[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/etch-security, updated. 2561103d6251a7903c4b131dc7eb74093e7aee50

Michael Tautschnig mt at debian.org
Wed Dec 3 04:42:44 UTC 2008


The following commit has been merged in the debian/etch-security branch:
commit 2561103d6251a7903c4b131dc7eb74093e7aee50
Author: Michael Tautschnig <mt at debian.org>
Date:   Tue Dec 2 20:41:39 2008 -0800

    Backported fix for #507624
    
    - libclamav/special.c: respect recursion limits in cli_check_jpeg_exploit() (bb#1266)
    - Using code from upstream SVN r4478
    
    Signed-off-by: Michael Tautschnig <mt at debian.org>

diff --git a/debian/changelog b/debian/changelog
index 50329c3..a3d029f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,8 +2,10 @@ clamav (0.90.1dfsg-4etch16) stable-security; urgency=high
 
   * libclamav/vba_extract.c: off-by-one error causing possible buffer overflow
     (Closes: #505134)
+  * libclamav/special.c: respect recursion limits in cli_check_jpeg_exploit()
+    (Closes: #507624)
 
- -- Stephen Gran <sgran at debian.org>  Tue, 11 Nov 2008 22:29:12 +0100
+ -- Stephen Gran <sgran at debian.org>  Tue, 02 Dec 2008 20:36:31 -0800
 
 clamav (0.90.1dfsg-4etch15) stable-security; urgency=low
 
diff --git a/debian/patches/00list b/debian/patches/00list
index 27caae2..37b710f 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -24,3 +24,4 @@
 46.fd-leak.CVE-2008-3914.dpatch
 47.manager.c.CVE-2008-3913.dpatch
 48.vba_unicode.c.dpatch
+49.special.c.dpatch
diff --git a/debian/patches/49.special.c.dpatch b/debian/patches/49.special.c.dpatch
new file mode 100644
index 0000000..cbadd93
--- /dev/null
+++ b/debian/patches/49.special.c.dpatch
@@ -0,0 +1,125 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 48.vba_unicode.c.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: get_unicode_name() off-by-one buffer overflow
+
+ at DPATCH@
+diff --git a/libclamav/scanners.c b/libclamav/scanners.c
+index c4d1d8b..1d53fa6 100644
+--- a/libclamav/scanners.c
++++ b/libclamav/scanners.c
+@@ -1451,13 +1451,13 @@ static int cli_scanriff(int desc, const char **virname)
+     return ret;
+ }
+ 
+-static int cli_scanjpeg(int desc, const char **virname)
++static int cli_scanjpeg(int desc, cli_ctx *ctx)
+ {
+ 	int ret = CL_CLEAN;
+ 
+-    if(cli_check_jpeg_exploit(desc) == 1) {
++    if(cli_check_jpeg_exploit(desc, ctx) == 1) {
+ 	ret = CL_VIRUS;
+-	*virname = "Exploit.W32.MS04-028";
++	*ctx->virname = "Exploit.W32.MS04-028";
+     }
+ 
+     return ret;
+@@ -1905,7 +1905,7 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)
+ 
+ 	case CL_TYPE_GRAPHICS:
+ 	    if(SCAN_ALGO && (DCONF_OTHER & OTHER_CONF_JPEG))
+-		ret = cli_scanjpeg(desc, ctx->virname);
++		ret = cli_scanjpeg(desc, ctx);
+ 	    break;
+ 
+ 	case CL_TYPE_PDF:
+diff --git a/libclamav/special.c b/libclamav/special.c
+index 777f103..2179db4 100644
+--- a/libclamav/special.c
++++ b/libclamav/special.c
+@@ -82,7 +82,7 @@ int cli_check_mydoom_log(int desc, const char **virname)
+     return retval;
+ }
+ 
+-static int jpeg_check_photoshop_8bim(int fd)
++static int jpeg_check_photoshop_8bim(int fd, cli_ctx *ctx)
+ {
+ 	unsigned char bim[5];
+ 	uint16_t id, ntmp;
+@@ -137,7 +137,7 @@ static int jpeg_check_photoshop_8bim(int fd)
+ 	/* Jump past header */
+ 	lseek(fd, 28, SEEK_CUR);
+ 
+-	retval = cli_check_jpeg_exploit(fd);
++	retval = cli_check_jpeg_exploit(fd, ctx);
+ 	if (retval == 1) {
+ 		cli_dbgmsg("Exploit found in thumbnail\n");
+ 	}
+@@ -146,7 +146,7 @@ static int jpeg_check_photoshop_8bim(int fd)
+ 	return retval;
+ }
+ 
+-static int jpeg_check_photoshop(int fd)
++static int jpeg_check_photoshop(int fd, cli_ctx *ctx)
+ {
+ 	int retval;
+ 	unsigned char buffer[14];
+@@ -163,7 +163,7 @@ static int jpeg_check_photoshop(int fd)
+ 	cli_dbgmsg("Found Photoshop segment\n");
+ 	do {
+ 		old = lseek(fd, 0, SEEK_CUR);
+-		retval = jpeg_check_photoshop_8bim(fd);
++		retval = jpeg_check_photoshop_8bim(fd, ctx);
+ 		new = lseek(fd, 0, SEEK_CUR);
+ 		if(new <= old)
+ 			break;
+@@ -175,7 +175,7 @@ static int jpeg_check_photoshop(int fd)
+ 	return retval;
+ }
+ 
+-int cli_check_jpeg_exploit(int fd)
++int cli_check_jpeg_exploit(int fd, cli_ctx *ctx)
+ {
+ 	unsigned char buffer[4];
+ 	off_t offset;
+@@ -183,6 +183,8 @@ int cli_check_jpeg_exploit(int fd)
+ 
+ 
+ 	cli_dbgmsg("in cli_check_jpeg_exploit()\n");
++	if(ctx->recursion > ctx->limits->maxreclevel)
++	    return CL_EMAXREC;
+ 
+ 	if (cli_readn(fd, buffer, 2) != 2) {
+ 		return 0;
+@@ -226,9 +228,11 @@ int cli_check_jpeg_exploit(int fd)
+ 
+ 		if (buffer[1] == 0xed) {
+ 			/* Possible Photoshop file */
+-			if ((retval=jpeg_check_photoshop(fd)) != 0) {
++			ctx->recursion++;
++			retval=jpeg_check_photoshop(fd, ctx);
++			ctx->recursion--;
++			if (retval != 0)
+ 				return retval;
+-			}
+ 		}
+ 
+ 		if (lseek(fd, offset, SEEK_SET) != offset) {
+diff --git a/libclamav/special.h b/libclamav/special.h
+index 69aeeb9..de0d3ad 100644
+--- a/libclamav/special.h
++++ b/libclamav/special.h
+@@ -20,8 +20,10 @@
+ #ifndef __SPECIAL_H
+ #define __SPECIAL_H
+ 
++#include "others.h"
++
+ int cli_check_mydoom_log(int desc, const char **virname);
+-int cli_check_jpeg_exploit(int fd);
++int cli_check_jpeg_exploit(int fd, cli_ctx *ctx);
+ int cli_check_riff_exploit(int fd);
+ 
+ #endif
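Review bot: The new `CL_EMAXREC` return from `cli_check_jpeg_exploit()` is discarded by its top-level caller, because `cli_scanjpeg()` still tests only `== 1`; a JPEG whose nested Photoshop thumbnails exceed `maxreclevel` is therefore reported as `CL_CLEAN`, and the early return logs no message that the limit was hit. If that is the intended policy it deserves a comment at the check; otherwise handle it explicitly in `cli_scanjpeg()`, for example `int rc = cli_check_jpeg_exploit(desc, ctx);` followed by `if(rc == CL_EMAXREC) return rc;` before the `== 1` test, or report it the way this branch reports over-limit archives. The guard also dereferences `ctx->limits` unconditionally; whether `limits` can be NULL on this path is not visible in the patch, so confirm it or write `if(ctx->limits && ctx->recursion > ctx->limits->maxreclevel)`. Separately, the dpatch header still reads `## 48.vba_unicode.c.dpatch` and `## DP: get_unicode_name() off-by-one buffer overflow`, copied from the previous patch; it should name `49.special.c.dpatch` and describe the recursion limit in `cli_check_jpeg_exploit()`.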

-- 
Debian repository for ClamAV


