Hi Stephen,
* Stephen Gran <[EMAIL PROTECTED]> [2008-07-16 16:39]:
> Just a note for the bug report - I'm a little busy right now with job
> hunting and interviewing and so forth. If someone wants to NMU either a
> fixed version or the new upstream, that's fine with me.

a debdiff for an NMU is attached and archived on:
http://people.debian.org/~nion/nmu-diff/clamav-0.93.1.dfsg-1_0.93.1.dfsg-1.1.patch

Note that I noticed that there is an infrastructure for dpatch but you
removed dpatch a few uploads ago and I didn't want to reintroduce it for
the security upload and thus I patched the source code directly.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

diff -u clamav-0.93.1.dfsg/debian/changelog clamav-0.93.1.dfsg/debian/changelog
--- clamav-0.93.1.dfsg/debian/changelog
+++ clamav-0.93.1.dfsg/debian/changelog
@@ -1,3 +1,13 @@
+clamav (0.93.1.dfsg-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * This update addresses the following security issue:
+ - CVE-2008-2713: A crafted petite file can trigger an out-of-bound
+ read operation in petite.c resulting in a denial of sevice
+ (Closes: #490925).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Wed, 16 Jul 2008 16:54:49 +0200
+
clamav (0.93.1.dfsg-1) unstable; urgency=low
* New upstream version
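Review bot: The CVE-2008-2713 item in the new changelog entry misspells "service" ("resulting in a denial of sevice"), and "out-of-bound read" would be clearer as "out-of-bounds read". Please fix the wording before upload, since this entry is the user-visible record of what the security NMU addresses.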
only in patch2:
unchanged:
--- clamav-0.93.1.dfsg.orig/libclamav/petite.c
+++ clamav-0.93.1.dfsg/libclamav/petite.c
@@ -214,8 +214,14 @@
/* Let's compact data */
for (t = 0; t < j ; t++) {
usects[t].raw = (t>0)?(usects[t-1].raw + usects[t-1].rsz):0;
- if (usects[t].rsz != 0 && CLI_ISCONTAINED(buf, bufsz, buf + usects[t].raw, usects[t].rsz))
- memmove(buf + usects[t].raw, adjbuf + usects[t].rva, usects[t].rsz);
+ if (usects[t].rsz != 0)
+ if(CLI_ISCONTAINED(buf, bufsz, buf + usects[t].raw, usects[t].rsz)) {
+ memmove(buf + usects[t].raw, adjbuf + usects[t].rva, usects[t].rsz);
+ } else {
+ cli_dbgmsg("Petite: Skipping section %d, Raw: %x, RSize:%x\n", t, usects[t].raw, usects[t].rsz);
+ usects[t].raw = t>0 ? usects[t-1].raw : 0;
+ usects[t].rsz = 0;
+ }
}
/* Showtime!!! */
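Review bot: In the new else branch, usects[t].raw is reset to usects[t-1].raw rather than usects[t-1].raw + usects[t-1].rsz, so with rsz forced to 0 the next iteration computes usects[t+1].raw equal to usects[t-1].raw and a later section that passes the containment check is moved over the start of section t-1. If the intent is only to skip the oversized section, leaving raw at the value computed at the top of the loop and zeroing rsz would keep the following sections packed after t-1. Separately, CLI_ISCONTAINED here bounds only the destination (buf + usects[t].raw); the source range adjbuf + usects[t].rva is not checked in this hunk, so please confirm it is validated earlier given that the changelog describes an out-of-bounds read. The outer "if (usects[t].rsz != 0)" also has no braces around the inner if/else, which is a dangling-else construct; bracing the outer if would make the binding explicit.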

