ClamAV® blog: ClamAV 0.102.2 security patch released
https://blog.clamav.net/2020/02/clamav-01022-security-patch-released.html

Today, we're publishing 0.102.2. Navigate to ClamAV's downloads<http://www.clamav.net/downloads> page to download the release materials.
0.102.2
ClamAV 0.102.2 is a security patch release to address the following issues.

* CVE-2020-3123<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3123>: A denial-of-service (DoS) condition may occur when using the optional credit card data-loss-prevention (DLP) feature. Improper bounds checking of an unsigned variable resulted in an out-of-bounds read, which causes a crash.
* Significantly improved the scan speed of PDF files on Windows.
* Re-applied a fix to alleviate file access issues when scanning RAR files in downstream projects that use libclamav where the scanning engine is operating in a low-privilege process. This bug was originally fixed in 0.101.2 and the fix was mistakenly omitted from 0.102.0.
* Fixed an issue where freshclam failed to update if the database version downloaded is one version older than advertised. This situation may occur after a new database version is published. The issue affected users downloading the whole CVD database file.
* Changed the default freshclam ReceiveTimeout setting to 0 (infinite). The ReceiveTimeout had caused needless database update failures for users with slower internet connections.
* Correctly display the number of kilobytes (KiB) in progress bar and reduced the size of the progress bar to accommodate 80-character width terminals.
* Fixed an issue where running freshclam manually causes a daemonized freshclam process to fail when it updates because the manual instance deletes the temporary download directory. The freshclam temporary files will now download to a unique directory created at the time of an update instead of using a hardcoded directory created/destroyed at the program start/exit.
* Fix for freshclam's OnOutdatedExecute config option.
* Fixes a memory leak in the error condition handling for the email parser.
* Improved bound checking and error handling in ARJ archive parser.
* Improved error handling in PDF parser.
* Fix for memory leak in byte-compare signature handler.
* Updates to the unit test suite to support libcheck 0.13.
* Updates to support autoconf 2.69 and automake 1.15.

Special thanks to the following people for code contributions and bug reports:


* Antoine Deschênes
* Eric Lindblad
* Gianluigi Tiesi
* Tuomo Soini

Please join us on the ClamAV mailing lists<https://www.clamav.net/contact#ml> for further discussion. Thanks!
_______________________________________________

clamav-devel mailing list
clamav-devel@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel

Please submit your patches to our Github: https://github.com/Cisco-Talos/clamav-devel/pulls

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [Clamav-announce] ClamAV® blog: ClamAV 0.102.2 security patch released
On 2/5/20 10:29 AM, Joel Esler (jesler) wrote:
>
>> https://blog.clamav.net/2020/02/clamav-01022-security-patch-released.html
>
> Today, we're publishing 0.102.2. Navigate to ClamAV's downloads
> <http://www.clamav.net/downloads> page to download the release materials.
>
>
> 0.102.2
>
> ClamAV 0.102.2 is a security patch release to address the following issues.
>
> * CVE-2020-3123
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3123>: A
> denial-of-service (DoS) condition may occur when using the optional credit
> card data-loss-prevention (DLP) feature. Improper bounds checking of an
> unsigned variable resulted in an out-of-bounds read, which causes a crash.

What's the status of the 0.101.X branch now? Is it dead or will it receive a
fix for this? The changes in 0.102 are somewhat problematic to release to old
stable OSes like RHEL7 so an active 0.101.X branch that receives security
updates and important bug fixes would be greatly appreciated.

Otherwise, it looks like this:

commit 7f9fc68e1cf8878320a1b0ce828b80b860436695
Author: Micah Snyder (micasnyd) <micasnyd@cisco.com>
Date: Wed Jan 22 17:57:07 2020 -0800

bb12449: Fix for out-of-bounds read in DLP feature

An integer overflow causes an out-of-bounds read that results in
a crash. The crash may occur when using the optional
Data-Loss-Prevention (DLP) feature to block content that contains credit
card numbers. This commit fixes the issue by using a signed index variable.

diff --git a/libclamav/dlp.c b/libclamav/dlp.c
index 0457e9912..4526461fc 100644
--- a/libclamav/dlp.c
+++ b/libclamav/dlp.c
@@ -176,6 +176,7 @@ int dlp_is_valid_cc(const unsigned char *buffer, size_t
length)
int mult = 0;
int sum = 0;
size_t i = 0;
+ ssize_t j = 0;
int val = 0;
int digits = 0;
char cc_digits[20];
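Review bot: `ssize_t` is a POSIX type rather than ISO C, and the release notes at the top of this thread also cover Windows builds, so confirm the MSVC build has a definition of it in scope at this point in dlp.c (otherwise `ptrdiff_t` from `<stddef.h>` is a portable signed index type that serves the same purpose); the `= 0` initializer on `j` is also redundant, since the second hunk assigns `j` before its first use.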
@@ -232,9 +233,11 @@ int dlp_is_valid_cc(const unsigned char *buffer, size_t
length)
if (digits < 13 || (i < length && isdigit(buffer[i])))
return 0;

+ j = (ssize_t)i;
+
//figure out luhn digits
- for (i = digits - 1; i >= 0; i--) {
- val = cc_digits[i] - '0';
+ for (j = digits - 1; j >= 0; j--) {
+ val = cc_digits[j] - '0';
if (mult) {
if ((val *= 2) > 9) val -= 9;
}
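Review bot: the added `j = (ssize_t)i;` is dead code, because the `for` header two lines later overwrites `j` with `digits - 1` before it is read; either drop the assignment or add a comment stating why the value of `i` is carried over. The defect itself is that `i >= 0` can never be false for a `size_t`, so the old loop decremented past 0, wrapped to `SIZE_MAX`, and indexed `cc_digits` far outside its 20 bytes; gcc's `-Wtype-limits` (part of `-Wextra`) reports "comparison of unsigned expression >= 0 is always true" for exactly this line, so enabling it in CI would catch a regression of the same shape.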

is the fix for the CVE. Can that be confirmed?

--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 https://www.nwra.com/
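The following is an added illustration of the defect the commit message describes, written for this archive and not taken from libclamav or from anyone in this thread. It re-creates only the Luhn loop shape visible in the hunk: `collect_cc_digits`, `luhn_valid`, `probe_unsigned_index_loop` and the `loop_probe` struct are hypothetical names, the sample card numbers are constructed test values, and none of the other validation that `dlp_is_valid_cc()` performs is reproduced. `luhn_valid` walks the digits with a signed index as the fix does, while `probe_unsigned_index_loop` runs the pre-fix `size_t i; i >= 0` loop with a guard so it reports the index that would have gone out of bounds instead of reading memory.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same array size as the cc_digits[20] visible in the hunk above. */
#define CC_DIGITS_MAX 20

/* Hypothetical helper: pulls decimal digits out of buffer (skipping spaces
 * and dashes) into cc_digits, stopping at the first other character.
 * Returns the digit count, or -1 if more than CC_DIGITS_MAX digits appear. */
static int collect_cc_digits(const unsigned char *buffer, size_t length,
                             char *cc_digits)
{
    size_t i;
    int digits = 0;

    for (i = 0; i < length; i++) {
        if (isdigit(buffer[i])) {
            if (digits >= CC_DIGITS_MAX)
                return -1;
            cc_digits[digits++] = (char)buffer[i];
        } else if (buffer[i] != ' ' && buffer[i] != '-') {
            break;
        }
    }
    return digits;
}

/* Luhn check over the digits found in buffer, walking right to left with a
 * SIGNED index (ptrdiff_t) so that `j >= 0` can become false and end the
 * loop. Returns 1 when the checksum passes, 0 otherwise. */
int luhn_valid(const unsigned char *buffer, size_t length)
{
    char cc_digits[CC_DIGITS_MAX];
    int digits = collect_cc_digits(buffer, length, cc_digits);
    int mult = 0, sum = 0;
    ptrdiff_t j;

    if (digits < 13)          /* also rejects the -1 overflow signal */
        return 0;

    for (j = digits - 1; j >= 0; j--) {
        int val = cc_digits[j] - '0';
        if (mult) {
            if ((val *= 2) > 9)
                val -= 9;
        }
        sum += val;
        mult = !mult;
    }
    return (sum % 10) == 0;
}

/* Instrumented copy of the pre-fix loop shape, `size_t i; ... i >= 0; i--`.
 * For an unsigned type the condition is never false, so after the iteration
 * with i == 0 the decrement wraps to SIZE_MAX and the next cc_digits[i] read
 * would be far outside the array. The guard below (absent from the original
 * loop) stops at that point and reports it instead of touching memory. */
struct loop_probe {
    int iterations;         /* loop bodies that ran with an in-bounds index */
    size_t first_bad_index; /* first index that would have been out of bounds */
};

struct loop_probe probe_unsigned_index_loop(int digits)
{
    struct loop_probe p = { 0, 0 };
    size_t i;

    for (i = (size_t)(digits - 1); i >= 0; i--) { /* always true: the bug */
        if (i >= (size_t)digits) {
            p.first_bad_index = i;
            return p;
        }
        p.iterations++;
    }
    return p; /* not reached */
}

int main(void)
{
    /* Constructed sample inputs: a well-known Luhn-valid test number and a
     * one-digit variation of it that fails the checksum. */
    const unsigned char good[] = "4111 1111 1111 1111";
    const unsigned char bad[]  = "4111-1111-1111-1112";
    struct loop_probe p = probe_unsigned_index_loop(16);

    printf("good: %d, bad: %d\n",
           luhn_valid(good, sizeof good - 1), luhn_valid(bad, sizeof bad - 1));
    printf("unsigned loop ran %d bodies, then wanted index %zu\n",
           p.iterations, p.first_bad_index);
    return 0;
}
```

For a 16-digit number the probe reports 16 in-bounds iterations followed by an attempted index of SIZE_MAX, which is the read the signed index in the commit avoids; building with gcc's `-Wextra` flags the `i >= 0` comparison in the probe at compile time.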
Re: [Clamav-announce] ClamAV® blog: ClamAV 0.102.2 security patch released
On 2/6/20 3:23 PM, Orion Poplawski wrote:
> On 2/5/20 10:29 AM, Joel Esler (jesler) wrote:
>>
>>> https://blog.clamav.net/2020/02/clamav-01022-security-patch-released.html
>>
>> Today, we're publishing 0.102.2. Navigate to ClamAV's downloads
>> <http://www.clamav.net/downloads> page to download the release materials.
>>
>>
>> 0.102.2
>>
>> ClamAV 0.102.2 is a security patch release to address the following issues.
>>
>> * CVE-2020-3123
>> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3123>: A
>> denial-of-service (DoS) condition may occur when using the optional credit
>> card data-loss-prevention (DLP) feature. Improper bounds checking of an
>> unsigned variable resulted in an out-of-bounds read, which causes a crash.
>
> What's the status of the 0.101.X branch now? Is it dead or will it receive a
> fix for this? The changes in 0.102 are somewhat problematic to release to old
> stable OSes like RHEL7 so an active 0.101.X branch that receives security
> updates and important bug fixes would be greatly appreciated.
>
> Otherwise, it looks like this:
>
> commit 7f9fc68e1cf8878320a1b0ce828b80b860436695
> Author: Micah Snyder (micasnyd) <micasnyd@cisco.com>
> Date: Wed Jan 22 17:57:07 2020 -0800
>
> bb12449: Fix for out-of-bounds read in DLP feature
>
> An integer overflow causes an out-of-bounds read that results in
> a crash. The crash may occur when using the optional
> Data-Loss-Prevention (DLP) feature to block content that contains credit
> card numbers. This commit fixes the issue by using a signed index variable.
>
> diff --git a/libclamav/dlp.c b/libclamav/dlp.c
> index 0457e9912..4526461fc 100644
> --- a/libclamav/dlp.c
> +++ b/libclamav/dlp.c
> @@ -176,6 +176,7 @@ int dlp_is_valid_cc(const unsigned char *buffer, size_t
> length)
> int mult = 0;
> int sum = 0;
> size_t i = 0;
> + ssize_t j = 0;
> int val = 0;
> int digits = 0;
> char cc_digits[20];
> @@ -232,9 +233,11 @@ int dlp_is_valid_cc(const unsigned char *buffer, size_t
> length)
> if (digits < 13 || (i < length && isdigit(buffer[i])))
> return 0;
>
> + j = (ssize_t)i;
> +
> //figure out luhn digits
> - for (i = digits - 1; i >= 0; i--) {
> - val = cc_digits[i] - '0';
> + for (j = digits - 1; j >= 0; j--) {
> + val = cc_digits[j] - '0';
> if (mult) {
> if ((val *= 2) > 9) val -= 9;
> }
>
> is the fix for the CVE. Can that be confirmed?
>

After poking around a bit more, it appears that this problem was introduced in
0.102.0 so 0.101.5 is okay because it still uses "int" for i. However, it
would still be nice to get confirmation on the status of the 0.101.X branch.
Thanks!

--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 https://www.nwra.com/
Re: [Clamav-announce] ClamAV® blog: ClamAV 0.102.2 security patch released
On Thu, 6 Feb 2020 15:34:16 -0700
Orion Poplawski <orion@nwra.com> wrote:

> > What's the status of the 0.101.X branch now? Is it dead or will it
> > receive a fix for this? The changes in 0.102 are somewhat
> > problematic to release to old stable OSes like RHEL7 so an active
> > 0.101.X branch that receives security updates and important bug
> > fixes would be greatly appreciated.

Check https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3123

It clearly states that only versions 0.102.1 and 0.102.0 are affected.

--
Tuomo Soini <tis@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>