rpms/clamav/FC-6 clamav-0.88.7-bz-515.patch, NONE, 1.1 clamav-0.88.7-CVE-2007-2650.patch, NONE, 1.1 clamav.spec, 1.46, 1.47

Enrico Scholz (ensc) fedora-extras-commits at redhat.com
Thu May 31 19:10:23 UTC 2007


Author: ensc

Update of /cvs/extras/rpms/clamav/FC-6
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9160/FC-6

Modified Files:
	clamav.spec 
Added Files:
	clamav-0.88.7-bz-515.patch clamav-0.88.7-CVE-2007-2650.patch 
Log Message:
[SECURITY] fixed CVE-2007-2650 (OLE2 list loop) and Clamav bug #515
(broken OOM handling)


clamav-0.88.7-bz-515.patch:

--- NEW FILE clamav-0.88.7-bz-515.patch ---
--- clamav-0.88.7/libclamav/matcher-ac.c.bz-515	2006-06-29 13:11:31.000000000 +0200
+++ clamav-0.88.7/libclamav/matcher-ac.c	2007-05-31 20:49:21.000000000 +0200
@@ -46,7 +46,7 @@
 
 int cli_ac_addpatt(struct cl_node *root, struct cli_ac_patt *pattern)
 {
-	struct cli_ac_node *pos, *next;
+	struct cli_ac_node *pos, *next, **newtable;
 	int i;
 
     if(pattern->length < AC_MIN_LENGTH)
@@ -65,12 +65,15 @@
 	    }
 
 	    root->ac_nodes++;
-	    root->ac_nodetable = (struct cli_ac_node **) cli_realloc(root->ac_nodetable, (root->ac_nodes) * sizeof(struct cli_ac_node *));
-	    if(root->ac_nodetable == NULL) {
-		cli_dbgmsg("Unable to realloc nodetable (%d)\n", (root->ac_nodes) * sizeof(struct cl_node *));
+	    newtable = (struct cli_ac_node **) cli_realloc(root->ac_nodetable, (root->ac_nodes) * sizeof(struct cli_ac_node *));
+	    if(!newtable) {
+		root->ac_nodes--;
+		cli_errmsg("cli_ac_addpatt(): Unable to realloc root->ac_nodetable (%u bytes)\n", (root->ac_nodes) * sizeof(struct cli_matcher *));
+		free(next);
 		return CL_EMEM;
 	    }
-	    root->ac_nodetable[root->ac_nodes - 1] = next;
+	    newtable[root->ac_nodes - 1] = next;
+	    root->ac_nodetable = newtable;
 
 	    pos->trans[((unsigned char) pattern->pattern[i]) & 0xff] = next;
 	}
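Review bot: The error message added on the realloc-failure branch passes a `size_t` product to a `%u` conversion, which is a format/argument mismatch, and the byte count is computed after `root->ac_nodes--` using `sizeof(struct cli_matcher *)` rather than the element type actually allocated, so the number logged is one that was never requested. A portable form is `cli_errmsg("cli_ac_addpatt(): Unable to realloc root->ac_nodetable (%lu bytes)\n", (unsigned long) ((root->ac_nodes + 1) * sizeof(*newtable)));`, or log before the decrement. The decrement itself is the right fix, since it keeps `ac_nodes` consistent with the table that remains allocated, and `free(next)` releases the node that would otherwise be orphaned on CL_EMEM. The body of cli_ac_addpatt continues outside this hunk, so the allocation of `next` is not visible here.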

clamav-0.88.7-CVE-2007-2650.patch:

--- NEW FILE clamav-0.88.7-CVE-2007-2650.patch ---
--- clamav-0.88.7/libclamav/ole2_extract.c.cve-2007-2650	2006-01-05 16:04:38.000000000 +0100
+++ clamav-0.88.7/libclamav/ole2_extract.c	2007-05-31 20:33:14.000000000 +0200
@@ -1,7 +1,7 @@
 /*
  *  Extract component parts of OLE2 files (e.g. MS Office Documents)
  *
- *  Copyright (C) 2004 trog at uncon.org
+ *  Copyright (C) 2004-2007 trog at uncon.org
  *
  *  This code is based on the OpenOffice and libgsf sources.
  *                  
@@ -583,6 +583,7 @@
 	unsigned char *buff;
 	int32_t current_block, ofd, len, offset;
 	char *name, *newname;
+	bitset_t *blk_bitset;
 
 	if (prop->type != 2) {
 		/* Not a file */
@@ -643,14 +644,33 @@
 		close(ofd);
 		return FALSE;
 	}
-
+	
+	blk_bitset = cli_bitset_init();
+	if (!blk_bitset) {
+		cli_errmsg("ERROR [handler_writefile]: init bitset failed\n");
+		close(ofd);
+		return FALSE;
+	}
 	while((current_block >= 0) && (len > 0)) {
+		/* Check we aren't in a loop */
+		if (cli_bitset_test(blk_bitset, (unsigned long) current_block)) {
+			/* Loop in block list */
+			cli_dbgmsg("OLE2: Block list loop detected\n");
+			close(ofd);
+			free(buff);
+			cli_bitset_free(blk_bitset);
+			return FALSE;
+		}
+		if (!cli_bitset_set(blk_bitset, (unsigned long) current_block)) {
+			return FALSE;
+		}			
 		if (prop->size < (int64_t)hdr->sbat_cutoff) {
 			/* Small block file */
 			if (!ole2_get_sbat_data_block(fd, hdr, buff, current_block)) {
 				cli_dbgmsg("ole2_get_sbat_data_block failed\n");
 				close(ofd);
 				free(buff);
+				cli_bitset_free(blk_bitset);
 				return FALSE;
 			}
 			/* buff now contains the block with 8 small blocks in it */
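Review bot: The `cli_bitset_set` failure branch returns `FALSE` without releasing anything, so on that path `ofd` stays open and both `buff` and `blk_bitset` leak, whereas every other error exit in this hunk closes and frees all three. It should mirror the loop-detection branch directly above it by adding `close(ofd);` `free(buff);` `cli_bitset_free(blk_bitset);` before the `return FALSE;`, and a `cli_dbgmsg` line there would make the failure diagnosable like the init failure is. Separately, the `+` line at the top of the hunk replaces a blank line with a tab-only line and the closing brace of the set-failure branch carries trailing tabs; both are whitespace noise worth dropping. The enclosing function (handler_writefile, going by the message at the init-failure exit) begins and ends outside this hunk.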
@@ -658,6 +678,7 @@
 			if (cli_writen(ofd, &buff[offset], MIN(len,64)) != MIN(len,64)) {
 				close(ofd);
 				free(buff);
+				cli_bitset_free(blk_bitset);
 				return FALSE;
 			}
 
@@ -668,12 +689,14 @@
 			if (!ole2_read_block(fd, hdr, buff, current_block)) {
 				close(ofd);
 				free(buff);
+				cli_bitset_free(blk_bitset);
 				return FALSE;
 			}
 			if (cli_writen(ofd, buff, MIN(len,(1 << hdr->log2_big_block_size))) !=
 							MIN(len,(1 << hdr->log2_big_block_size))) {
 				close(ofd);
 				free(buff);
+				cli_bitset_free(blk_bitset);
 				return FALSE;
 			}
 
@@ -683,6 +706,7 @@
 	}
 	close(ofd);
 	free(buff);
+	cli_bitset_free(blk_bitset);
 	return TRUE;
 }
 


Index: clamav.spec
===================================================================
RCS file: /cvs/extras/rpms/clamav/FC-6/clamav.spec,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -r1.46 -r1.47
--- clamav.spec	20 Feb 2007 07:48:05 -0000	1.46
+++ clamav.spec	31 May 2007 19:09:41 -0000	1.47
@@ -19,7 +19,7 @@
 Summary:	End-user tools for the Clam Antivirus scanner
 Name:		clamav
 Version:	0.88.7
-Release:	%release_func 2
+Release:	%release_func 3
 
 License:	GPL
 Group:		Applications/File
@@ -42,6 +42,8 @@
 Patch50:	clamav-0.88.7-CVE-2007-0897.patch
 Patch51:	clamav-0.88.7-CVE-2007-0898.patch
 Patch52:	clamav-0.88.7-CVE-2007-0899.patch
+Patch53:	clamav-0.88.7-CVE-2007-2650.patch
+Patch54:	clamav-0.88.7-bz-515.patch
 BuildRoot:	%_tmppath/%name-%version-%release-root
 Requires:	clamav-lib = %version-%release
 Requires:	data(clamav)
@@ -186,6 +188,8 @@
 %patch50 -p1 -b .cve-2007-0897
 %patch51 -p1 -b .cve-2007-0898
 %patch52 -p1 -b .cve-2007-0899
+%patch53 -p1 -b .cve-2007-2650
+%patch54 -p1 -b .bz-515
 
 %patch0  -p1 -b '.guys,please-read-the-compiler-warnings-before-doing-a-release.patch'
 %patch1  -p1 -b .strncpy
@@ -455,6 +459,10 @@
 
 
 %changelog
+* Thu May 31 2007 Enrico Scholz <enrico.scholz at informatik.tu-chemnitz.de> - 0.88.7-3
+- [SECURITY] fixed CVE-2007-2650 (OLE2 list loop) and Clamav bug #515
+  (broken OOM handling)
+
 * Tue Feb 20 2007 Enrico Scholz <enrico.scholz at informatik.tu-chemnitz.de> - 0.88.7-2
 - [SECURITY]: imported Debian patches to fix CVE-2007-0897 (CAB
   file DOS), CVE-2007-0898 (Directory traversal vulnerability) and



