From 495cd95c952bdc310ad33191a4488f3bcc51b56f Mon Sep 17 00:00:00 2001
From: ensc
Date: Feb 20 2007 07:48:05 +0000
Subject: [SECURITY]: imported Debian patches to fix CVE-2007-0897 (CAB file DOS), CVE-2007-0898 (Directory traversal vulnerability) and CVE-2007-0899 (Heap overflow). Fix CVE-for 2007-0897 is not perfect (disables CAB file parsing completely) but the best I can do atm
---
diff --git a/clamav-0.88.7-CVE-2007-0897.patch b/clamav-0.88.7-CVE-2007-0897.patch
new file mode 100644
index 0000000..4dbe46e
--- /dev/null
+++ b/clamav-0.88.7-CVE-2007-0897.patch
@@ -0,0 +1,11 @@
+--- clamav-0.88.7.orig/libclamav/filetypes.c
++++ clamav-0.88.7/libclamav/filetypes.c
+@@ -59,7 +59,7 @@
+ {0, "\037\213", 2, "GZip", CL_TYPE_GZ},
+ {0, "BZh", 3, "BZip", CL_TYPE_BZ},
+ {0, "SZDD", 4, "compress.exe'd", CL_TYPE_MSSZDD},
+- {0, "MSCF", 4, "MS CAB", CL_TYPE_MSCAB},
++ /* {0, "MSCF", 4, "MS CAB", CL_TYPE_MSCAB}, */
+ {0, "ITSF", 4, "MS CHM", CL_TYPE_MSCHM},
+ {0, "#@~^", 4, "SCRENC", CL_TYPE_SCRENC},
+ {0, "(This file must be converted with BinHex 4.0)",
diff --git a/clamav-0.88.7-CVE-2007-0898.patch b/clamav-0.88.7-CVE-2007-0898.patch
new file mode 100644
index 0000000..3ebf0ea
--- /dev/null
+++ b/clamav-0.88.7-CVE-2007-0898.patch
@@ -0,0 +1,11 @@
+--- clamav-0.88.7.orig/libclamav/mbox.c
++++ clamav-0.88.7/libclamav/mbox.c
+@@ -3605,6 +3605,8 @@
+ char outname[NAME_MAX + 1];
+ time_t now;
+
++ sanitiseName(id);
++
+ snprintf(outname, sizeof(outname) - 1, "%s/%s", dir, id);
+
+ cli_dbgmsg("outname: %s\n", outname);
diff --git a/clamav-0.88.7-CVE-2007-0899.patch b/clamav-0.88.7-CVE-2007-0899.patch
new file mode 100644
index 0000000..f59db57
--- /dev/null
+++ b/clamav-0.88.7-CVE-2007-0899.patch
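Review bot: The `MSCF` entry in the filetypes.c hunk is commented out with no explanation in the table itself, so a later reader cannot tell that this is a deliberate stop-gap for CVE-2007-0897 rather than dead code. I would replace the bare comment with one that records the reason and the trade-off, for example `/* MSCF magic disabled for CVE-2007-0897: CAB files are no longer recognised, so their contents are not unpacked and scanned; restore with the upstream fix */`. The coverage loss is what operators need to know about, since with the magic gone a cabinet file is presumably handled as plain data and whatever is packed inside it goes uninspected. Whether the CAB unpacker can still be reached by a path other than this magic table is not visible in the hunk and is worth confirming, because the patch removes only this one entry.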
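Review bot: The `snprintf` into `outname` directly after the new `sanitiseName(id)` call in the mbox.c hunk still ignores its return value, so a long `dir` plus `id` is silently truncated and the path that gets used may differ from the name that was sanitised. `outname` is sized `NAME_MAX + 1`, the limit for a single path component, while it holds `dir/id`; I would size it for a full path and reject truncation, e.g. `int n = snprintf(outname, sizeof(outname), "%s/%s", dir, id);` followed by `if (n < 0 || (size_t)n >= sizeof(outname))` and an error return. The fix also depends on `sanitiseName` rewriting `id` in place and removing path separators and `..` components; its definition is outside the hunk, so that should be confirmed, along with `id` being a writable, non-NULL buffer at this point. The enclosing function starts and ends outside the hunk.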
@@ -0,0 +1,12 @@
+--- clamav-0.88.7.orig/libclamav/fsg.c
++++ clamav-0.88.7/libclamav/fsg.c
+@@ -72,7 +72,8 @@
+ char *csrc = source, *cdst = dest;
+ int oob, lostbit = 1;
+
+- /* I assume buffers size is >0 - No checking! */
++ if (ssize<=0 || dsize<=0) return -1;
++
+ *cdst++=*csrc++;
+
+ while ( 1 ) {
diff --git a/clamav.spec b/clamav.spec
index cd5d104..675bbbb 100644
--- a/clamav.spec
+++ b/clamav.spec
@@ -1,4 +1,4 @@
-## $Id: clamav.spec,v 1.44 2006/11/05 20:11:21 ensc Exp $
+## $Id: clamav.spec,v 1.45 2006/12/12 08:17:53 ensc Exp $
 ## Fedora Extras specific customization below... %bcond_without fedora
@@ -19,7 +19,7 @@ Summary: End-user tools for the Clam Antivirus scanner Name: clamav Version: 0.88.7
-Release: %release_func 1
+Release: %release_func 2
 License: GPL Group: Applications/File
@@ -39,6 +39,9 @@ Patch20: clamav-0.70-user.patch Patch21: clamav-0.70-path.patch Patch22: clamav-0.80-initoff.patch Patch23: clamav-0.88.4-visibility.patch
+Patch50: clamav-0.88.7-CVE-2007-0897.patch
+Patch51: clamav-0.88.7-CVE-2007-0898.patch
+Patch52: clamav-0.88.7-CVE-2007-0899.patch
 BuildRoot: %_tmppath/%name-%version-%release-root Requires: clamav-lib = %version-%release Requires: data(clamav)
@@ -180,6 +183,10 @@ The SysV initscripts for clamav-milter. %prep %setup -q
+%patch50 -p1 -b .cve-2007-0897
+%patch51 -p1 -b .cve-2007-0898
+%patch52 -p1 -b .cve-2007-0899
+
 %patch0 -p1 -b '.guys,please-read-the-compiler-warnings-before-doing-a-release.patch' %patch1 -p1 -b .strncpy
@@ -448,6 +455,13 @@ test "$1" = 0 || %_initrddir/clamav-milter condrestart >/dev/null || : %changelog
+* Tue Feb 20 2007 Enrico Scholz - 0.88.7-2
+- [SECURITY]: imported Debian patches to fix CVE-2007-0897 (CAB
+ file DOS), CVE-2007-0898 (Directory traversal vulnerability) and
+ CVE-2007-0899 (Heap overflow). Fix CVE-for 2007-0897 is not
+ perfect (disables CAB file parsing completely) but the best I
+ can do atm
+
 * Tue Dec 12 2006 Enrico Scholz - 0.88.7-1 - updated to 0.88.7
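Review bot: The new `if (ssize<=0 || dsize<=0) return -1;` guard in the fsg.c hunk only makes the unconditional first-byte copy `*cdst++=*csrc++;` safe; it says nothing about the reads and writes inside `while ( 1 )`, whose bounds checks lie outside the hunk and need to compare against `ssize` and `dsize` on every step for the heap overflow to be closed. The removed comment was the only documentation of the precondition, so I would put one back above the guard: `/* the first byte is copied unconditionally below, so both buffers must hold at least one byte */`. The types of `ssize` and `dsize` are not visible here; if they are unsigned, `<=0` catches only zero, and a negative length converted by the caller would pass as a very large size. It is also worth confirming that callers treat `-1` as a failure rather than as a byte count.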