Hello, I've recently recompiled ClamAV because of the vulnerabilities discovered by Damian Put [http://www.securityfocus.com/archive/1/430405].
After recompiling, I tested the vulnerability using the "crafted_upx.exe" example provided by Damian. With clamscan, the vulnerability is fixed (it exits gracefully - no seg fault):

# clamscan --max-space=0 /tmp/crafted_upx.exe
LibClamAV Error: UPX: Too big value of dsize
/tmp/crafted_upx.exe: Unable to allocate memory

----------- SCAN SUMMARY -----------
Known viruses: 48836
Engine version: 0.88.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.25 MB
Time: 1.336 sec (0 m 1 s)

But when I set ArchiveMaxFileSize to 0 (disabled) in clamd.conf, and scan the same file using clamdscan, it "freezes". Further investigation shows a seg fault, using "strace -s 1000 -f -p <clamd-pid>".

Scan command: "clamdscan /tmp/crafted_upx.exe"

[pid 14675] lseek(8, 179936, SEEK_SET) = 179936
[pid 14675] read(8, "[EMAIL PROTECTED]", 126) = 126
[pid 14675] write(2, "LibClamAV debug: UPX: Looks like a NRV2D decompression routine\n", 63) = 63
[pid 14675] --- SIGSEGV (Segmentation fault) @ 0 (0) ---
[pid 14675] time([1144949342]) = 1144949342
[pid 14675] --- SIGSEGV (Segmentation fault) @ 0 (0) ---
[pid 14675] rt_sigprocmask(SIG_SETMASK, NULL, ~[KILL STOP 33], 8) = 0
[pid 14675] rt_sigsuspend(~[KILL STOP RTMIN 33] <unfinished ...>
[pid 14674] <... poll resumed> [{fd=495652900, events=POLLRDNORM|POLLERR|POLLHUP|0xffffc000}], 1, 2000) = 0
[pid 14674] --- SIGSEGV (Segmentation fault) @ 0 (0) ---
[pid 14674] rt_sigprocmask(SIG_SETMASK, NULL, ~[TRAP KILL STOP 33], 8) = 0
[pid 14674] rt_sigsuspend(~[TRAP KILL STOP RTMIN 33]

Since the libclamav library was updated, I would assume clamdscan would be fixed too. Is there a chance that clamdscan is vulnerable to this heap overflow?

Joe
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
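The kind of check the clamscan output above refers to (rejecting an oversized dsize before any buffer is allocated), shown as an added example in C. This is not ClamAV's code and not part of the post: it assumes a hypothetical 8-byte section header with little-endian ssize/dsize fields, a hypothetical absolute cap HARD_MAX_DSIZE, and PAD slack bytes that a decompressor might write past the claimed size. It contrasts a weak check, where a configured limit of 0 is treated as "no check at all" and the 32-bit allocation size can wrap, with a hardened one where 0 only disables the administrator's limit.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumptions for this example (not ClamAV constants): an absolute cap on a
 * decompressed section and the slack bytes a decompressor may write past it. */
#define HARD_MAX_DSIZE (64u * 1024u * 1024u)
#define PAD 8u

struct sec_hdr {
    uint32_t ssize;   /* packed size, as read from the file */
    uint32_t dsize;   /* claimed unpacked size, attacker-controlled */
};

/* Constructed 8-byte header: ssize = 0x100, dsize = 0xFFFFFFFC (little-endian). */
static const unsigned char CRAFTED_HDR[8] = {
    0x00, 0x01, 0x00, 0x00,
    0xfc, 0xff, 0xff, 0xff
};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the constructed header; returns 0 on success, -1 if buf is too short. */
int parse_hdr(const unsigned char *buf, size_t len, struct sec_hdr *h)
{
    if (len < 8)
        return -1;
    h->ssize = le32(buf);
    h->dsize = le32(buf + 4);
    return 0;
}

/* dsize field of the constructed header, or 0 if it does not parse. */
uint32_t crafted_dsize(void)
{
    struct sec_hdr h;
    if (parse_hdr(CRAFTED_HDR, sizeof CRAFTED_HDR, &h) != 0)
        return 0;
    return h.dsize;
}

/* Weak check: a configured limit of 0 is taken to mean "no check at all",
 * so any dsize passes, including values that make dsize + PAD wrap. */
int dsize_ok_weak(uint32_t dsize, uint32_t max_space)
{
    if (max_space != 0 && dsize > max_space)
        return 0;
    return 1;
}

/* The 32-bit allocation size the weak path would request; wraps for
 * dsize > UINT32_MAX - PAD, yielding a tiny buffer for a huge write. */
uint32_t weak_alloc_size(uint32_t dsize)
{
    return dsize + PAD;
}

/* Hardened check: 0 disables only the administrator's limit. A zero dsize,
 * anything above the absolute cap, and anything above the configured limit
 * (when set) are rejected before any allocation happens. */
int dsize_ok_hard(uint32_t dsize, uint32_t max_space)
{
    if (dsize == 0 || dsize > HARD_MAX_DSIZE)
        return 0;
    if (max_space != 0 && dsize > max_space)
        return 0;
    return 1;
}

/* Allocate the output buffer only after the hardened check, doing the size
 * arithmetic in size_t so it cannot wrap. Returns NULL on rejection or
 * allocation failure; *outlen receives the usable size. */
unsigned char *alloc_out_hard(uint32_t dsize, uint32_t max_space, size_t *outlen)
{
    if (!dsize_ok_hard(dsize, max_space))
        return NULL;
    size_t need = (size_t)dsize + PAD;
    unsigned char *p = calloc(need, 1);
    if (p)
        *outlen = need;
    return p;
}

/* 1 if the hardened path hands back a buffer for this dsize, 0 otherwise. */
int hard_path_accepts(uint32_t dsize, uint32_t max_space)
{
    size_t n = 0;
    unsigned char *p = alloc_out_hard(dsize, max_space, &n);
    if (!p)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    uint32_t dsize = crafted_dsize();
    printf("claimed dsize = 0x%08x\n", (unsigned)dsize);
    printf("weak check, limit 0: %s, would malloc(%u)\n",
           dsize_ok_weak(dsize, 0) ? "accepted" : "rejected",
           (unsigned)weak_alloc_size(dsize));
    printf("hard check, limit 0: %s\n",
           hard_path_accepts(dsize, 0) ? "accepted" : "rejected");
    return 0;
}
```

With the constructed header the weak path accepts dsize 0xFFFFFFFC under a limit of 0 and would request a 4-byte buffer for it, which is exactly the shape of allocation a later decompression write overruns; the hardened path rejects it before allocating, regardless of how the configurable limit is set.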