From scheidell@secnap.net  Tue Aug  8 10:59:20 2006
Return-Path: <scheidell@secnap.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 28F9916A4DA;
	Tue,  8 Aug 2006 10:59:20 +0000 (UTC)
	(envelope-from scheidell@secnap.net)
Received: from scanner.secnap.net (scanner.secnap.net [204.89.241.63])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D1AF843D45;
	Tue,  8 Aug 2006 10:59:19 +0000 (GMT)
	(envelope-from scheidell@secnap.net)
Received: by scanner.secnap.net (Postfix, from userid 1001)
	id 45AAA137BC0; Tue,  8 Aug 2006 06:59:19 -0400 (EDT)
Message-Id: <20060808105919.45AAA137BC0@scanner.secnap.net>
Date: Tue,  8 Aug 2006 06:59:19 -0400 (EDT)
From: Michael Scheidell <scheidell@secnap.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc: garga@FreeBSD.org
Subject: upgrade to 88.4, possible security issues
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         101649
>Category:       ports
>Synopsis:       upgrade to 88.4, possible security issues
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    garga
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 08 11:00:41 GMT 2006
>Closed-Date:    Tue Aug 08 11:52:37 GMT 2006
>Last-Modified:  Tue Aug 08 11:52:37 GMT 2006
>Originator:     Michael Scheidell
>Release:        FreeBSD 4.11-RELEASE-p16 i386
>Organization:
SECNAP Network Security
>Environment:
System: FreeBSD scanner.secnap.net 4.11-RELEASE-p16 FreeBSD 4.11-RELEASE-p16 #17: Mon Apr 10 13:21:44 EDT 2006 root@scanner.secnap.net:/usr/obj/usr/src/sys/SCANNER i386

>Description:

	ClamAV has released version 88.4 in response to reports of DoS
attacks against the UPX packer.
From their release notes:
    *   CVE: XXXXXXXXXXXXXXX
    * Status: Critical
    * Vulnerable: ClamAV 0.81 - 0.88.3

A heap overflow vulnerability was discovered in libclamav which could
cause a denial of service or allow the execution of arbitrary code.

The problem is specifically located in the PE file rebuild function used
by the UPX unpacker.

Due to improper validation it is possible to overflow the above memcpy()
beyond the allocated memory block.

The problem has been fixed in 0.88.4. 

>How-To-Repeat:

Relevant code from libclamav/upx.c:

  /* foffset is derived from the file being unpacked; nothing here checks
     that it fits within the block allocated for dst (the "improper
     validation" the advisory refers to) */
  memcpy(dst, newbuf, foffset);
  *dsize = foffset;
  free(newbuf);

  cli_dbgmsg("UPX: PE structure rebuilt from compressed file\n");
  return 1;
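The check the 0.88.3 code lacked, written out as an added example (this is not ClamAV's code): a stand-in for the rebuild copy in which the destination's allocated size is passed explicitly and the copy is refused when the rebuilt image would not fit. The function name, the `dst_cap` parameter and the use of `size_t` for the returned length are assumptions; `foffset` is treated as a value derived from the scanned file.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the UPX PE-rebuild copy quoted above.
 * dst     : output buffer supplied by the caller
 * dst_cap : its allocated size (assumed parameter; the original only
 *           receives *dsize, which this example uses purely as output)
 * newbuf  : rebuilt PE image, foffset bytes long, derived from the
 *           scanned file and therefore not trusted
 * Returns 1 and sets *dsize on success, 0 when the copy would overflow. */
int upx_rebuild_copy(char *dst, size_t dst_cap, size_t *dsize,
                     const char *newbuf, int32_t foffset)
{
    if (dst == NULL || dsize == NULL || newbuf == NULL)
        return 0;
    /* foffset is signed in the original snippet: a negative value would
       become a huge size_t inside memcpy, so reject it explicitly. */
    if (foffset < 0)
        return 0;
    /* The missing bound: the rebuilt image must fit in dst. */
    if ((size_t)foffset > dst_cap)
        return 0;
    memcpy(dst, newbuf, (size_t)foffset);
    *dsize = (size_t)foffset;
    return 1;
}

/* Self-check with constructed inputs: an image that fits is copied, an
   oversized or negative length is refused and dst is left untouched. */
int upx_rebuild_selfcheck(void)
{
    char dst[16];
    char image[32];
    size_t n = 0;
    memset(dst, 'x', sizeof dst);
    memset(image, 'P', sizeof image);

    if (upx_rebuild_copy(dst, sizeof dst, &n, image, 12) != 1 || n != 12)
        return 0;
    if (memcmp(dst, image, 12) != 0)
        return 0;
    /* 32-byte image into a 16-byte buffer: must be rejected */
    if (upx_rebuild_copy(dst, sizeof dst, &n, image, 32) != 0 || n != 12)
        return 0;
    if (dst[12] != 'x' || dst[15] != 'x')   /* tail never written */
        return 0;
    if (upx_rebuild_copy(dst, sizeof dst, &n, image, -1) != 0)
        return 0;
    return 1;
}
```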

>Fix:

	apply patches, upgrade:
 diff -bBru Makefile.orig Makefile
--- Makefile.orig       Mon Jul  3 08:42:52 2006
+++ Makefile    Mon Aug  7 19:01:20 2006
@@ -6,7 +6,7 @@
 #

 PORTNAME=      clamav
-PORTVERSION=   0.88.3
+PORTVERSION=   0.88.4
 CATEGORIES=    security
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE_EXTENDED}
 MASTER_SITE_SUBDIR=    clamav
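Review bot: `+PORTVERSION=   0.88.4` is the whole Makefile change and is correct for this update; no PORTREVISION line appears in the hunk context, so there is nothing to reset. The ` diff -bBru Makefile.orig Makefile` command echo above the `---` header is not part of the unified-diff format; `patch` skips it, but it is noise in a submission and should be dropped.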
 diff -bBru distinfo.orig distinfo
--- distinfo.orig       Mon Jul  3 08:42:52 2006
+++ distinfo    Tue Aug  8 06:40:46 2006
@@ -1,3 +1,3 @@
-MD5 (clamav-0.88.3.tar.gz) = 330206089713e73a44afc7a4d6450225
-SHA256 (clamav-0.88.3.tar.gz) = 26104bca0780ed8eb99f5a08259bf09d55a374572ba1af28e661cae64da5fb84
-SIZE (clamav-0.88.3.tar.gz) = 7154152
+MD5 (clamav-0.88.4.tar.gz) = 7759784aa4506b314e6543e0f2a8587b
+SHA256 (clamav-0.88.4.tar.gz) = a581f2f7c93fac9e7a4caf5c1f15f5e7722a4739aaaa3f07dd9076e1097d157f
+SIZE (clamav-0.88.4.tar.gz) = 7632947
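Review bot: the distinfo hunk is the integrity anchor of this update and the part worth checking independently before committing: regenerate it with `make makesum` against a freshly fetched 0.88.4 tarball, or compare the `+SHA256 (clamav-0.88.4.tar.gz) = a581f2...` line against the checksum the ClamAV project publishes, rather than accepting the submitted values as-is, since a substituted tarball whose checksums were copied into distinfo would pass `make checksum`. Of the three lines only the SHA256 provides meaningful integrity; MD5 is kept for format compatibility, and the SIZE change from 7154152 to 7632947 is consistent with a new upstream release.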


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->garga 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Tue Aug 8 11:39:41 UTC 2006 
Responsible-Changed-Why:  
Over to maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=101649 
State-Changed-From-To: open->closed 
State-Changed-By: garga 
State-Changed-When: Tue Aug 8 11:52:36 UTC 2006 
State-Changed-Why:  
Already committed. Thanks for contributing! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=101649 
>Unformatted:
