On 2/5/20 10:29 AM, Joel Esler (jesler) wrote: > >> https://blog.clamav.net/2020/02/clamav-01022-security-patch-released.html > > Today, we're publishing 0.102.2. Navigate to ClamAV's downloads > <http://www.clamav.net/downloads> page to download the release materials. > > > 0.102.2 > > ClamAV 0.102.2 is a security patch release to address the following issues. > > * CVE-2020-3123 > <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3123>: A > denial-of-service (DoS) condition may occur when using the optional credit > card data-loss-prevention (DLP) feature. Improper bounds checking of an > unsigned variable resulted in an out-of-bounds read, which causes a crash.
What's the status of the 0.101.X branch now? Is it dead or will it receive a
fix for this? The changes in 0.102 are somewhat problematic to release to old
stable OSes like RHEL7 so an active 0.101.X branch that receives security
updates and important bug fixes would be greatly appreciated.
Otherwise, it looks like this:
commit 7f9fc68e1cf8878320a1b0ce828b80b860436695
Author: Micah Snyder (micasnyd) <micas...@cisco.com>
Date: Wed Jan 22 17:57:07 2020 -0800
bb12449: Fix for out-of-bounds read in DLP feature
An integer overflow causes an out-of-bounds read that results in
a crash. The crash may occur when using the optional
Data-Loss-Prevention (DLP) feature to block content that contains credit
card numbers. This commit fixes the issue by using a signed index variable.
diff --git a/libclamav/dlp.c b/libclamav/dlp.c
index 0457e9912..4526461fc 100644
--- a/libclamav/dlp.c
+++ b/libclamav/dlp.c
@@ -176,6 +176,7 @@ int dlp_is_valid_cc(const unsigned char *buffer, size_t
length)
int mult = 0;
int sum = 0;
size_t i = 0;
+ ssize_t j = 0;
int val = 0;
int digits = 0;
char cc_digits[20];
@@ -232,9 +233,11 @@ int dlp_is_valid_cc(const unsigned char *buffer, size_t
length)
if (digits < 13 || (i < length && isdigit(buffer[i])))
return 0;
+ j = (ssize_t)i;
+
//figure out luhn digits
- for (i = digits - 1; i >= 0; i--) {
- val = cc_digits[i] - '0';
+ for (j = digits - 1; j >= 0; j--) {
+ val = cc_digits[j] - '0';
if (mult) {
if ((val *= 2) > 9) val -= 9;
}
is the fix for the CVE. Can that be confirmed?
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ clamav-devel mailing list clamav-devel@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-devel Please submit your patches to our Github: https://github.com/Cisco-Talos/clamav-devel/pulls Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
