From: "Thomas T. Veldhouse"
Date: Wed, 18 Feb 2004 08:26:33 -0600
To: freebsd-ports@freebsd.org, freebsd-security@freebsd.org
Subject: [Fwd: [gentoo-announce] [ GLSA 200402-07 ] Clamav 0.65 DoS vulnerability]
Message-ID: <40337619.1050504@veldy.net>

Attached is a security alert from Gentoo pertaining to clam antivirus. It seems that as of this morning, FreeBSD's ports still contain the affected version.

Thanks in advance,

Tom Veldhouse

From: Tim Yamin
Date: Wed, 18 Feb 2004 13:16:29 +0000
To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, security-alerts@linuxsecurity.com, gentoo-core@lists.gentoo.org, gentoo-announce@lists.gentoo.org
Subject: [gentoo-announce] [ GLSA 200402-07 ] Clamav 0.65 DoS vulnerability
Message-ID: <403365AD.4030809@gentoo.org>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                            GLSA 200402-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                              http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Clamav 0.65 DoS vulnerability
      Date: February 11, 2004
      Bugs: #41248
        ID: 200402-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Oliver Eikemeier has reported a vulnerability in clamav, which can be exploited by a malformed uuencoded message causing a denial of service for programs that rely on the clamav daemon, such as SMTP daemons.

Background
==========

Clam AntiVirus is a GPLed anti-virus toolkit, designed for integration with mail servers to perform attachment scanning. Clam AV also provides a command line scanner and a tool for fetching updates of the virus database.

Description
===========

Oliver Eikemeier of Fillmore Labs discovered the overflow in Clam AV 0.65 when it handled malformed UUEncoded messages, causing the daemon to shut down. The problem originated in libclamav, which calculates the line length of a uuencoded message by taking the ASCII value of the first character minus 64 while doing an assertion if the length is not in the allowed range, effectively terminating the calling program as clamav would not be available.

Impact
======

A malformed message such as the one below would cause a denial of service, and depending on the server configuration this may impact other daemons relying on Clam AV in a fatal manner.

To exploit the vulnerability, you can add the following [ excluding the two lines ] to ~/clamtest.mbox:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
~From -
begin 644 byebye
byebye
end
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Then do "clamscan --mbox -v ~/clamtest.mbox" or "clamdscan -v ~/clamtest.mbox; ps ax | grep clam": the former will cause an assertion and a segmentation fault, the latter would cause the daemon to shut down.

Workaround
==========

There is no immediate workaround; a software upgrade is required.

Resolution
==========

All users are urged to upgrade their Clam AV installations to Clam AV 0.67:

    # emerge sync
    # emerge -pv ">=net-mail/clamav-0.6.7"
    # emerge ">=net-mail/clamav-0.6.7"

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.
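
The advisory's Description attributes the crash to an assertion on a line length taken from untrusted input. The following is an added example, not code from the advisory or from libclamav: a strict length check that reports a malformed line to the caller instead of asserting. The name uu_line_bytes is hypothetical, and the check assumes the standard uuencode convention (length character = byte count + 32, at most 45 bytes per line) rather than the formula quoted in the advisory.

```c
#include <stdio.h>
#include <string.h>

#define UU_MAX_BYTES 45   /* standard uuencode: at most 45 data bytes per line */

/*
 * Validate one body line of a uuencoded block taken from untrusted input.
 * Returns the number of data bytes the line encodes (0..45), or -1 if the
 * line is malformed. Hypothetical helper, not libclamav's code: it reports
 * bad input to the caller and never calls assert() or abort().
 */
int uu_line_bytes(const char *line)
{
    size_t len, need, i;
    unsigned char c;
    int n;

    if (line == NULL)
        return -1;
    len = strcspn(line, "\r\n");          /* ignore the line terminator */
    if (len == 0)
        return -1;                        /* no length character at all */

    c = (unsigned char)line[0];
    if (c == '`')
        n = 0;                            /* alternate encoding of zero */
    else if (c >= ' ' && c <= ' ' + UU_MAX_BYTES)
        n = c - ' ';                      /* length char = count + 32 */
    else
        return -1;                        /* length outside allowed range */

    need = (size_t)(n + 2) / 3 * 4;       /* encoded chars for n bytes */
    if (len - 1 < need)
        return -1;                        /* line shorter than it claims */
    for (i = 1; i <= need; i++) {
        c = (unsigned char)line[i];
        if (c < ' ' || c > '`')
            return -1;                    /* outside the uuencode alphabet */
    }
    return n;
}

int main(void)
{
    /* Constructed sample lines: one valid ("Cat"), the rest malformed. */
    const char *samples[] = { "#0V%T", "byebye", "#0V", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %d\n", samples[i], uu_line_bytes(samples[i]));
    return 0;
}
```

A caller that gets -1 can skip the attachment or flag the message as unscannable while the scanning process keeps running.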