Bug 15155 - clamav upstream release new version
Summary: clamav upstream release new version
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/631499/
Whiteboard: MGA4-32-OK MGA4-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-01-29 16:11 CET by Thomas Spuhler
Modified: 2015-02-17 23:08 CET

See Also:
Source RPM: clamav
CVE:
Status comment:


Attachments
Test results (3.13 KB, text/plain)
2015-02-05 21:18 CET, Thomas Spuhler

Description Thomas Spuhler 2015-01-29 16:11:38 CET
Description of problem:
upstream release new version

Comment 1 Thomas Spuhler 2015-01-29 18:18:14 CET
The following packages are in updates_testing:

clamav-0.98.6-1.mga5.src.rpm
clamav-0.98.6-1.mga5.x86_64.rpm
clamd-0.98.6-1.mga5.x86_64.rpm
clamav-milter-0.98.6-1.mga5.x86_64.rpm
clamav-db-0.98.6-1.mga5.noarch.rpm
lib64clamav6-0.98.6-1.mga5.x86_64.rpm
lib64clamav-devel-0.98.6-1.mga5.x86_64.rpm
clamav-debuginfo-0.98.6-1.mga5.x86_64.rpm

and corresponding i586 packages

Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs

William Kenney 2015-01-29 18:29:02 CET

CC: (none) => wilcal.int
Summary: upstream release new version => clamav upstream release new version

Comment 2 claire robinson 2015-01-29 18:31:57 CET
These are Mageia 5 packages Thomas.
Comment 3 Thomas Spuhler 2015-01-29 18:39:05 CET
I know, I asked for a freeze push last night
Comment 4 Thomas Spuhler 2015-01-29 18:42:48 CET
Ooops, I copied them from my cauldron buildbox.
The correct versions are:

clamav-0.98.6-1.mga4.src.rpm
clamav-0.98.6-1.mga4.x86_64.rpm
clamd-0.98.6-1.mga4.x86_64.rpm
clamav-milter-0.98.6-1.mga4.x86_64.rpm
clamav-db-0.98.6-1.mga4.noarch.rpm
lib64clamav6-0.98.6-1.mga4.x86_64.rpm
lib64clamav-devel-0.98.6-1.mga4.x86_64.rpm
clamav-debuginfo-0.98.6-1.mga4.x86_64.rpm

and corresponding i586 packages
Comment 5 William Kenney 2015-01-29 18:57:30 CET
Ya I'm having a problem working with what's in the M4 repo
Comment 6 William Kenney 2015-01-29 19:25:23 CET
OK After the qa-meeting I'll update my local repo again
and give it a go again.
Comment 7 David Walser 2015-01-29 23:41:35 CET
This is actually a security update.  This update was mentioned on oss-security:
http://openwall.com/lists/oss-security/2015/01/29/25

I don't know if there will be any additional CVEs beyond the one already listed.  The contents of the upstream announcement can be used as the basis for an advisory.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9328
http://blog.clamav.net/2015/01/clamav-0986-has-been-released.html

Component: RPM Packages => Security
QA Contact: (none) => security

Comment 8 Thomas Spuhler 2015-01-30 02:06:34 CET
(In reply to David Walser from comment #7)
> This is actually a security update.  This update was mentioned on
> oss-security:
> http://openwall.com/lists/oss-security/2015/01/29/25
> 
> I don't know if there will be any additional CVEs beyond the one already
> listed.  The contents of the upstream announcement can be used as the basis
> for an advisory.
> 
> References:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9328
> http://blog.clamav.net/2015/01/clamav-0986-has-been-released.html

Sorry, I didn't see the security issue. I got an e-mail telling there was a new release.
Comment 9 William Kenney 2015-01-31 18:25:17 CET
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
clamav clamav-db libclamav6

install clamav clamav-db & libclamav6

[root@localhost wilcal]# urpmi clamav
Package clamav-0.98.5-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.98.5-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi libclamav6
Package libclamav6-0.98.5-1.mga4.i586 is already installed

Update with freshclam ( takes awhile )
[root@localhost wilcal]# freshclam

[root@localhost clamav]# ls -al
total 95516
drwxrwxr-x  3 clamav clamav     4096 Jan 31 09:11 ./
drwxr-xr-x 45 root   root       4096 Jan 31 08:57 ../
-rw-r--r--  1 clamav clamav    71319 Jan 31 09:11 bytecode.cvd
-rw-r--r--  1 clamav clamav 32991439 Jan 31 09:11 daily.cvd
-rw-r--r--  1 clamav clamav 64720632 Sep 20  2013 main.cvd
-rw-------  1 clamav clamav      520 Jan 31 09:11 mirrors.dat
drwxr-xr-x  2 clamav clamav     4096 Nov 19 06:25 tmp/

run clamscan on /etc

[root@localhost etc]# clamscan -r -i

----------- SCAN SUMMARY -----------
Known viruses: 3735452
Engine version: 0.98.5
Scanned directories: 481
Scanned files: 1896
Infected files: 0
Data scanned: 41.58 MB
Data read: 31.69 MB (ratio 1.31:1)
Time: 12.658 sec (0 m 12 s)

install clamav clamav-db & libclamav6 from updates_testing

[root@localhost wilcal]# urpmi clamav
Package clamav-0.98.6-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.98.6-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi libclamav6
Package libclamav6-0.98.6-1.mga4.i586 is already installed

clamav database is up-to-date

run clamscan on /etc

[root@localhost etc]# clamscan -r -i

----------- SCAN SUMMARY -----------
Known viruses: 3735452
Engine version: 0.98.6
Scanned directories: 481
Scanned files: 1896
Infected files: 0
Data scanned: 41.58 MB
Data read: 31.69 MB (ratio 1.31:1)
Time: 9.888 sec (0 m 9 s)

Successful clamscan.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
William Kenney 2015-01-31 18:25:28 CET

Whiteboard: (none) => MGA4-32-OK

Comment 10 William Kenney 2015-01-31 18:56:37 CET
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
clamav clamav-db lib64clamav6

install clamav clamav-db & lib64clamav6

[root@localhost wilcal]# urpmi clamav
Package clamav-0.98.5-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.98.5-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi lib64clamav6
Package lib64clamav6-0.98.5-1.mga4.x86_64 is already installed

Update with freshclam ( takes awhile )
[root@localhost wilcal]# freshclam

[root@localhost clamav]# ls -al
total 95516
drwxrwxr-x  3 clamav clamav     4096 Jan 31 09:11 ./
drwxr-xr-x 45 root   root       4096 Jan 31 08:57 ../
-rw-r--r--  1 clamav clamav    71319 Jan 31 09:11 bytecode.cvd
-rw-r--r--  1 clamav clamav 32991439 Jan 31 09:11 daily.cvd
-rw-r--r--  1 clamav clamav 64720632 Sep 20  2013 main.cvd
-rw-------  1 clamav clamav      520 Jan 31 09:11 mirrors.dat
drwxr-xr-x  2 clamav clamav     4096 Nov 19 06:25 tmp/

run clamscan on /etc

[wilcal@localhost etc]$ clamscan -r -i

----------- SCAN SUMMARY -----------
Known viruses: 3735452
Engine version: 0.98.5
Scanned directories: 336
Scanned files: 1644
Infected files: 0
Total errors: 203
Data scanned: 34.78 MB
Data read: 25.66 MB (ratio 1.36:1)
Time: 8.389 sec (0 m 8 s)

install clamav clamav-db & lib64clamav6 from updates_testing

[root@localhost wilcal]# urpmi clamav
Package clamav-0.98.6-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.98.6-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi lib64clamav6
Package lib64clamav6-0.98.6-1.mga4.x86_64 is already installed

clamav database is up-to-date

run clamscan on /etc

[wilcal@localhost etc]$ clamscan -r -i

----------- SCAN SUMMARY -----------
Known viruses: 3735452
Engine version: 0.98.6
Scanned directories: 336
Scanned files: 1644
Infected files: 0
Total errors: 203
Data scanned: 34.78 MB
Data read: 25.66 MB (ratio 1.36:1)
Time: 8.417 sec (0 m 8 s)

Successful clamscan.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
William Kenney 2015-01-31 18:56:54 CET

Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK

Comment 11 William Kenney 2015-01-31 18:57:49 CET
This update works fine.
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 12 Rémi Verschelde 2015-02-03 12:22:08 CET
Advisory uploaded as:

  ClamAV 0.98.6 is a maintenance release to fix some bugs, some of them being
  security bugs:

  Fix a heap out of bounds condition with crafted Yoda's crypter files.
  This issue was discovered by Felix Groebert of the Google Security Team.

  Fix a heap out of bounds condition with crafted mew packer files.
  This issue was discovered by Felix Groebert of the Google Security Team.

  Fix a heap out of bounds condition with crafted upx packer files.
  This issue was discovered by Kevin Szkudlapski of Quarkslab.

  Fix a heap out of bounds condition with crafted upack packer files.
  This issue was discovered by Sebastian Andrzej Siewior (CVE-2014-9328).

  Compensate a crash due to incorrect compiler optimization when handling crafted
  petite packer files. This issue was discovered by Sebastian Andrzej Siewior.


References:
 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9328
 - http://blog.clamav.net/2015/01/clamav-0986-has-been-released.html

CC: (none) => remi
Whiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK advisory

David Walser 2015-02-03 17:47:46 CET

URL: (none) => http://lwn.net/Vulnerabilities/631499/

Comment 13 David Walser 2015-02-03 17:57:56 CET
Does this update address the issues in the bundled libmspack in clamav referenced here?:
http://openwall.com/lists/oss-security/2015/02/03/12
http://lwn.net/Vulnerabilities/631508/
http://lists.opensuse.org/opensuse-updates/2015-02/msg00004.html
Comment 14 David Walser 2015-02-03 18:03:50 CET
The Novell bug says that it's fixed upstream in clamav, but doesn't say if it's just in version control or in a released version:
https://bugzilla.suse.com/show_bug.cgi?id=912214

The Debian bug has a PoC and says how they fixed it in their clamav package:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773041

Unvalidating now until this can be checked.

Keywords: validated_update => (none)

Comment 15 David Walser 2015-02-03 18:38:38 CET
This says that clamav is not affected:
http://seclists.org/oss-sec/2015/q1/85

but there seems to be some confusion about this:
https://bugzilla.redhat.com/show_bug.cgi?id=1178867
Comment 16 Thomas Spuhler 2015-02-04 00:25:44 CET
It seems, the upgrade is just what it says, an upgrade and not a security fix.
Maybe we should push the upgrade and leave and enter a new bug for the security issue?
Comment 17 Rémi Verschelde 2015-02-04 00:33:24 CET
Well see the advisory in comment 12 that I copy pasted from the upstream release notes, all those are security fixes.

What David is referring to AFAIU is other potential security issues that are being discussed (i.e. there might be a new clamav release in the coming days to address them).
Comment 18 David Walser 2015-02-04 15:28:41 CET
If someone can test having clamav scan a mail with the hang.cab file from this message attached to it:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772891#3

and verify that it doesn't go into an infinite loop and hang, then we're fine.
Comment 19 Thomas Spuhler 2015-02-04 15:44:40 CET
I could do this later today.
Comment 20 Thomas Spuhler 2015-02-05 21:16:40 CET
Well, it's not that straightforward. The way it's usually done is, the mta (postfix in my case) receives the e-mail, may accept it and forwards it to amavisd for scanning for spam and then using the configured antivirus program (in my case clamd) to scan it for viruses and then re-injects it to postfix which may use other filters (in my case wallace) which then re-injects it back to postfix which in turn forwards it to (in my case cyrus-imap)

amavisd extracts the attachments using cabextract for hang.cab. Here is where we have the problem (see the systemctl -l status amavisd output in the attachment)

It takes cabextract about 5 minutes to time out. This is the case regardless which clamav version is being used. However, the mail then goes through and ends up in the mailbox. This is in my opinion a security issue as the file is not being scanned properly.

On the other side, with the current clamav-0.98.6 clamscan takes about 9 minutes to scan hang.cab vs. 2 secs with the new clamav-0.98.6

I think, we should release clamav-0.98.6 but file a security bug for cabextract.
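
The hang check requested in comment 18 and run by hand in comment 20 can be scripted with a hard deadline. This is an added example, not part of the thread or of any project's tooling: `scan_with_deadline` is a hypothetical helper, it assumes coreutils `timeout`, and it relies on clamscan's exit codes (0 clean, 1 detection, 2 error).

```shell
#!/bin/sh
# Added example: bounded-time scan of one sample, to tell "finished" from "hung".
# Assumes coreutils `timeout`; clamscan exit codes: 0 clean, 1 detection, 2 error.

# scan_with_deadline SECONDS SAMPLE [SCANNER ARGS...]
# Prints one word: clean | detection | hang | error. Timing details go to stderr.
scan_with_deadline() {
    limit=$1
    sample=$2
    shift 2
    # Default scanner; another command line can be passed for comparison runs.
    [ $# -gt 0 ] || set -- clamscan --no-summary
    start=$(date +%s)
    rc=0
    # -k 5: send SIGKILL if the scanner ignores SIGTERM for 5 more seconds.
    timeout -k 5 "$limit" "$@" "$sample" >/dev/null 2>&1 || rc=$?
    elapsed=$(( $(date +%s) - start ))
    echo "elapsed=${elapsed}s limit=${limit}s rc=$rc" >&2
    case $rc in
        0)       echo clean ;;
        1)       echo detection ;;
        124|137) echo hang ;;       # 124: timed out; 137: had to be killed
        *)       echo error ;;
    esac
}

# Run only when called with arguments, e.g.: sh scan_deadline.sh 60 hang.cab
if [ $# -ge 2 ]; then
    scan_with_deadline "$@"
fi
```

Running it once per installed engine version with the same deadline gives a before/after result that does not depend on someone watching the clock.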
Comment 21 Thomas Spuhler 2015-02-05 21:18:08 CET
Created attachment 5859
Test results
Comment 22 Thomas Spuhler 2015-02-06 01:50:53 CET
filed bug #15211 for cabextract
Comment 23 David Walser 2015-02-06 03:26:10 CET
If clamav shells out to cabextract rather than using its internal libmspack code, then we're good, because we just fixed the issue in the cabextract package.
Comment 24 Oden Eriksson 2015-02-06 12:39:55 CET
I did some investigation here. libmspack was added in 2004 and has a long history of flaws and security related issues since then. Look here:

[oden@n16 clamav-0.98.6]$ grep mspack ChangeLog 
 * port chm and mspack to fmap
 * libclamav/mspack.c: fix write error
 * libclamav/mspack.c: fix Quantum decompressor (bb#1771)
 * libclamav/mspack.c: improve unpacking of malformed cabinets (bb#1826)
 * libclamav/mspack.c: fix valgrind warnings about use of uninitialized
 * libclamav/mspack.c, cab.c: don't rely on file sizes stored in CAB headers (bb#1562)
 libclamav/mspack.c, libclamav/pe.c: fix more compiler warnings (bb
  * libclamav/mspack.c: downgrade some error messages (bb#911)
  * libclamav/mspack.[ch]: fix build on NetBSD 4.0 (bb #921)
  * libclamav/mspack.c: fix possible infinite loop introduced in r3717 (bb#899)
  * libclamav/mspack.c: fix handling of MSZIP compressed folders (bb#882)
  * libclamav/mspack.c: fix off-by-one error in LZX_READ_HUFFSYM() (bb#663)
  * libclamav/cab.c: properly handle errors from mspack
  * libclamav/mspack: remove files
  * libclamav/mspack.[ch]: cleaned and better adopted for libclamav code from
                           libmspack
  * libclamav/chmunpack.c: use new mspack module
  * libclamav/mspack: fix double close of file descriptor, patch from NJH
  * libclamav/mspack/cabd.c: fix possible infinite loop in cabd_find
  * libclamav/mspack/mszipd.c: zipd_read_input: fake one more byte if input
  * libclamav/mspack: some cab archives were not properly decompressed (problem
  * libclamav/mspack/qtmd.c: fix possible crash
  * libclamav/mspack/cabd.c: fix possible infinite loop
  * libclamav/mspack/cabd.c: fix possible description leak
  * libclamav: mspack: fix memory leak
  * libclamav: mspack: fix bounds error (found by Nigel). Original author
  * libclamav: support MS cabinet files (test/test.cab). Based on libmspack.

libmspack is bundled into clamav so the cabextract binary is never used.


Further investigation shows that libmspack is also bundled with the following packages:

calibre
evolution-ews
pidgin-msn-pecan

For calibre I found no easy way to unbundle libmspack.

For evolution-ews you need to add:
BuildRequires:  pkgconfig(libmspack)
--with-internal-lzx=no

For pidgin-msn-pecan you need to patch some files but I think it's not impossible.


For the cabextract package itself you need to add:
BuildRequires:  pkgconfig(libmspack)
--with-external-libmspack


The libmspack package was just added to cauldron.

Cheers.

CC: (none) => oe
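
The search for bundled libmspack copies described in comment 24 can be approximated over a directory of unpacked source trees. This is an added example, not part of the thread: the function names are hypothetical, and the marker file names are an assumption taken from the ChangeLog lines quoted in that comment, so a hit is a lead to inspect by hand rather than proof of bundling.

```shell
#!/bin/sh
# Added example: heuristic search for bundled libmspack sources.
# Marker names are an assumption drawn from the ChangeLog lines quoted above.
MSPACK_MARKERS='cabd.c mszipd.c qtmd.c mspack.c mspack.h'

# find_bundled_mspack ROOT
# Prints every directory under ROOT that holds a marker file, once each.
find_bundled_mspack() {
    root=$1
    set --
    for name in $MSPACK_MARKERS; do
        set -- "$@" -o -name "$name"
    done
    shift    # drop the leading -o so the expression starts with -name
    find "$root" -type f \( "$@" \) -print 2>/dev/null |
        while IFS= read -r path; do dirname "$path"; done | sort -u
}

# audit_packages DIR
# DIR holds one unpacked source tree per subdirectory; prints the names of
# the subdirectories in which a bundled copy was found.
audit_packages() {
    for pkg in "$1"/*/; do
        [ -d "$pkg" ] || continue
        hits=$(find_bundled_mspack "$pkg")
        [ -n "$hits" ] && basename "$pkg"
    done
    return 0
}

# Run only when called with a directory, e.g.: sh mspack_audit.sh ~/rpmbuild/BUILD
if [ $# -ge 1 ]; then
    audit_packages "$1"
fi
```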

Comment 25 Thomas Spuhler 2015-02-06 18:39:27 CET
(In reply to David Walser from comment #23)
> If clamav shells out to cabextract rather than using its internal libmspack
> code, then we're good, because we just fixed the issue in the cabextract
> package.

No, amavisd uses cabextract before handing it to clamd
Comment 26 David Walser 2015-02-06 18:45:53 CET
(In reply to Thomas Spuhler from comment #25)
> (In reply to David Walser from comment #23)
> > If clamav shells out to cabextract rather than using its internal libmspack
> > code, then we're good, because we just fixed the issue in the cabextract
> > package.
> 
> No, amavisd uses cabextract before handing it to clamd

Oh I see.  Is there a way to just ask clamav to scan the .cab file?

CC: (none) => luigiwalser

Comment 27 David Walser 2015-02-06 18:51:50 CET
(In reply to Thomas Spuhler from comment #21)
> Created attachment 5859
> Test results

OK so it appears it is fixed in this update.  Re-validating.  Thanks.

CC: luigiwalser => (none)
Keywords: (none) => validated_update

Comment 28 Oden Eriksson 2015-02-07 11:21:10 CET
libmspack in cabextract, evolution-ews and pidgin-msn-pecan has been unbundled in cauldron. What remains is calibre, which needs hands-on work by a python wizard.
Comment 29 Mageia Robot 2015-02-09 22:44:51 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0056.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 30 David Walser 2015-02-13 16:51:29 CET
According to OpenSuSE, this also fixed CVE-2015-146[1-3]:
http://lists.opensuse.org/opensuse-updates/2015-02/msg00063.html

from http://lwn.net/Vulnerabilities/633210/
Comment 31 David Walser 2015-02-17 23:08:20 CET
More info about CVE-2014-9328 and CVE-2015-1463:
http://openwall.com/lists/oss-security/2015/02/17/5
http://openwall.com/lists/oss-security/2015/02/17/6
