From owner-freebsd-ports-bugs@FreeBSD.ORG Mon Feb 9 06:00:34 2004
Message-Id: <4027901F.1090105@fillmore-labs.com>
Date: Mon, 09 Feb 2004 14:50:23 +0100
From: Oliver Eikemeier
To: FreeBSD-gnats-submit@FreeBSD.org
cc: TERAMOTO Masahiro
Subject: ports/62586: [SECURITY] security/clamav: trivial DOS attack

>Number: 62586
>Category: ports
>Synopsis: [SECURITY] security/clamav: trivial DOS attack
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Feb 09 06:00:33 PST 2004
>Closed-Date:
>Last-Modified:
>Originator: Oliver Eikemeier
>Release: FreeBSD 4.9-STABLE i386
>Organization: Fillmore Labs - http://www.fillmore-labs.com
>Environment:
System: FreeBSD nuuk.fillmore-labs.com 4.9-STABLE

>Description:
It is trivial to crash clamd using a malformed uuencoded message, resulting in a denial of service for all programs (e.g. SMTP daemons) relying on clamd running. The message must only contain one uuencoded line with an illegal line length, i.e. starting with a small letter.

libclamav calculates the line length of a uuencoded line by taking the ASCII value of the first character minus 64 and does an `assert' if the length is not in the allowed range, effectively terminating the calling program.

>How-To-Repeat:
Save the following file to ~/clamtest.mbox, removing the leading 'X':

XFrom -
X
Xbegin 644 byebye
Xbyebye
Xend

Then do:

  # clamscan --mbox -v ~/clamtest.mbox
  assertion "(len >= 0) && (len <= 63)" failed: file "message.c", line 887
  Abort (core dumped)

or

  # clamdscan -v ~/clamtest.mbox; ps ax | grep clam

>Fix:
Add the following in files/patch-libclamav::message.c:

--- libclamav/message.c.orig Wed Nov 5 11:59:53 2003 +++ libclamav/message.c Mon Feb 9 13:57:48 2004 
@@ -884,7 +884,8 @@ len = *line++ - ' '; - assert((len >= 0) && (len <= 63)); + if (len < 0 || len > 63) + break; ptr = decode(line, ptr, uudecode, (len & 3) == 0); break; >Release-Note: >Audit-Trail: >Unformatted:
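Review bot: the new `if (len < 0 || len > 63) break;` skips the malformed line silently, so a scan of a deliberately broken uuencoded attachment leaves no trace. Consider a short comment saying that the length character comes from untrusted input, and a debug or warning message before the `break`. Also, the visible call `decode(line, ptr, uudecode, (len & 3) == 0)` receives the declared length only as that flag, so this range check does not by itself bound how much of `line` is decoded; it is worth confirming that `decode` is limited by the destination buffer and the actual line length rather than by `len`.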
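The length check the report describes, as an added example that is not part of the original report and is not libclamav's code: a hypothetical `uu_decode_line` helper that returns an error for a bad length character instead of asserting, and that also checks the line really holds the declared number of encoded characters. The sample lines in `main` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not libclamav code): decode one uuencoded line that
 * has no trailing newline. Returns the number of bytes written to out, or
 * -1 if the line is malformed. Untrusted input must never reach assert(). */
int uu_decode_line(const char *line, unsigned char *out, size_t outsz)
{
    size_t have = strlen(line);
    size_t need, i;
    int len, j, n = 0;

    if (have == 0)
        return -1;
    len = line[0] - ' ';              /* declared payload length */
    if (len < 0 || len > 63)          /* same range the patch enforces */
        return -1;
    /* Every 3 payload bytes take 4 encoded characters after the length byte. */
    need = (size_t)((len + 2) / 3) * 4;
    if (have - 1 < need || (size_t)len > outsz)
        return -1;                    /* truncated line or output too small */
    for (i = 0; i < need; i += 4) {
        unsigned char v[4], b[3];
        for (j = 0; j < 4; j++) {
            char c = line[1 + i + j];
            if (c < ' ' || c > '`')   /* outside the uuencode alphabet */
                return -1;
            v[j] = (unsigned char)((c - ' ') & 0x3f);
        }
        b[0] = (unsigned char)((v[0] << 2) | (v[1] >> 4));
        b[1] = (unsigned char)((v[1] << 4) | (v[2] >> 2));
        b[2] = (unsigned char)((v[2] << 6) | v[3]);
        for (j = 0; j < 3 && n < len; j++)
            out[n++] = b[j];
    }
    return n;
}

int main(void)
{
    unsigned char buf[64];
    /* Constructed samples: the report's malformed line and a valid one. */
    printf("byebye -> %d\n", uu_decode_line("byebye", buf, sizeof buf));
    printf("#0V%%T  -> %d\n", uu_decode_line("#0V%T", buf, sizeof buf));
    return 0;
}
```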