled
PartitionIntersection disabled
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
OLE2BlockMacros disabled
ScanPDF = "yes"
ScanSWF = "yes"
ScanXMLDOCS = "yes"
ScanHWP3 = "yes"
ScanArchive = "yes"
ArchiveBlockEncrypted disabled
ForceToDisk disabled
MaxScanSize = "104857600"
MaxFileSize = "26214400"
MaxRecursion = "16"
MaxFiles = "1"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
MaxZipTypeRcg = "1048576"
MaxPartitions = "50"
MaxIconsPE = "100"
MaxRecHWP3 = "16"
PCREMatchLimit = "1"
PCRERecMatchLimit = "5000"
PCREMaxFileSize = "26214400"
ScanOnAccess disabled
OnAccessMountPath disabled
OnAccessIncludePath disabled
OnAccessExcludePath disabled
OnAccessExcludeUID disabled
OnAccessMaxFileSize = "5242880"
OnAccessDisableDDD disabled
OnAccessPrevention disabled
OnAccessExtraScanning disabled
DevACOnly disabled
DevACDepth disabled
DevPerformance disabled
DevLiblog disabled
DisableCertCheck disabled

Config file: freshclam.conf
---
StatsHostID disabled
StatsEnabled disabled
StatsTimeout disabled
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
PidFile disabled
DatabaseDirectory = "/var/lib/clamav"
Foreground disabled
Debug disabled
AllowSupplementaryGroups disabled
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseOwner = "clamav"
Checks = "24"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
PrivateMirror disabled
MaxAttempts = "5"
ScriptedUpdates = "yes"
TestDatabases = "yes"
CompressLocalDatabase disabled
ExtraDatabase disabled
DatabaseCustomURL disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamav/clamd.conf"
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "30"
ReceiveTimeout = "30"
SubmitDetectionStats disabled
DetectionStatsCountry disabled
DetectionStatsHostID disabled
SafeBrowsing disabled
Bytecode = "yes"

clamav-milter.conf not found

Software settings
-
Version: 0.99.2
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2 
LIBXML2 PCRE ICONV JSON RAR JIT

Database information

Database