Date:      Mon, 09 Feb 2004 14:50:23 +0100
From:      Oliver Eikemeier <eikemeier@fillmore-labs.com>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        TERAMOTO Masahiro <markun@onohara.to>
Subject:   ports/62586: [SECURITY] security/clamav: trivial DOS attack
Message-ID:  <4027901F.1090105@fillmore-labs.com>
Resent-Message-ID: <200402091400.i19E0XGM038391@freefall.freebsd.org>


>Number:         62586
>Category:       ports
>Synopsis:       [SECURITY] security/clamav: trivial DOS attack
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 09 06:00:33 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Oliver Eikemeier
>Release:        FreeBSD 4.9-STABLE i386
>Organization:
Fillmore Labs - http://www.fillmore-labs.com
>Environment:
System: FreeBSD nuuk.fillmore-labs.com 4.9-STABLE

>Description:

It is trivial to crash clamd using a malformed uuencoded message, resulting in a
denial of service for all programs (e.g. SMTP daemons) relying on clamd running.
The message must only contain one uuencoded line with an illegal line length, i.e.
starting with a small letter.

libclamav calculates the line length of a uuencoded line by taking the ASCII value
of the first character minus 64 and does an `assert' if the length is not in the
allowed range, effectively terminating the calling program.

>How-To-Repeat:

Save the following file to ~/clamtest.mbox, removing the leading 'X':

XFrom -
X
Xbegin 644 byebye
Xbyebye
Xend

Then do:

# clamscan --mbox -v ~/clamtest.mbox
assertion "(len >= 0) && (len <= 63)" failed: file "message.c", line 887
Abort (core dumped)

or

# clamdscan -v ~/clamtest.mbox; ps ax | grep clam

>Fix:

Add the following in files/patch-libclamav::message.c:

--- libclamav/message.c.orig	Wed Nov  5 11:59:53 2003
+++ libclamav/message.c	Mon Feb  9 13:57:48 2004
@@ -884,7 +884,8 @@
 
 			len = *line++ - ' ';
 
-			assert((len >= 0) && (len <= 63));
+			if (len < 0 || len > 63)
+				break;
 
 			ptr = decode(line, ptr, uudecode, (len & 3) == 0);
 			break;
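
Review bot: the new "if (len < 0 || len > 63) break;" drops a malformed line silently, so a message that hits it leaves no trace for whoever operates the scanner; consider emitting a warning or debug message before the "break". Separately, the check validates only the length character: the call "decode(line, ptr, uudecode, (len & 3) == 0)" is handed just "len & 3", and nothing in the visible lines compares len with the number of characters actually left on the line, so that comparison is worth confirming or adding in the same change.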

>Release-Note:
>Audit-Trail:
>Unformatted:
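
The length check from the fix, written as a stand-alone validator (an added example, not part of the original report and not libclamav code). It uses the same "first character minus ' '" expression as the patch; the function name, status names, the acceptance of '`' as zero and the extra checks on the rest of the line are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Status names are hypothetical, chosen for this example. */
enum { UU_OK = 0, UU_BAD_LENGTH = -1, UU_TRUNCATED = -2, UU_BAD_CHAR = -3 };

/* Validate one uuencoded body line before decoding it; on success
 * store the declared payload size (0..63) in *out_len. */
static int uu_check_line(const char *line, size_t *out_len)
{
    size_t avail, need, i;
    int len;

    if (line == NULL || out_len == NULL || *line == '\0')
        return UU_BAD_LENGTH;
    len = (unsigned char)line[0] - ' ';  /* same expression as the patch */
    if (len == 64)                       /* '`' is how many encoders write 0 */
        len = 0;
    if (len < 0 || len > 63)             /* reject instead of assert() */
        return UU_BAD_LENGTH;

    avail = strcspn(line + 1, "\r\n");   /* encoded characters present */
    need = ((size_t)len + 2) / 3 * 4;    /* 4 characters carry 3 bytes */
    if (avail < need)
        return UU_TRUNCATED;
    for (i = 1; i <= need; i++) {
        unsigned char c = (unsigned char)line[i];
        if (c < ' ' || c > '`')          /* outside the uuencode alphabet */
            return UU_BAD_CHAR;
    }
    *out_len = (size_t)len;
    return UU_OK;
}

int main(void)
{
    /* Constructed samples: the report's "byebye" line, a valid line
     * encoding "Cat", and the same line cut short. */
    const char *samples[] = { "byebye", "#0V%T", "#0V" };
    size_t i, n = 0;

    for (i = 0; i < 3; i++)
        printf("%-8s -> %d\n", samples[i], uu_check_line(samples[i], &n));
    return 0;
}
```

The caller decides what to do with a non-zero status (skip the line, log it, stop decoding the attachment); the process keeps running in every case.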


