| Summary: | clamav new security issue CVE-2013-6497 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | oe, olchal, rverschelde, sysadmin-bugs, thomas, wilcal.int |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/622345/ | ||
| Whiteboard: | MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-32-OK advisory | ||
| Source RPM: | clamav-0.98.4-5.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Innocuous java script file which causes crash in clamav | ||
Description
David Walser 2014-11-19 14:41:52 CET

David Walser 2014-11-19 14:42:00 CET

Whiteboard: (none) => MGA4TOO

0.98.5 has been submitted. Someone needs to submit it to cauldron as well.

CC: (none) => oe

Thanks Oden! Freeze push request sent for Cauldron.

Assigning to QA. Advisory to come later.

Packages uploaded for Mageia 3 and Mageia 4:

clamav-0.98.5-1.mga3
clamd-0.98.5-1.mga3
clamav-milter-0.98.5-1.mga3
clamav-db-0.98.5-1.mga3
libclamav6-0.98.5-1.mga3
libclamav-devel-0.98.5-1.mga3
clamav-0.98.5-1.mga4
clamd-0.98.5-1.mga4
clamav-milter-0.98.5-1.mga4
clamav-db-0.98.5-1.mga4
libclamav6-0.98.5-1.mga4
libclamav-devel-0.98.5-1.mga4

from SRPMS:
clamav-0.98.5-1.mga3.src.rpm
clamav-0.98.5-1.mga4.src.rpm

CC: (none) => thomas

Testing on Mageia3-64 real hardware

Using procedure found https://bugs.mageia.org/show_bug.cgi?id=11288#c9
and reproducing bug found here : https://bugzilla.clamav.net/show_bug.cgi?id=11088

With current packages :
--------------------
- clamav-0.98.4-1.mga3.x86_64
- clamav-db-0.98.4-1.mga3.noarch
- clamav-milter-0.98.4-1.mga3.x86_64
- clamd-0.98.4-1.mga3.x86_64
- lib64clamav-devel-0.98.4-1.mga3.x86_64
- lib64clamav6-0.98.4-1.mga3.x86_64

    # systemctl start clamd
    OK
    # systemctl start clamav-milter
    OK
    # freshclam #in order to update clamav virus database
    Clamd successfully notified about the update.
    # clamscan -r /home/zitounu # in order to scan my user home
    ----------- SCAN SUMMARY -----------
    Known viruses: 3684869
    Engine version: 0.98.4
    Scanned directories: 902
    Scanned files: 1524
    Infected files: 0
    Data scanned: 439.81 MB
    Data read: 3585.15 MB (ratio 0.12:1)
    Time: 31.885 sec (0 m 31 s)

Downloaded file which produces crash found here: https://bugzilla.clamav.net/show_bug.cgi?id=11088

In directory where I downloaded the file :

    # clamscan -a
    Erreur de segmentation

(and crash)

Stopped clamd and clamav-milter services

Updated to testing packages :
---------------------------
- clamav-0.98.5-1.mga3.x86_64
- clamav-db-0.98.5-1.mga3.noarch
- clamav-milter-0.98.5-1.mga3.x86_64
- clamd-0.98.5-1.mga3.x86_64
- lib64clamav-devel-0.98.5-1.mga3.x86_64
- lib64clamav6-0.98.5-1.mga3.x86_64

Restarted clamd and clamav-milter services OK

    # freshclam

which told me virusdatabase was up to date

    # clamscan -r /home/zitounu
    ----------- SCAN SUMMARY -----------
    Known viruses: 3684869
    Engine version: 0.98.5
    Scanned directories: 945
    Scanned files: 1574
    Infected files: 0
    Data scanned: 460.52 MB
    Data read: 3602.15 MB (ratio 0.13:1)
    Time: 27.536 sec (0 m 27 s)

In directory where file known to make clamd crash :

    # clamscan -a
    ----------- SCAN SUMMARY -----------
    Known viruses: 3684869
    Engine version: 0.98.5
    Scanned directories: 1
    Scanned files: 8
    Infected files: 0
    Data scanned: 0.64 MB
    Data read: 835.46 MB (ratio 0.00:1)
    Time: 5.944 sec (0 m 5 s)

No crash this time.
Could stop and restart services.
clamscan could find eicar.com test file

Update testing packages working well and fixing bug

CC: (none) => olchal

Created attachment 5612
Innocuous java script file which causes crash in clamav

Found here : https://bugzilla.clamav.net/show_bug.cgi?id=11088

Mandriva has issued an advisory for this today (November 20):
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014%3A217/

Advisory:
========================

Updated clamav packages fix security vulnerability:

Certain javascript files causes ClamAV to segfault when scanned with the -a (list archived files) (CVE-2013-6497).

ClamAV has been updated to version 0.98.5 to address this and other issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6497
https://bugzilla.clamav.net/show_bug.cgi?id=11088
http://blog.clamav.net/2014/11/clamav-0985-has-been-released.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014%3A217/

URL: (none) => http://lwn.net/Vulnerabilities/622345/

CVE request for another issue fixed in 0.98.5:
http://openwall.com/lists/oss-security/2014/11/21/12

CVE-2014-9050 was allocated for the yoda crypter issue:
http://openwall.com/lists/oss-security/2014/11/22/1

Advisory:
========================

Updated clamav packages fix security vulnerability:

Certain javascript files causes ClamAV to segfault when scanned with the -a (list archived files) (CVE-2013-6497).

A heap buffer overflow was reported in ClamAV when scanning a specially crafted y0da Crypter obfuscated PE file (CVE-2014-9050).

ClamAV has been updated to version 0.98.5 to address these and other issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9050
https://bugzilla.clamav.net/show_bug.cgi?id=11088
http://blog.clamav.net/2014/11/clamav-0985-has-been-released.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014%3A217/
http://openwall.com/lists/oss-security/2014/11/22/1

In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
clamav clamav-db libclamav6

install clamav clamav-db & libclamav6

    [root@localhost wilcal]# urpmi clamav
    Package clamav-0.98.4-1.mga3.i586 is already installed
    [root@localhost wilcal]# urpmi clamav-db
    Package clamav-db-0.98.4-1.mga3.noarch is already installed
    [root@localhost wilcal]# urpmi libclamav6
    Package libclamav6-0.98.4-1.mga3.i586 is already installed

Update with freshclam ( takes awhile )

    [root@localhost wilcal]# cd /var/lib/clamav
    [root@localhost clamav]# ls -al
    total 94380
    drwxr-xr-x 3 clamav clamav 4096 Nov 22 11:02 ./
    drwxr-xr-x 43 root root 4096 Nov 22 10:53 ../
    -rw-r--r-- 1 clamav clamav 74230 Nov 22 11:02 bytecode.cvd
    -rw-r--r-- 1 clamav clamav 31823730 Nov 22 11:02 daily.cvd
    -rw-r--r-- 1 clamav clamav 64720632 Sep 20 2013 main.cvd
    -rw------- 1 clamav clamav 364 Nov 22 11:02 mirrors.dat
    drwxr-xr-x 2 clamav clamav 4096 Jun 20 12:21 tmp/

run clamscan

    [root@localhost wilcal]# clamscan -r -i
    ----------- SCAN SUMMARY -----------
    Known viruses: 3688776
    Engine version: 0.98.4
    Scanned directories: 1440
    Scanned files: 1939
    Infected files: 0
    Data scanned: 390.61 MB
    Data read: 353.49 MB (ratio 1.11:1)
    Time: 36.775 sec (0 m 36 s)

install clamav clamav-db & libclamav6 from updates_testing

    [root@localhost wilcal]# urpmi clamav
    Package clamav-0.98.5-1.mga3.i586 is already installed
    [root@localhost wilcal]# urpmi clamav-db
    Package clamav-db-0.98.5-1.mga3.noarch is already installed
    [root@localhost wilcal]# urpmi libclamav6
    Package libclamav6-0.98.5-1.mga3.i586 is already installed

Update with freshclam - database is up-to-date

run clamscan

    [root@localhost wilcal]# clamscan -r -i
    ----------- SCAN SUMMARY -----------
    Known viruses: 3688776
    Engine version: 0.98.5
    Scanned directories: 1440
    Scanned files: 1939
    Infected files: 0
    Data scanned: 390.62 MB
    Data read: 353.50 MB (ratio 1.11:1)
    Time: 30.321 sec (0 m 30 s)

Successful clamscan.

CC: (none) => wilcal.int

In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
clamav clamav-db libclamav6

install clamav clamav-db & libclamav6

    [root@localhost wilcal]# urpmi clamav
    Package clamav-0.98.4-1.mga4.i586 is already installed
    [root@localhost wilcal]# urpmi clamav-db
    Package clamav-db-0.98.4-1.mga4.noarch is already installed
    [root@localhost wilcal]# urpmi libclamav6
    Package libclamav6-0.98.4-1.mga4.i586 is already installed

Update with freshclam ( takes awhile )

    [root@localhost clamav]# ls -al
    total 94376
    drwxrwxr-x 3 clamav clamav 4096 Nov 22 11:43 ./
    drwxr-xr-x 45 root root 4096 Nov 22 11:29 ../
    -rw-r--r-- 1 clamav clamav 74230 Nov 22 11:43 bytecode.cvd
    -rw-r--r-- 1 clamav clamav 31823730 Nov 22 11:43 daily.cvd
    -rw-r--r-- 1 clamav clamav 64720632 Sep 20 2013 main.cvd
    -rw------- 1 clamav clamav 312 Nov 22 11:43 mirrors.dat
    drwxr-xr-x 2 clamav clamav 4096 Jun 22 12:51 tmp/

run clamscan

    [root@localhost /]# clamscan -i -r /etc
    ----------- SCAN SUMMARY -----------
    Known viruses: 3688776
    Engine version: 0.98.5
    Scanned directories: 480
    Scanned files: 1894
    Infected files: 0
    Data scanned: 41.51 MB
    Data read: 31.66 MB (ratio 1.31:1)
    Time: 9.634 sec (0 m 9 s)

install clamav clamav-db & libclamav6 from updates_testing

    [root@localhost wilcal]# urpmi clamav
    Package clamav-0.98.5-1.mga4.i586 is already installed
    [root@localhost wilcal]# urpmi clamav-db
    Package clamav-db-0.98.5-1.mga4.noarch is already installed
    [root@localhost wilcal]# urpmi libclamav6
    Package libclamav6-0.98.5-1.mga4.i586 is already installed

Update with freshclam - database is up-to-date

run clamscan

    [root@localhost wilcal]# clamscan -r -i
    ----------- SCAN SUMMARY -----------
    Known viruses: 3688776
    Engine version: 0.98.5
    Scanned directories: 1031
    Scanned files: 1519
    Infected files: 0
    Data scanned: 226.45 MB
    Data read: 328.70 MB (ratio 0.69:1)
    Time: 26.019 sec (0 m 26 s)

Successful clamscan.

Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK

In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
clamav clamav-db lib64clamav6

install clamav clamav-db & lib64clamav6

    [root@localhost wilcal]# urpmi clamav
    Package clamav-0.98.4-1.mga4.x86_64 is already installed
    [root@localhost wilcal]# urpmi clamav-db
    Package clamav-db-0.98.4-1.mga4.noarch is already installed
    [root@localhost wilcal]# urpmi lib64clamav6
    Package lib64clamav6-0.98.4-1.mga4.x86_64 is already installed

Update with freshclam ( takes awhile )

    [wilcal@localhost ~]$ cd /var/lib/clamav
    [wilcal@localhost clamav]$ ls -al
    total 94376
    drwxrwxr-x 3 clamav clamav 4096 Nov 22 12:59 ./
    drwxr-xr-x 45 root root 4096 Nov 22 12:52 ../
    -rw-r--r-- 1 clamav clamav 74230 Nov 22 12:59 bytecode.cvd
    -rw-r--r-- 1 clamav clamav 31823730 Nov 22 12:59 daily.cvd
    -rw-r--r-- 1 clamav clamav 64720632 Sep 20 2013 main.cvd
    -rw------- 1 clamav clamav 364 Nov 22 12:59 mirrors.dat
    drwxr-xr-x 2 clamav clamav 4096 Jun 22 12:51 tmp/

run clamscan

    [root@localhost ~]# clamscan -i -r /etc
    ----------- SCAN SUMMARY -----------
    Known viruses: 3688776
    Engine version: 0.98.4
    Scanned directories: 480
    Scanned files: 1894
    Infected files: 0
    Data scanned: 42.59 MB
    Data read: 32.71 MB (ratio 1.30:1)
    Time: 11.620 sec (0 m 11 s)

install clamav clamav-db & lib64clamav6 from updates_testing

    [root@localhost wilcal]# urpmi clamav
    Package clamav-0.98.5-1.mga4.x86_64 is already installed
    [root@localhost wilcal]# urpmi clamav-db
    Package clamav-db-0.98.5-1.mga4.noarch is already installed
    [root@localhost wilcal]# urpmi lib64clamav6
    Package lib64clamav6-0.98.5-1.mga4.x86_64 is already installed

Update with freshclam - database is up-to-date

run clamscan

    [root@localhost wilcal]# clamscan -i -r /etc
    ----------- SCAN SUMMARY -----------
    Known viruses: 3688776
    Engine version: 0.98.5
    Scanned directories: 480
    Scanned files: 1894
    Infected files: 0
    Data scanned: 42.59 MB
    Data read: 32.71 MB (ratio 1.30:1)
    Time: 12.165 sec (0 m 12 s)

Successful clamscan.

Testing complete for mga3 32 & 64
Testing complete for mga4 32 & 64

Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update

Advisory uploaded.

CC: (none) => remi

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0487.html

Status: NEW => RESOLVED

LWN reference for CVE-2014-9050:
http://lwn.net/Vulnerabilities/623205/
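
The QA procedure used in the comments above (check the engine version, scan the sample with `clamscan -a`, confirm the scanner no longer dies with a segmentation fault), as an added example that is not part of the original bug report or of ClamAV. The function names are hypothetical and the sample path is supplied by the tester; the 0/1/2 exit codes are the ones documented for clamscan.

```shell
#!/bin/sh
# Added example: verify the CVE-2013-6497 fix the way the QA comments do.
FIXED_VERSION="0.98.5"   # fixed release named in the advisory

# "ClamAV 0.98.4/19650/Thu Nov 20 ..." -> "0.98.4"
engine_version() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*/\1/p'
}

# Succeed when dotted version $1 is strictly older than $2.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        # Drop the leading field; nothing is left once no dot remains.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# clamscan exits 0 (clean), 1 (virus found) or 2 (error). A status above
# 128 means the process died from signal (status - 128); 139 is SIGSEGV.
classify_status() {
    case $1 in
        0) echo clean ;;
        1) echo infected ;;
        2) echo scan-error ;;
        *) if [ "$1" -gt 128 ]; then echo "crash-signal-$(($1 - 128))"
           else echo unknown; fi ;;
    esac
}

# Scan one sample with -a; fail if the scanner crashed or is unpatched.
run_check() {
    ver=$(engine_version "$(clamscan --version)")
    status=0
    clamscan -a "$1" >/dev/null 2>&1 || status=$?
    verdict=$(classify_status "$status")
    echo "engine=$ver status=$status verdict=$verdict"
    if version_lt "$ver" "$FIXED_VERSION"; then return 1; fi
    case $verdict in crash-*) return 1 ;; esac
}

# Usage: sh check.sh /path/to/sample  (path chosen by the tester)
if [ "$#" -gt 0 ]; then run_check "$1"; fi
```

Run once before and once after installing the update: the first run should report `crash-signal-11` on an affected engine, the second `clean` with engine 0.98.5.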