diff -Nru clamav-0.99.2+dfsg/debian/changelog clamav-0.99.2+dfsg/debian/changelog --- clamav-0.99.2+dfsg/debian/changelog 2017-02-04 20:54:51.000000000 +0000 +++ clamav-0.99.2+dfsg/debian/changelog 2017-08-15 20:04:46.000000000 +0000 @@ -1,3 +1,35 @@ +clamav (0.99.2+dfsg-6ubuntu2) artful; urgency=medium + + * SECURITY UPDATE: DoS via crafted e-mail message + - debian/patches/CVE-2017-6418.patch: fix invalid read in + libclamav/message.c. + - CVE-2017-6418 + * SECURITY UPDATE: DoS via WWPack compression + - debian/patches/CVE-2017-6420.patch: add bounds checks to + libclamav/wwunpack.c. + - debian/patches/CVE-2017-6420-2.patch: fix unit tests in + libclamav/wwunpack.c, unit_tests/check_jsnorm.c. + - CVE-2017-6420 + * debian/patches/fix_newer_zlib.patch: fix compatibility with zlib + 1.2.9 and newer (LP: #1692073). + + -- Marc Deslauriers Tue, 15 Aug 2017 16:04:46 -0400 + +clamav (0.99.2+dfsg-6ubuntu1) artful; urgency=medium + + * Fix build by forcing llvm 3.9 + (testsuite seems to be failing) + * debian/patches/zlib-check.patch: + - cherry-pick upstream fix for wrong zlib version check + + -- Gianfranco Costamagna Tue, 02 May 2017 11:18:30 +0200 + +clamav (0.99.2+dfsg-6build1) artful; urgency=medium + + * Rebuild against new llvm versioned symbols. + + -- Gianfranco Costamagna Mon, 01 May 2017 22:33:23 +0200 + clamav (0.99.2+dfsg-6) unstable; urgency=medium * Fix detection of curl. Patch by Reiner Herrmann diff -Nru clamav-0.99.2+dfsg/debian/control clamav-0.99.2+dfsg/debian/control --- clamav-0.99.2+dfsg/debian/control 2017-01-30 20:27:31.000000000 +0000 +++ clamav-0.99.2+dfsg/debian/control 2017-08-15 20:04:46.000000000 +0000 @@ -1,7 +1,8 @@ Source: clamav Section: utils Priority: optional -Maintainer: ClamAV Team +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: ClamAV Team Uploaders: Michael Meskes , Michael Tautschnig , Scott Kitterman , 
@@ -26,7 +27,7 @@ libsystemd-dev [linux-any], libtfm-dev, libxml2-dev, - llvm-dev [i386 amd64 kfreebsd-amd64 kfreebsd-i386], + llvm-3.9-dev [i386 amd64 kfreebsd-amd64 kfreebsd-i386], perl:native, pkg-config, po-debconf, diff -Nru clamav-0.99.2+dfsg/debian/patches/CVE-2017-6418.patch clamav-0.99.2+dfsg/debian/patches/CVE-2017-6418.patch --- clamav-0.99.2+dfsg/debian/patches/CVE-2017-6418.patch 1970-01-01 00:00:00.000000000 +0000 +++ clamav-0.99.2+dfsg/debian/patches/CVE-2017-6418.patch 2017-08-08 16:54:57.000000000 +0000 
@@ -0,0 +1,37 @@
+From 586a5180287262070637c8943f2f7efd652e4a2c Mon Sep 17 00:00:00 2001
+From: Steven Morgan
+Date: Thu, 2 Mar 2017 14:41:20 -0500
+Subject: [PATCH] bb11797 - fix invalid read in fuzzed mail file.
+
+---
+ libclamav/message.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+Index: clamav-0.99.2+dfsg/libclamav/message.c
+===================================================================
+--- clamav-0.99.2+dfsg.orig/libclamav/message.c 2017-08-08 12:54:55.404004746 -0400
++++ clamav-0.99.2+dfsg/libclamav/message.c 2017-08-08 12:54:55.400004746 -0400
+@@ -439,8 +439,12 @@ messageAddArgument(message *m, const cha
+ * FIXME: Bounce message handling is corrupting the in
+ * core copies of headers
+ */
+- cli_dbgmsg("Possible data corruption fixed\n");
+- p[8] = '=';
++ if (strlen(p) > 8) {
++ cli_dbgmsg("Possible data corruption fixed\n");
++ p[8] = '=';
++ } else {
++ cli_dbgmsg("Possible data corruption not fixed\n");
++ }
+ } else {
+ if(*p)
+ cli_dbgmsg("messageAddArgument, '%s' contains no '='\n", p);
+@@ -676,7 +680,7 @@ messageFindArgument(const message *m, co
+ cli_dbgmsg("messageFindArgument: no '=' sign found in MIME header '%s' (%s)\n", variable, messageGetArgument(m, i));
+ return NULL;
+ }
+- if((*++ptr == '"') && (strchr(&ptr[1], '"') != NULL)) {
++ if((strlen(ptr) > 2) && (*++ptr == '"') && (strchr(&ptr[1], '"') != NULL)) {
+ /* Remove any quote characters */
+ char *ret = cli_strdup(++ptr);
+ char *p;
diff -Nru clamav-0.99.2+dfsg/debian/patches/CVE-2017-6420-2.patch clamav-0.99.2+dfsg/debian/patches/CVE-2017-6420-2.patch
--- clamav-0.99.2+dfsg/debian/patches/CVE-2017-6420-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ clamav-0.99.2+dfsg/debian/patches/CVE-2017-6420-2.patch 2017-08-08 19:20:14.000000000 +0000
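Review bot: In the messageFindArgument hunk, putting `strlen(ptr) > 2` in front of `*++ptr` means the pre-increment is skipped whenever the length test fails, so `ptr` stays on the `=` (assuming it still points at the `=` located just above) instead of one past it. The rest of the function is outside the hunk; if the code after this `if` treats `ptr` as the start of the value, short values would now come back with the leading `=`. Incrementing unconditionally keeps the guard without that side effect: `ptr++;` followed by `if((strlen(ptr) > 1) && (*ptr == '"') && (strchr(&ptr[1], '"') != NULL)) {`. In the messageAddArgument hunk the `strlen(p) > 8` test is the right bound, since `p[8]` must not be the terminator being overwritten.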
@@ -0,0 +1,44 @@
+From 60671e3deb1df6c626e5c7e13752c2eec1649f98 Mon Sep 17 00:00:00 2001
+From: Steven Morgan
+Date: Wed, 8 Mar 2017 08:58:28 -0500
+Subject: [PATCH] bb11798 - fix unit tests.
+
+---
+ libclamav/wwunpack.c | 9 +++------
+ unit_tests/check_jsnorm.c | 2 +-
+ 2 files changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/libclamav/wwunpack.c b/libclamav/wwunpack.c
+index 38c18081c..a13550e8f 100644
+--- a/libclamav/wwunpack.c
++++ b/libclamav/wwunpack.c
+@@ -226,13 +226,10 @@ int wwunpack(uint8_t *exe, uint32_t exesz, uint8_t *wwsect, struct cli_exe_secti
+ return CL_EFORMAT;
+ exe[pe+6]=(uint8_t)scount;
+ exe[pe+7]=(uint8_t)(scount>>8);
+- if (!CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295, 4) ||
+- !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva, 4) ||
+- !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva+0x299, 4)) {
++ if (!CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295, 4))
+ cli_dbgmsg("WWPack: unpack memory address out of bounds.\n");
+- return CL_EFORMAT;
+- }
+- cli_writeint32(&exe[pe+0x28], cli_readint32(wwsect+0x295)+sects[scount].rva+0x299);
++ else
++ cli_writeint32(&exe[pe+0x28], cli_readint32(wwsect+0x295)+sects[scount].rva+0x299);
+ cli_writeint32(&exe[pe+0x50], cli_readint32(&exe[pe+0x50])-sects[scount].vsz);
+
+ structs = &exe[(0xffff&cli_readint32(&exe[pe+0x14]))+pe+0x18];
+diff --git a/unit_tests/check_jsnorm.c b/unit_tests/check_jsnorm.c
+index 7515a0c18..9587ea469 100644
+--- a/unit_tests/check_jsnorm.c
++++ b/unit_tests/check_jsnorm.c
+@@ -145,7 +145,7 @@ END_TEST
+
+ START_TEST (test_token_dval)
+ {
+- int val = 0.12345;
++ double val = 0.12345;
+ yystype tok;
+ memset(&tok, 0, sizeof(tok));
+
diff -Nru clamav-0.99.2+dfsg/debian/patches/CVE-2017-6420.patch clamav-0.99.2+dfsg/debian/patches/CVE-2017-6420.patch
--- clamav-0.99.2+dfsg/debian/patches/CVE-2017-6420.patch 1970-01-01 00:00:00.000000000 +0000
+++ clamav-0.99.2+dfsg/debian/patches/CVE-2017-6420.patch 
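Review bot: In the wwunpack.c hunk the failing branch of the remaining `CLI_ISCONTAINED` check now only logs "out of bounds" and falls through, where the lines it replaces returned `CL_EFORMAT`. The write to `exe[pe+0x50]` and the code after it (outside the hunk) therefore still run on a section that was just reported as too small, with the entry point at `pe+0x28` left unrewritten. If continuing is intended, the branch needs a comment saying why the rest of the unpack is safe without that read; otherwise keep the single `wwsect+0x295` check but retain `return CL_EFORMAT;` on failure, unless the unit tests named in the subject depend on the fall-through. Bracing the `if`/`else` would also stop a later edit from silently moving a statement out of the guarded branch.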
2017-08-08 16:55:09.000000000 +0000
@@ -0,0 +1,27 @@
+From dfc00cd3301a42b571454b51a6102eecf58407bc Mon Sep 17 00:00:00 2001
+From: Steven Morgan
+Date: Fri, 3 Mar 2017 13:56:28 -0500
+Subject: [PATCH] bb19798 - fix out of bound memory access for crafted wwunpack
+ file.
+
+---
+ libclamav/wwunpack.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libclamav/wwunpack.c b/libclamav/wwunpack.c
+index 8611cb604..38c18081c 100644
+--- a/libclamav/wwunpack.c
++++ b/libclamav/wwunpack.c
+@@ -226,6 +226,12 @@ int wwunpack(uint8_t *exe, uint32_t exesz, uint8_t *wwsect, struct cli_exe_secti
+ return CL_EFORMAT;
+ exe[pe+6]=(uint8_t)scount;
+ exe[pe+7]=(uint8_t)(scount>>8);
++ if (!CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295, 4) ||
++ !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva, 4) ||
++ !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva+0x299, 4)) {
++ cli_dbgmsg("WWPack: unpack memory address out of bounds.\n");
++ return CL_EFORMAT;
++ }
+ cli_writeint32(&exe[pe+0x28], cli_readint32(wwsect+0x295)+sects[scount].rva+0x299);
+ cli_writeint32(&exe[pe+0x50], cli_readint32(&exe[pe+0x50])-sects[scount].vsz);
+
diff -Nru clamav-0.99.2+dfsg/debian/patches/fix_newer_zlib.patch clamav-0.99.2+dfsg/debian/patches/fix_newer_zlib.patch
--- clamav-0.99.2+dfsg/debian/patches/fix_newer_zlib.patch 1970-01-01 00:00:00.000000000 +0000
+++ clamav-0.99.2+dfsg/debian/patches/fix_newer_zlib.patch 2017-08-15 19:47:31.000000000 +0000
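Review bot: The second and third `CLI_ISCONTAINED` terms test `wwsect+0x295+sects[scount].rva` and `...+0x299`, but the only read of `wwsect` in the visible lines is `cli_readint32(wwsect+0x295)`; `rva` and `0x299` are added to the value read, not to the pointer. Those two terms therefore reject files based on addresses that are never dereferenced here, and they form the pointer sum before it is checked. CVE-2017-6420-2.patch, later in this series, drops both terms, so a backport has to take the two patches together rather than this one alone. The check also trusts `sects[scount].rsz` as the real extent of `wwsect`; where that was validated is outside the hunk and worth naming in a comment above the check.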
@@ -0,0 +1,52 @@
+Description: fix compatibility with zlib 1.2.9 and newer
+Author: Marc Deslauriers
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1692073
+
+Index: clamav-0.99.2+dfsg/libclamav/bytecode_api.c
+===================================================================
+--- clamav-0.99.2+dfsg.orig/libclamav/bytecode_api.c 2017-08-08 15:20:06.651685637 -0400
++++ clamav-0.99.2+dfsg/libclamav/bytecode_api.c 2017-08-15 15:45:14.645714766 -0400
+@@ -811,8 +811,20 @@ int32_t cli_bcapi_inflate_init(struct cl
+ cli_dbgmsg("bytecode api: inflate_init: invalid buffers!\n");
+ return -1;
+ }
+- memset(&stream, 0, sizeof(stream));
+- ret = inflateInit2(&stream, windowBits);
++
++ b = cli_realloc(ctx->inflates, sizeof(*ctx->inflates)*n);
++ if (!b) {
++ return -1;
++ }
++ ctx->inflates = b;
++ ctx->ninflates = n;
++ b = &b[n-1];
++
++ b->from = from;
++ b->to = to;
++ b->needSync = 0;
++ memset(&b->stream, 0, sizeof(stream));
++ ret = inflateInit2(&b->stream, windowBits);
+ switch (ret) {
+ case Z_MEM_ERROR:
+ cli_dbgmsg("bytecode api: inflateInit2: out of memory!\n");
+@@ -829,20 +841,6 @@ int32_t cli_bcapi_inflate_init(struct cl
+ cli_dbgmsg("bytecode api: inflateInit2: unknown error %d\n", ret);
+ return -1;
+ }
+-
+- b = cli_realloc(ctx->inflates, sizeof(*ctx->inflates)*n);
+- if (!b) {
+- inflateEnd(&stream);
+- return -1;
+- }
+- ctx->inflates = b;
+- ctx->ninflates = n;
+- b = &b[n-1];
+-
+- b->from = from;
+- b->to = to;
+- b->needSync = 0;
+- memcpy(&b->stream, &stream, sizeof(stream));
+ return n-1;
+ }
+
diff -Nru clamav-0.99.2+dfsg/debian/patches/series clamav-0.99.2+dfsg/debian/patches/series
--- clamav-0.99.2+dfsg/debian/patches/series 2017-01-30 20:27:33.000000000 +0000
+++ clamav-0.99.2+dfsg/debian/patches/series 2017-08-15 20:04:37.000000000 +0000
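Review bot: With the slot allocated and `ctx->ninflates = n` published before `inflateInit2()` is called, the failing branches of the `switch` that are visible here `return -1` while leaving a counted entry whose `stream` was never initialised and whose `from`/`to` look valid. Code outside the hunk that walks `ctx->inflates` up to `ninflates` would then treat that entry as a live stream. Either undo the count on failure, e.g. `ctx->ninflates = n-1;` before each `return -1;` after the realloc, or assign `ctx->ninflates` only once `inflateInit2()` has succeeded. A short comment stating why the stream is now initialised in place instead of being copied with `memcpy` (presumably the zlib 1.2.9 incompatibility named in the Description) would keep a later cleanup from reintroducing the copy.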
@@ -12,3 +12,8 @@ Add-support-for-LLVM-3.9.patch bb11549-fix-temp-file-cleanup-issue.patch Fix_detection_of_libcurl.patch +zlib-check.patch +CVE-2017-6418.patch +CVE-2017-6420.patch +CVE-2017-6420-2.patch +fix_newer_zlib.patch \ No newline at end of file diff -Nru clamav-0.99.2+dfsg/debian/patches/zlib-check.patch clamav-0.99.2+dfsg/debian/patches/zlib-check.patch --- clamav-0.99.2+dfsg/debian/patches/zlib-check.patch 1970-01-01 00:00:00.000000000 +0000 +++ clamav-0.99.2+dfsg/debian/patches/zlib-check.patch 2017-05-02 09:19:21.000000000 +0000 @@ -0,0 +1,25 @@ +## Description: add some description +## Origin/Author: add some origin or author +## Bug: bug URL +commit f0bcd186190fe6e67b3f0eaaceb7a99aa6a98865 +Author: Steven Morgan +Date: Thu Jan 5 12:30:35 2017 -0500 + + bb111711 - fix zlib version check - patch by Daniel J. Luke. + +diff --git a/m4/reorganization/libs/libz.m4 b/m4/reorganization/libs/libz.m4 +index b5c7414..f7b67ca 100644 +--- a/m4/reorganization/libs/libz.m4 ++++ b/m4/reorganization/libs/libz.m4 +@@ -29,9 +29,9 @@ then + AC_MSG_ERROR([Please install zlib and zlib-devel packages]) + else + +- vuln=`grep "ZLIB_VERSION \"1.2.0" $ZLIB_HOME/include/zlib.h` ++ vuln=`grep "ZLIB_VERSION \"1.2.0\"" $ZLIB_HOME/include/zlib.h` + if test -z "$vuln"; then +- vuln=`grep "ZLIB_VERSION \"1.2.1" $ZLIB_HOME/include/zlib.h` ++ vuln=`grep "ZLIB_VERSION \"1.2.1\"" $ZLIB_HOME/include/zlib.h` + fi + + if test -n "$vuln"; then diff -Nru clamav-0.99.2+dfsg/debian/rules clamav-0.99.2+dfsg/debian/rules --- clamav-0.99.2+dfsg/debian/rules 2017-01-30 20:27:31.000000000 +0000 +++ clamav-0.99.2+dfsg/debian/rules 2017-05-02 09:24:17.000000000 +0000 @@ -30,7 +30,7 @@ ifeq (,$(filter $(DEB_HOST_ARCH), i386 amd64 kfreebsd-amd64 kfreebsd-i386)) export enable_llvm=no else - SYSTEM_LLVM = -with-system-llvm=/usr/bin/llvm-config --with-llvm-linking=dynamic + SYSTEM_LLVM = -with-system-llvm=/usr/bin/llvm-config-3.9 --with-llvm-linking=dynamic endif # Set the configure options:
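Review bot: In zlib-check.patch, closing the quote in the two `grep` patterns turns the former prefix match into an exact match, so `vuln` is now set only for `ZLIB_VERSION "1.2.0"` and `"1.2.1"` themselves and no longer for point releases such as 1.2.0.x or 1.2.1.x. If the prefix match was meant to cover those releases, the pattern should accept either the closing quote or a following dot after the third component, which still excludes two-digit patch levels. The dots in both patterns are unescaped, so `grep` treats them as wildcards. The patch header also still carries the template placeholders (`add some description`, `add some origin or author`, `bug URL`) and should name the upstream commit and bug instead.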