Bug#476694: clamav: CVE-2008-1833 integer overflow leading to heap overflow via crafted wwpack compressed pe binary

Fri, 18 Apr 2008 09:04:46 -0700 

This one time, at band camp, Nico Golde said:
> Hi Moritz,
> * Moritz Muehlenhoff <[EMAIL PROTECTED]> [2008-04-18 16:09]:
> > 
> > Already fixed in etch and unstable (it's the issue referenced as not
> > yet having a CVE ID in the DSA).
> 
> Are you sure? Looking at the source code from the unstable 
> version I still see the affected lines of code:
> 
>     if((DCONF & PE_CONF_WWPACK) && nsections > 1 &&
>        exe_sections[nsections-1].raw>0x2b1 &&
>        vep == exe_sections[nsections - 1].rva &&
>        exe_sections[nsections - 1].rva + exe_sections[nsections - 1].rsz == 
> max &&
>        memcmp(epbuff, "\x53\x55\x8b\xe8\x33\xdb\xeb", 7) == 0 &&
>        memcmp(epbuff+0x68, 
> "\xe8\x00\x00\x00\x00\x58\x2d\x6d\x00\x00\x00\x50\x60\x33\xc9\x50\x58\x50\x50",
>  19) == 0)  {
>         uint32_t headsize=exe_sections[nsections - 1].raw;
>         char *dest, *wwp;
> 
>         for(i = 0 ; i < (unsigned int)nsections-1; i++)
>             if (exe_sections[i].raw<headsize) headsize=exe_sections[i].raw;
> 
>         dsize = max-min+headsize-exe_sections[nsections - 1].rsz;
> 
>         CLI_UNPSIZELIMITS("WWPack", dsize);
> 
>         if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
> 
> How was this fixed?

Arg - you may be right - I see the upack vulnerability fixed in
unstable, but it looks like I may not have gotten the wwpack
vulnerability in the patch.  Sorry - this week has been really bad for
me (I have guests staying and I'm really busy at work, so my
concentration is a bit shot).  It looks like I may also have missed it
for volatile.  Damn.

This appears to be the patch in question:
http://git.debian.org/?p=users/sgran/clamav-devel.git;a=commitdiff;h=65f47ca3711e1bc99970c5eabc0a0598dcd46f26#patch43

I'll apply the patch here, but I'm unlikely to be able to upload to
unstable before Monday night - I'm off for a disconnected weekend in 2
hours, and I'm still at work.  Feel free to NMU, if you like.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

Attachment: signature.asc
Description: Digital signature

Reply via email to