rpms/clamav/FC-6 clamav-0.88.7-bz-515.patch, NONE, 1.1 clamav-0.88.7-CVE-2007-2650.patch, NONE, 1.1 clamav.spec, 1.46, 1.47
Enrico Scholz (ensc)
fedora-extras-commits at redhat.com
Thu May 31 19:10:23 UTC 2007
Author: ensc
Update of /cvs/extras/rpms/clamav/FC-6
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9160/FC-6
Modified Files:
clamav.spec
Added Files:
clamav-0.88.7-bz-515.patch clamav-0.88.7-CVE-2007-2650.patch
Log Message:
[SECURITY] fixed CVE-2007-2650 (OLE2 list loop) and Clamav bug #515
(broken OOM handling)
clamav-0.88.7-bz-515.patch:
--- NEW FILE clamav-0.88.7-bz-515.patch ---
--- clamav-0.88.7/libclamav/matcher-ac.c.bz-515 2006-06-29 13:11:31.000000000 +0200
+++ clamav-0.88.7/libclamav/matcher-ac.c 2007-05-31 20:49:21.000000000 +0200
@@ -46,7 +46,7 @@
int cli_ac_addpatt(struct cl_node *root, struct cli_ac_patt *pattern)
{
- struct cli_ac_node *pos, *next;
+ struct cli_ac_node *pos, *next, **newtable;
int i;
if(pattern->length < AC_MIN_LENGTH)
@@ -65,12 +65,15 @@
}
root->ac_nodes++;
- root->ac_nodetable = (struct cli_ac_node **) cli_realloc(root->ac_nodetable, (root->ac_nodes) * sizeof(struct cli_ac_node *));
- if(root->ac_nodetable == NULL) {
- cli_dbgmsg("Unable to realloc nodetable (%d)\n", (root->ac_nodes) * sizeof(struct cl_node *));
+ newtable = (struct cli_ac_node **) cli_realloc(root->ac_nodetable, (root->ac_nodes) * sizeof(struct cli_ac_node *));
+ if(!newtable) {
+ root->ac_nodes--;
+ cli_errmsg("cli_ac_addpatt(): Unable to realloc root->ac_nodetable (%u bytes)\n", (root->ac_nodes) * sizeof(struct cli_matcher *));
+ free(next);
return CL_EMEM;
}
- root->ac_nodetable[root->ac_nodes - 1] = next;
+ newtable[root->ac_nodes - 1] = next;
+ root->ac_nodetable = newtable;
pos->trans[((unsigned char) pattern->pattern[i]) & 0xff] = next;
}
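Review bot: The new `cli_errmsg` call passes a `size_t` product to `%u`, which is a format/argument mismatch wherever `size_t` is wider than `unsigned int`. Because `root->ac_nodes--` runs first, the message also reports the size of the old table rather than the request that failed. The element is sized as `struct cli_matcher *` while the realloc uses `struct cli_ac_node *`; the sizes are equal, but the mismatch misleads a reader. Log before the decrement with an explicit cast, e.g. `cli_errmsg("cli_ac_addpatt(): Unable to realloc root->ac_nodetable (%lu bytes)\n", (unsigned long) (root->ac_nodes * sizeof(struct cli_ac_node *)));` followed by `root->ac_nodes--;`. The allocation of `next` and the rest of the loop lie outside the hunk, so whether `free(next)` releases everything the node owns cannot be confirmed from here.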
clamav-0.88.7-CVE-2007-2650.patch:
--- NEW FILE clamav-0.88.7-CVE-2007-2650.patch ---
--- clamav-0.88.7/libclamav/ole2_extract.c.cve-2007-2650 2006-01-05 16:04:38.000000000 +0100
+++ clamav-0.88.7/libclamav/ole2_extract.c 2007-05-31 20:33:14.000000000 +0200
@@ -1,7 +1,7 @@
/*
* Extract component parts of OLE2 files (e.g. MS Office Documents)
*
- * Copyright (C) 2004 trog at uncon.org
+ * Copyright (C) 2004-2007 trog at uncon.org
*
* This code is based on the OpenOffice and libgsf sources.
*
@@ -583,6 +583,7 @@
unsigned char *buff;
int32_t current_block, ofd, len, offset;
char *name, *newname;
+ bitset_t *blk_bitset;
if (prop->type != 2) {
/* Not a file */
@@ -643,14 +644,33 @@
close(ofd);
return FALSE;
}
-
+
+ blk_bitset = cli_bitset_init();
+ if (!blk_bitset) {
+ cli_errmsg("ERROR [handler_writefile]: init bitset failed\n");
+ close(ofd);
+ return FALSE;
+ }
while((current_block >= 0) && (len > 0)) {
+ /* Check we aren't in a loop */
+ if (cli_bitset_test(blk_bitset, (unsigned long) current_block)) {
+ /* Loop in block list */
+ cli_dbgmsg("OLE2: Block list loop detected\n");
+ close(ofd);
+ free(buff);
+ cli_bitset_free(blk_bitset);
+ return FALSE;
+ }
+ if (!cli_bitset_set(blk_bitset, (unsigned long) current_block)) {
+ return FALSE;
+ }
if (prop->size < (int64_t)hdr->sbat_cutoff) {
/* Small block file */
if (!ole2_get_sbat_data_block(fd, hdr, buff, current_block)) {
cli_dbgmsg("ole2_get_sbat_data_block failed\n");
close(ofd);
free(buff);
+ cli_bitset_free(blk_bitset);
return FALSE;
}
/* buff now contains the block with 8 small blocks in it */
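Review bot: The `if (!cli_bitset_set(...)) return FALSE;` branch returns without `close(ofd)`, `free(buff)` or `cli_bitset_free(blk_bitset)`, unlike every other failure path in this loop, so each failure leaks a file descriptor and two allocations while an untrusted document is being processed. Its body should be `close(ofd); free(buff); cli_bitset_free(blk_bitset); return FALSE;`. The `cli_bitset_init()` failure branch likewise closes `ofd` but does not release `buff`; the buffer appears to be live there, since the loop-detection path just below frees it, so add `free(buff);` (the allocation is outside the hunk, so confirm against the full function). In a long-running scanner process these leaks accumulate across scanned files and can end in descriptor or memory exhaustion.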
@@ -658,6 +678,7 @@
if (cli_writen(ofd, &buff[offset], MIN(len,64)) != MIN(len,64)) {
close(ofd);
free(buff);
+ cli_bitset_free(blk_bitset);
return FALSE;
}
@@ -668,12 +689,14 @@
if (!ole2_read_block(fd, hdr, buff, current_block)) {
close(ofd);
free(buff);
+ cli_bitset_free(blk_bitset);
return FALSE;
}
if (cli_writen(ofd, buff, MIN(len,(1 << hdr->log2_big_block_size))) !=
MIN(len,(1 << hdr->log2_big_block_size))) {
close(ofd);
free(buff);
+ cli_bitset_free(blk_bitset);
return FALSE;
}
@@ -683,6 +706,7 @@
}
close(ofd);
free(buff);
+ cli_bitset_free(blk_bitset);
return TRUE;
}
Index: clamav.spec
===================================================================
RCS file: /cvs/extras/rpms/clamav/FC-6/clamav.spec,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -r1.46 -r1.47
--- clamav.spec 20 Feb 2007 07:48:05 -0000 1.46
+++ clamav.spec 31 May 2007 19:09:41 -0000 1.47
@@ -19,7 +19,7 @@
Summary: End-user tools for the Clam Antivirus scanner
Name: clamav
Version: 0.88.7
-Release: %release_func 2
+Release: %release_func 3
License: GPL
Group: Applications/File
@@ -42,6 +42,8 @@
Patch50: clamav-0.88.7-CVE-2007-0897.patch
Patch51: clamav-0.88.7-CVE-2007-0898.patch
Patch52: clamav-0.88.7-CVE-2007-0899.patch
+Patch53: clamav-0.88.7-CVE-2007-2650.patch
+Patch54: clamav-0.88.7-bz-515.patch
BuildRoot: %_tmppath/%name-%version-%release-root
Requires: clamav-lib = %version-%release
Requires: data(clamav)
@@ -186,6 +188,8 @@
%patch50 -p1 -b .cve-2007-0897
%patch51 -p1 -b .cve-2007-0898
%patch52 -p1 -b .cve-2007-0899
+%patch53 -p1 -b .cve-2007-2650
+%patch54 -p1 -b .bz-515
%patch0 -p1 -b '.guys,please-read-the-compiler-warnings-before-doing-a-release.patch'
%patch1 -p1 -b .strncpy
@@ -455,6 +459,10 @@
%changelog
+* Thu May 31 2007 Enrico Scholz <enrico.scholz at informatik.tu-chemnitz.de> - 0.88.7-3
+- [SECURITY] fixed CVE-2007-2650 (OLE2 list loop) and Clamav bug #515
+ (broken OOM handling)
+
* Tue Feb 20 2007 Enrico Scholz <enrico.scholz at informatik.tu-chemnitz.de> - 0.88.7-2
- [SECURITY]: imported Debian patches to fix CVE-2007-0897 (CAB
file DOS), CVE-2007-0898 (Directory traversal vulnerability) and