Bug 47474 - clamav: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
All Linux
Importance: P3 normal
Target Milestone: UCS 4.2-4-errata
Assigned To: Philipp Hahn
QA Contact: Arvid Requate
Reported: 2018-08-07 23:54 CEST by Quality Assurance
Modified: 2018-08-15 16:19 CEST (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Description Quality Assurance univentionstaff 2018-08-07 23:54:08 CEST
New Debian clamav 0.100.0+dfsg-0+deb8u1A~4.2.4.201808071712 fixes:
This update addresses the following issue(s):
* ClamAV (aka Clam AntiVirus) before 0.99.2 allows remote attackers to cause a denial of service (application crash) via a crafted mew packer executable. (CVE-2016-1371)
* ClamAV (aka Clam AntiVirus) before 0.99.2 allows remote attackers to cause a denial of service (application crash) via a crafted 7z file. (CVE-2016-1372)
* libclamav/message.c in ClamAV 0.99.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted e-mail message. (CVE-2017-6418)
* mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted CHM file. (CVE-2017-6419)
* The wwunpack function in libclamav/wwunpack.c in ClamAV 0.99.2 allows remote attackers to cause a denial of service (use-after-free) via a crafted PE file with WWPack compression. (CVE-2017-6420)
* The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2 and other products, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted CAB file. (CVE-2017-11423)
* The ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a lack of input validation checking mechanisms during certain mail parsing operations (mbox.c operations on bounce messages). If successfully exploited, the ClamAV software could allow a variable pointing to the mail body which could cause a used after being free (use-after-free) instance which may lead to a disruption of services on an affected device to include a denial of service condition. (CVE-2017-12374)
* The ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a lack of input validation checking mechanisms during certain mail parsing functions (the rfc2047 function in mbox.c). An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted email to the affected device. This action could cause a buffer overflow condition when ClamAV scans the malicious email, allowing the attacker to potentially cause a DoS condition on an affected device. (CVE-2017-12375)
* ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or potentially execute arbitrary code on an affected device. The vulnerability is due to improper input validation checking mechanisms when handling Portable Document Format (.pdf) files sent to an affected device. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted .pdf file to an affected device. This action could cause a handle_pdfname (in pdf.c) buffer overflow when ClamAV scans the malicious file, allowing the attacker to cause a DoS condition or potentially execute arbitrary code. (CVE-2017-12376)
* ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or potentially execute arbitrary code on an affected device. The vulnerability is due to improper input validation checking mechanisms in mew packet files sent to an affected device. A successful exploit could cause a heap-based buffer over-read condition in mew.c when ClamAV scans the malicious file, allowing the attacker to cause a DoS condition or potentially execute arbitrary code on the affected device. (CVE-2017-12377)
* ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper input validation checking mechanisms of .tar (Tape Archive) files sent to an affected device. A successful exploit could cause a checksum buffer over-read condition when ClamAV scans the malicious .tar file, potentially allowing the attacker to cause a DoS condition on the affected device. (CVE-2017-12378)
* ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or potentially execute arbitrary code on an affected device. The vulnerability is due to improper input validation checking mechanisms in the message parsing function on an affected system. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted email to the affected device. This action could cause a messageAddArgument (in message.c) buffer overflow condition when ClamAV scans the malicious email, allowing the attacker to potentially cause a DoS condition or execute arbitrary code on an affected device. (CVE-2017-12379)
* ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper input validation checking mechanisms in mbox.c during certain mail parsing functions of the ClamAV software. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted email to the affected device. An exploit could trigger a NULL pointer dereference condition when ClamAV scans the malicious email, which may result in a DoS condition. (CVE-2017-12380)
* clamscan in ClamAV before 0.99.4 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper input validation checking mechanisms when handling Portable Document Format (.pdf) files sent to an affected device. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted .pdf file to an affected device. This action could cause an out-of-bounds read when ClamAV scans the malicious file, allowing the attacker to cause a DoS condition. This concerns pdf_parse_array and pdf_parse_string in libclamav/pdfng.c. Cisco Bug IDs: CSCvh91380, CSCvh91400. (CVE-2018-0202)
CVE-2018-0360 is open
CVE-2018-0361 is open
* ClamAV version 0.99.3 contains an out-of-bounds heap memory read vulnerability in the XAR parser, function xar_hash_check(), that can result in leaking of memory, which may help in developing exploit chains. This attack appears to be exploitable if the victim scans a crafted XAR file. This vulnerability appears to have been fixed in/after commit d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6. (CVE-2018-1000085)

0.100.0+dfsg-0+deb8u1 (Wed, 25 Apr 2018 21:58:31 +0200)
  [ Sebastian Andrzej Siewior ]
  * New upstream release.
    - remove various documentation files including Changelog from the file
      list because they are no longer included in upstream archive.
    - update symbol file
  * Don't replace config file with sample config after debconf gets disabled
    (in milter and daemon.
  * Add bytecode.c(l|v)d to log clamav-freshclam.logcheck.ignore.server. Patch
     by Václav Ovsík <vaclav.ovsik@gmail.com>.
  * Disable the freshclam service if changed to `manual' mode so it does not
    start again after system reboot with systemd.
  * Drop "demime = *" from Debian.README for clamav, this option is deprecated
    and will be removed from exim.
  * Point Vcs-* tags to salsa.
  [ Scott Kitterman ]
  * Update README.Debian to describe how to disable apparmor for clamav-daemon
    and clamav-freshclam

0.99.4+dfsg-1+deb8u1 (Sat, 03 Mar 2018 13:54:29 +0100)
  * Update to upstream 0.99.4:
    Fixes for CVE: CVE-2018-1000085, CVE-2018-0202.
  * Update the gpg signing key (the old DSA expired).
  * Update version of private symbols due to version change.
  * Bump symbol version of cl_retflevel because CL_FLEVEL changed.

0.99.2+dfsg-0+deb8u3 (Sat, 27 Jan 2018 01:29:24 +0100)
  * Apply security patches from 0.99.3:
    - fixes for the following CVE's: CVE-2017-6418, CVE-2017-6420,
      CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377,
      CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
  * Cherry-pick patch from bb11549 to fix a temp file cleanup issue.

0.99.2+dfsg-0+deb8u2 (Mon, 06 Jun 2016 22:06:52 +0200)
  * Don't fail if AllowSupplementaryGroups is still set in the config file but
    ignore it and continue.

0.99.2+dfsg-0+deb8u1 (Thu, 19 May 2016 18:37:56 +0200)
  * Import new Upstream.
  * Drop AllowSupplementaryGroups option which is default now
  * Let the LSB init script have more consistent output. Patch by Guillem
    Jover.
  * Ensure the users of PRIVATE symbols (clamd + freshclam) do not fall
    behind a upstream version.
  * also remove bytecode.cld on purge

* CVE-2017-6419 libmspack, clamav: heap-based buffer overflow in mspack/lzxd.c (CVE-2017-6419)
* CVE-2017-11423 libmspack, clamav: Stack-based buffer over-read in cabd_read_string function (CVE-2017-11423)
Comment 1 Philipp Hahn univentionstaff 2018-08-13 11:12:59 CEST
Debian Old-Stable (Jessie) still only has 0.100.0; I took clamav-0.100.1 + debian-0.100.0 + debian-0.100.1.diff to create a custom version for UCS.

/home/phahn/REPOS/repo-ng/tools/repo_admin.py -F -p clamav -r 4.2-0-0 -s errata4.2-4 --comment 'clamav-0.100.1 + deb8-0.100.0 + deb9-0.100.1.diff'

r18254 | Bug #47474: clamav-0.100.1
 Update patches to apply to new upstream version
r18255 | Bug #47474: clamav-0.100.1
 Drop 025-CVE-2017-xxx.patch as they were cherry-picked from 0.99.3, which are included in 0.100.1

Package: clamav
Version: 0.100.1+dfsg-0+deb8u0A~4.2.0.201808131059
Branch: ucs_4.2-0
Scope: errata4.2-4

[4.2-4] 957ceef5ca Bug #47474: clamav 0.100.1+dfsg-0+deb8u0A~4.2.0.201808131059
 doc/errata/staging/clamav.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
Comment 2 Philipp Hahn univentionstaff 2018-08-13 11:17:08 CEST
The version for errata4.2-4 is newer than the version in ucs4.3-0, but older than for errata4.3-1:
<http://xen1.knut.univention.de:8000/packages/source/clamav/?since=4.2>
Anybody updating from 4.2-4 to 4.3 should continue to 4.3-1 and will stay with the fixed version from errata4.2-4 until errata4.3-1 is passed.
Comment 3 Quality Assurance univentionstaff 2018-08-13 11:24:29 CEST
--- mirror/ftp/4.2/unmaintained/4.2-4/source/clamav_0.99.2+dfsg-0.A~4.2.3.201801281200.dsc
+++ apt/ucs_4.2-0-errata4.2-4/source/clamav_0.100.1+dfsg-0+deb8u0A~4.2.0.201808131059.dsc
@@ -1,10 +1,57 @@
-0.99.2+dfsg-0.A~4.2.3.201801281200 [Sun, 28 Jan 2018 12:04:08 +0100] Univention builddaemon <buildd@univention.de>:
+0.100.1+dfsg-0+deb8u0A~4.2.0.201808131059 [Mon, 13 Aug 2018 10:59:23 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     010-utilize_ucr_autostart_settings
     020-dont_fail_in_postinst_if_start_fails
-    025-CVE-2017-xxx
     030-silence-version-msg
+
+0.100.1+dfsg-0+deb8u0 [Mon, 13 Aug 2018 10:02:25 +0200] Philipp Hahn <hahn@univention.de>:
+
+  [ Scott Kitterman ]
+  * Only create clamav user during clamav-base install if it does not exist
+    (LP: #121872)
+    - Thanks to Shane Williams for the patch
+
+  [ Sebastian Andrzej Siewior ]
+  * Bump symbol version due to new version.
+  * Add read permission for freshclam on /var/log in the apparmor profile.
+    Thanks to Robie Basak (Closes: #902601).
+
+  [ Philipp Hahn ]
+  * NMU.
+  * New upstrem relase (0.100.1)
+    - CVE-2018-0360 (HWP integer overflow, infinite loop vulnerabi)
+    - CVE-2018-0361 (ClamAV PDF object length check, unreasonably long time to
+      parse relatively small file)
+
+0.100.0+dfsg-0+deb8u1 [Wed, 25 Apr 2018 21:58:31 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  [ Sebastian Andrzej Siewior ]
+  * New upstream release.
+    - remove various documentation files including Changelog from the file
+      list because they are no longer included in upstream archive.
+    - update symbol file
+  * Don't replace config file with sample config after debconf gets disabled
+    (in milter and daemon (Closes: #870253).
+  * Add bytecode.c(l|v)d to log clamav-freshclam.logcheck.ignore.server. Patch
+     by Václav Ovsík <vaclav.ovsik@gmail.com> (Closes: #868766).
+  * Disable the freshclam service if changed to `manual' mode so it does not
+    start again after system reboot with systemd (Closes: #881780).
+  * Drop "demime = *" from Debian.README for clamav, this option is deprecated
+    and will be removed from exim (Closes: #881634).
+  * Point Vcs-* tags to salsa.
+
+  [ Scott Kitterman ]
+  * Update README.Debian to describe how to disable apparmor for clamav-daemon
+    and clamav-freshclam (Closes: #884707)
+
+0.99.4+dfsg-1+deb8u1 [Sat, 03 Mar 2018 13:54:29 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * Update to upstream 0.99.4:
+    Fixes for CVE: CVE-2018-1000085, CVE-2018-0202.
+  * Update the gpg signing key (the old DSA expired).
+  * Update version of private symbols due to version change.
+  * Bump symbol version of cl_retflevel because CL_FLEVEL changed.
 
 0.99.2+dfsg-0+deb8u3 [Sat, 27 Jan 2018 01:29:24 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
 
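Review bot: the NMU changelog entry for 0.100.1+dfsg-0+deb8u0 ships typos into the published package changelog: "New upstrem relase (0.100.1)" should read "New upstream release (0.100.1)", and the CVE-2018-0360 line is cut off at "vulnerabi" (presumably "vulnerability"). The 0.100.0+dfsg-0+deb8u1 entry also has an unbalanced parenthesis in "(in milter and daemon (Closes: #870253)." and should close the first parenthesis after "daemon".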

<http://10.200.17.11/4.2-4/#5793810030417095322>
Comment 4 Philipp Hahn univentionstaff 2018-08-13 11:27:45 CEST
@Arvid: As I have manually created the package, please have a short look, too.
Comment 5 Arvid Requate univentionstaff 2018-08-13 20:34:09 CEST
Verified:

* dropped SVN patches 025-CVE-2017-xxx.patch are included (0.99.2+dfsg-0+deb8u3)
* Package diffs (debian and upstream): Ok
* ucs-test/40_mail/02virus00basic still worked
* freshclam works:
--------------------------------------
ERROR: Can't save PID to file /var/run/clamav/freshclam.pid: Permission denied
freshclam daemon 0.100.1 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
ClamAV update process started at Mon Aug 13 20:19:04 2018
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily-24839.cdiff [100%]
daily.cld updated (version: 24839, sigs: 2047282, f-level: 63, builder: neo)
bytecode.cvd is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
Database updated (6613622 signatures) from db.local.clamav.net (IP: 104.16.186.138)
Clamd successfully notified about the update.
--------------------------------------
* Advisory: Ok (Minor wording fix: 6fd42bfe8e)
Comment 6 Arvid Requate univentionstaff 2018-08-15 16:19:30 CEST
<http://errata.software-univention.de/ucs/4.2/442.html>