[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/etch-security, updated. 594a24f3c0e57e508385e31054db831241cfaa56

Stephen Gran steve at lobefin.net
Fri Sep 5 16:07:45 UTC 2008


The following commit has been merged in the debian/etch-security branch:
commit 5a2d726d34305c6aa7901918e66b4a1c1c455584
Author: Stephen Gran <steve at lobefin.net>
Date:   Fri Sep 5 16:55:24 2008 +0100

    Incorporate security team's last upload
    Signed-off-by: Stephen Gran <steve at lobefin.net>

diff --git a/debian/changelog b/debian/changelog
index 2d82e55..f8f6311 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,21 @@
-clamav (0.90.1dfsg-3etch12) stable-security; urgency=low
+clamav (0.90.1dfsg-3.1+etch14) stable-security; urgency=high
 
-  * [CVE-2008-2713]: libclamav/petite.c: DoS
+  * Non-maintainer upload by the security team
+  * Reinstate dropped patch for CVE-2008-2713, which was somehow left
+    out of 0.90.1dfsg-3etch13 (Closes: #492252)
 
- -- Stephen Gran <sgran at debian.org>  Mon, 16 Jun 2008 23:01:20 +0100
+ -- Devin Carraway <devin at debian.org>  Thu, 24 Jul 2008 10:02:47 -0700
+
+clamav (0.90.1dfsg-3etch13) stable-security; urgency=high
+
+  * Non-maintainer upload by the security team
+  * Backport upstream fix for CVE-2008-2713, addressing a denial of
+    service vulnerability in the Petite executable unpacker.  A
+    maliciously crafted petite-packed executable could trigger an
+    out-of-bound memory read, resulting in a crash.  Thanks to Stephen
+    Gran for his help identifying the problem.
+
+ -- Devin Carraway <devin at debian.org>  Sat, 19 Jul 2008 06:26:52 +0000
 
 clamav (0.90.1dfsg-3etch11) stable-security; urgency=high
 
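Review bot: the first removed line drops the whole 0.90.1dfsg-3etch12 stanza instead of stacking the two new entries above it, so the changelog now goes straight from 3etch11 to 3etch13. If 3etch12 was ever uploaded, its stanza should stay so the version history remains complete; if it never left the repository, the commit message should say so. The 3.1+etch14 entry also says the patch was "somehow left out" of 3etch13, and a sentence on how it was dropped would help anyone auditing this update later.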
diff --git a/debian/patches/00list b/debian/patches/00list
index c84980e..11edb49 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -19,4 +19,4 @@
 41.pe.c.wwpack.overflow.dpatch
 42.pe.c.CVE-2008-1100.dpatch
 43.spin.c.CVE-2008-1387.dpatch
-44.petite.c.Invalid_read.dpatch
+44.petite.c.CVE-2008-2713.dpatch
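Review bot: the last list entry replaces 44.petite.c.Invalid_read.dpatch rather than adding 44.petite.c.CVE-2008-2713.dpatch next to it, and the two patch files in this commit do not touch the same code. The removed one changes petite.c around line 313 (the section lookup in petite_inflate2x_1to9), the new one changes the compaction loop around line 214, so the swap drops the earlier bounds handling entirely. Please confirm that is intended, or keep both patches in the list under distinct numbers.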
diff --git a/debian/patches/44.petite.c.CVE-2008-2713.dpatch b/debian/patches/44.petite.c.CVE-2008-2713.dpatch
new file mode 100644
index 0000000..efcd351
--- /dev/null
+++ b/debian/patches/44.petite.c.CVE-2008-2713.dpatch
@@ -0,0 +1,27 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 44.petite.c.CVE-2008-2713.dpatch by <devin at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Backport upstream fix for CVE-2008-2713, an invalid memory read
+## DP: triggerable by a malformed Petite-packed win32 executable
+
+ at DPATCH@
+--- clamav-0.93.1.dfsg.orig/libclamav/petite.c
++++ clamav-0.93.1.dfsg/libclamav/petite.c
+@@ -214,8 +214,14 @@
+       /* Let's compact data */
+       for (t = 0; t < j ; t++) {
+ 	usects[t].raw = (t>0)?(usects[t-1].raw + usects[t-1].rsz):0;
+-	if (usects[t].rsz != 0 && CLI_ISCONTAINED(buf, bufsz, buf + usects[t].raw, usects[t].rsz))
+-	  memmove(buf + usects[t].raw, adjbuf + usects[t].rva, usects[t].rsz);
++	if (usects[t].rsz != 0)
++		if(CLI_ISCONTAINED(buf, bufsz, buf + usects[t].raw, usects[t].rsz)) {
++			memmove(buf + usects[t].raw, adjbuf + usects[t].rva, usects[t].rsz);
++		} else {
++			cli_dbgmsg("Petite: Skipping section %d, Raw: %x, RSize:%x\n", t, usects[t].raw, usects[t].rsz);
++			usects[t].raw = t>0 ? usects[t-1].raw : 0;
++			usects[t].rsz = 0;
++		}
+       }
+ 
+       /* Showtime!!! */
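Review bot: in the rewritten condition, CLI_ISCONTAINED still covers only the destination range (buf + usects[t].raw, usects[t].rsz); the memmove source, adjbuf + usects[t].rva, is not checked anywhere in the visible lines. Since the changelog describes this as an out-of-bound read, please confirm the source range is validated earlier in the function, or add a containment check for it here. Two smaller points: the outer "if (usects[t].rsz != 0)" has no braces around the inner if/else, which invites a dangling-else misreading, and the embedded header names clamav-0.93.1.dfsg while the package is 0.90.1dfsg, so it is worth confirming the hunk applies cleanly to the etch source without fuzz.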
diff --git a/debian/patches/44.petite.c.Invalid_read.dpatch b/debian/patches/44.petite.c.Invalid_read.dpatch
deleted file mode 100644
index 9fb4b4a..0000000
--- a/debian/patches/44.petite.c.Invalid_read.dpatch
+++ /dev/null
@@ -1,34 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 44.petite.c.Invalid_read.dpatch
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Fix read past end of array
-
- at DPATCH@
-diff --git a/libclamav/petite.c b/libclamav/petite.c
-index 9203066..a3d3422 100644
---- a/libclamav/petite.c
-+++ b/libclamav/petite.c
-@@ -313,15 +313,19 @@ int petite_inflate2x_1to9(char *buf, uint32_t minrva, uint32_t bufsz, struct pe_
-        * (eg the icon): let's fix the rva
-        */
- 
--      if (!check4resources) {
- 	unsigned int q;
- 	for ( q = 0 ; q < sectcount ; q++ ) {
--	  if ( thisrva <= EC32(sections[q].VirtualAddress) || thisrva >= EC32(sections[q].VirtualAddress) + EC32(sections[q].VirtualSize))
-+          if(!CLI_ISCONTAINED(EC32(sections[q].VirtualAddress), EC32(sections[q].VirtualSize), usects[j].rva, usects[j].vsz))
- 	    continue;
-+          if (!check4resources) {
- 	  usects[j].rva = EC32(sections[q].VirtualAddress);
- 	  usects[j].rsz = thisrva - EC32(sections[q].VirtualAddress) + size;
--	  break;
- 	}
-+	break;
-+      }
-+      if (q == sectcount) {
-+       free(usects);
-+       return 1;
-       }
- 
-       /* Increase count of unpacked sections */

-- 
Debian repository for ClamAV


