On 2/6/20 3:23 PM, Orion Poplawski wrote:
> On 2/5/20 10:29 AM, Joel Esler (jesler) wrote:
>>
>>> https://blog.clamav.net/2020/02/clamav-01022-security-patch-released.html
>>
>> Today, we're publishing 0.102.2. Navigate to ClamAV's downloads
>> <http://www.clamav.net/downloads> page to download the release materials.
>>
>>
>>       0.102.2
>>
>> ClamAV 0.102.2 is a security patch release to address the following issues.
>>
>>   * CVE-2020-3123
>>     <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3123>: A
>>     denial-of-service (DoS) condition may occur when using the optional credit
>>     card data-loss-prevention (DLP) feature. Improper bounds checking of an
>>     unsigned variable resulted in an out-of-bounds read, which causes a crash.
> 
> What's the status of the 0.101.X branch now?  Is it dead or will it receive a
> fix for this?  The changes in 0.102 are somewhat problematic to release to old
> stable OSes like RHEL7 so an active 0.101.X branch that receives security
> updates and important bug fixes would be greatly appreciated.
> 
> Otherwise, it looks like this:
> 
> commit 7f9fc68e1cf8878320a1b0ce828b80b860436695
> Author: Micah Snyder (micasnyd) <micas...@cisco.com>
> Date:   Wed Jan 22 17:57:07 2020 -0800
> 
>     bb12449: Fix for out-of-bounds read in DLP feature
> 
>     An integer overflow causes an out-of-bounds read that results in
>     a crash. The crash may occur when using the optional
>     Data-Loss-Prevention (DLP) feature to block content that contains credit
>     card numbers. This commit fixes the issue by using a signed index variable.
> 
> diff --git a/libclamav/dlp.c b/libclamav/dlp.c
> index 0457e9912..4526461fc 100644
> --- a/libclamav/dlp.c
> +++ b/libclamav/dlp.c
> @@ -176,6 +176,7 @@ int dlp_is_valid_cc(const unsigned char *buffer, size_t
> length)
>      int mult   = 0;
>      int sum    = 0;
>      size_t i   = 0;
> +    ssize_t j  = 0;
>      int val    = 0;
>      int digits = 0;
>      char cc_digits[20];
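Review bot: the new `ssize_t j` declared at the top of dlp_is_valid_cc is a POSIX type rather than ISO C, so the build needs a compatibility typedef on platforms that lack it (MSVC, for one); a short comment at the declaration saying that `j` exists because the Luhn loop below counts down through zero, which the unsigned `i` cannot do without wrapping, would also save the next reader from wondering why the function now carries two index variables.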
> @@ -232,9 +233,11 @@ int dlp_is_valid_cc(const unsigned char *buffer, size_t
> length)
>      if (digits < 13 || (i < length && isdigit(buffer[i])))
>          return 0;
> 
> +    j = (ssize_t)i;
> +
>      //figure out luhn digits
> -    for (i = digits - 1; i >= 0; i--) {
> -        val = cc_digits[i] - '0';
> +    for (j = digits - 1; j >= 0; j--) {
> +        val = cc_digits[j] - '0';
>          if (mult) {
>              if ((val *= 2) > 9) val -= 9;
>          }
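Review bot: the added `j = (ssize_t)i;` just before the "figure out luhn digits" comment is a dead store, since the `for` header immediately reassigns `j = digits - 1`; drop it, or it reads as if the loop depended on the value of `i`. The fix itself is sound: with `size_t i` the old condition `i >= 0` was always true, so the decrement from 0 wrapped to SIZE_MAX and `cc_digits[i]` read out of bounds, which is the crash described in the commit message. An alternative that keeps the unsigned `i` and needs no `ssize_t` is `for (i = digits; i-- > 0;)`. Either way, building with `-Wextra` (which enables `-Wtype-limits`) flags a `size_t >= 0` comparison as always true and would have caught this at compile time.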
> 
> is the fix for the CVE.  Can that be confirmed?
> 

After poking around a bit more, it appears that this problem was introduced in
0.102.0 so 0.101.5 is okay because it still uses "int" for i.  However, it
would still be nice to get confirmation on the status of the 0.101.X branch.
Thanks!

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       or...@nwra.com
Boulder, CO 80301                 https://www.nwra.com/
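As an added illustration for readers of this thread (this is not ClamAV's code and not taken from the patch above), the following C shows the bug class in isolation: why an unsigned countdown loop with `i >= 0` can never stop on its own, and a Luhn check written with the `i-- > 0` idiom so that no signed index is needed. The function names, the MAX_CC_DIGITS limit and the sample numbers are my own constructions; the doubling step mirrors the hunk, while the running sum and parity toggle that ClamAV's loop presumably continues with are assumed, not copied.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ClamAV's dlp.c. MAX_CC_DIGITS is an assumed limit. */
#define MAX_CC_DIGITS 19

/* Demonstrates why `for (size_t i = n - 1; i >= 0; i--)` never terminates
 * by itself: decrementing an unsigned zero is defined, modular arithmetic,
 * and yields SIZE_MAX rather than a negative value, so `i >= 0` stays true
 * and the next array access lands far outside the buffer. Returns 1. */
int unsigned_index_wraps(void)
{
    size_t i = 0;
    i--;                     /* wraps to SIZE_MAX, no undefined behaviour here */
    return i == SIZE_MAX;    /* the "i >= 0" test would still pass */
}

/* Luhn validation over a run of ASCII digits, rightmost digit first.
 * Returns 1 if the digit string passes, 0 otherwise (including bad input).
 * The countdown uses `i-- > 0`: the comparison runs while i is still a valid
 * index, then i is decremented, so the body sees n-1 .. 0 and the loop ends
 * as soon as the test sees i == 0. The unsigned type never has to go
 * "negative", so no ssize_t is required. */
int luhn_is_valid(const char *digits, size_t n)
{
    int sum = 0, mult = 0;
    size_t i;

    if (n < 13 || n > MAX_CC_DIGITS)
        return 0;
    for (i = 0; i < n; i++)
        if (!isdigit((unsigned char)digits[i]))
            return 0;

    for (i = n; i-- > 0;) {
        int val = digits[i] - '0';
        if (mult) {                       /* double every second digit */
            if ((val *= 2) > 9) val -= 9;
        }
        sum += val;
        mult = !mult;
    }
    return (sum % 10) == 0;
}

int main(void)
{
    /* Constructed sample inputs: a well-known Luhn-valid test number,
     * the same number with its check digit changed, and one with separators. */
    const char *samples[] = { "4111111111111111", "4111111111111112",
                              "4111 1111 1111 1111" };
    size_t k;

    printf("unsigned wrap observed: %d\n", unsigned_index_wraps());
    for (k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-20s -> %d\n", samples[k],
               luhn_is_valid(samples[k], strlen(samples[k])));
    return 0;
}
```

The `i-- > 0` form is the one to reach for when a buffer index must count down to zero: it keeps the index type matching the length type (`size_t`), avoids the non-ISO `ssize_t`, and, unlike `i >= 0` on an unsigned variable, does not trip the `-Wtype-limits` warning that should be treated as a hard error in code that indexes attacker-controlled data.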

clamav-devel mailing list
clamav-devel@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel