Bug 6491 - clamav needs updated to 0.97.5 to fix security issues CVE-2012-1457, CVE-2012-1458, CVE-2012-1459
: clamav needs updated to 0.97.5 to fix security issues CVE-2012-1457, CVE-2012...
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
:
: MGA1TOO MGA2-32-OK MGA2-64-OK mga1-32...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-06-17 19:16 CEST by David Walser
Modified: 2012-07-09 17:28 CEST (History)
8 users (show)

See Also:
Source RPM: clamav-0.97.4-2.mga2.src.rpm
CVE:


Attachments
Test case for CVE-2012-1457 (could not reproduce bug though) (10.00 KB, application/octet-stream)
2012-06-25 17:13 CEST, Zoltan Balaton
Details

Description David Walser 2012-06-17 19:16:36 CEST
Mandriva has also updated this in Mandriva 2010.2 updates, so it also needs to be updated so that upgrading from that release still works.

Current Mandriva version is 0.97.5-0.1mdv2010.2
Comment 1 Thomas Spuhler 2012-06-18 00:45:28 CEST
Fixed in Cauldron
Comment 2 David Walser 2012-06-18 03:29:45 CEST
Thanks Thomas.  I see the updates for Mageia 1 and 2 are built as well.

Now we just need an advisory.  I was going to use the CVE blurbs, but they're a bit verbose :o)  Here's an incomplete one.  Feel free to augment it.

Incomplete Advisory:
========================

Updated clamav packages fix security vulnerabilities:

This updates clamav to 0.97.5 which fixes three security issues
(CVE-2012-1457, CVE-2012-1458, CVE-2012-1459), as well as some
other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1459
http://blog.clamav.net/2012/06/clamav-0975-has-been-released.html
========================

Updated packages in core/updates_testing:
========================
clamav-0.97.5-1.mga1
clamd-0.97.5-1.mga1
clamav-milter-0.97.5-1.mga1
clamav-db-0.97.5-1.mga1
libclamav6-0.97.5-1.mga1
libclamav-devel-0.97.5-1.mga1
clamav-0.97.5-1.mga2
clamd-0.97.5-1.mga2
clamav-milter-0.97.5-1.mga2
clamav-db-0.97.5-1.mga2
libclamav6-0.97.5-1.mga2
libclamav-devel-0.97.5-1.mga2

from SRPMS:
clamav-0.97.5-1.mga1.src.rpm
clamav-0.97.5-1.mga2.src.rpm
Comment 3 Thomas Spuhler 2012-06-18 03:37:43 CEST
David, I haven't tested the updates yet and I am not sure I get to test them tonight.
I am OK with the advisery
Comment 4 David Walser 2012-06-18 04:07:30 CEST
OK, no problem.  I'll move QA to CC and you can assign back to them when it's really ready (sorry for jumping the gun :o).
Comment 5 Thomas Spuhler 2012-06-18 05:10:02 CEST
David, I haven't tested the updates yet and I am not sure I get to test them tonight.
I am OK with the advisery
Comment 6 Thomas Spuhler 2012-06-18 05:32:00 CEST
Ooops someone got in between.
I have now installed the update on mga2 and scanned the home directory.
The software installed and the scan went OK
I did the same on my mga1 server and additionally I sent my self a good test message and It came through. I also sent myself a e-mail that had the eicar test virus and it did not get through.
I consider the software is ready to be released for the update.
Comment 7 David Walser 2012-06-18 20:28:53 CEST
Mandriva's advisory has better descriptions for the security issues fixed:
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:094
Comment 8 Zoltan Balaton 2012-06-25 00:20:04 CEST
I've tried it on mga2 i586: updated related *clam* packages from Testing and checked if it still works. Sent a message with the EICAR test string which was correctly catched by clamd and ran a scan with clamscan which seemed to work as well. Could not check if the actual issues are fixed but at least I found no regressions so I'd trust upstream for the fixes here. I suggest to accept this update.

Only noticed one thing which does not block this just mentioning it in case someone want's to look at it. After the update, freshclam downloaded some database updates but issued a warning at the end:

WARNING: Clamd was NOT notified: Can't connect to clamd through /var/lib/clamav/clamd.socket

Maybe clamd did not start yet (or was restarting at that moment). Here is what's in the log:

Jun 24 22:53:24 systemd[1]: Reloading.
Jun 24 22:53:25 systemd[1]: freshclam.service: main process exited, code=exited, status=2
Jun 24 22:53:25 freshclam[18315]: Stopping Clam AntiVirus Update Daemon: [  OK  ]
Jun 24 22:53:25 systemd[1]: Unit freshclam.service entered failed state.
Jun 24 22:53:26 freshclam[18343]: Starting Clam AntiVirus Update Daemon: [  OK  ]
Jun 24 22:53:26 systemd[1]: Reloading.
Jun 24 22:53:28 clamd[18388]: Stopping Clam AntiVirus Daemon: [  OK  ]
Jun 24 22:53:42 clamd[18417]: Starting Clam AntiVirus Daemon: [  OK  ]

When I checked, the socket already existed and clamd has automatically reread the database 10 minutes later during the next regular selfcheck so this did "selfheal":
Sun Jun 24 23:03:41 2012 -> No stats for Database check - forcing reload
Sun Jun 24 23:03:42 2012 -> Reading databases from /var/lib/clamav
Sun Jun 24 23:03:53 2012 -> Database correctly reloaded (1258767 signatures)
Comment 9 Zoltan Balaton 2012-06-25 16:11:02 CEST
Added tag for testing clamav-0.97.5-1.mga2.src.rpm on mga2 i586 (see Comment 8 for details)
Comment 10 user7 2012-06-25 16:31:19 CEST
INFO: No PoCs could be found, so the security fixes can not be verified. Therefore only regression testing is needed.
Comment 11 Zoltan Balaton 2012-06-25 17:13:26 CEST
Created attachment 2492 [details]
Test case for CVE-2012-1457 (could not reproduce bug though)
Comment 12 Zoltan Balaton 2012-06-25 17:14:14 CEST
Tried to reproduce at least one of the CVEs described at http://www.securityfocus.com/archive/1/522005 on mga2 x86_64. I've constructed the attached tar file as per point 39. as a test case for CVE-2012-1457 but clamscan could detect it even before the update and can still detect it with version 0.97.5-1.mga2. I conclude that I found no regressions on x86_64 either so it's tested for both archs for mga2 now.
Comment 13 Dave Hodgins 2012-07-04 00:51:48 CEST
Testing complete on Mageia 1 i586.

Just used freshclam in update, and clamscan on eicar.
Comment 14 Samuel Verschelde 2012-07-08 16:25:17 CEST
Testing complete on Mageia 1 x86_64

No additional dependency found by depcheck.

See comment #2 for advisory and list of packages.

If someone provides a better advisory before the package is pushed, use the new one, otherwise that one will do.
Comment 15 David Walser 2012-07-08 16:31:13 CEST
Here's a better one :o)

Advisory:
========================

Updated clamav packages fix security vulnerabilities:

The TAR file parser in ClamAV 0.96.4 allows remote attackers to bypass
malware detection via a TAR archive entry with a length field that
exceeds the total TAR file size. NOTE: this may later be SPLIT into
multiple CVEs if additional information is published showing that the
error occurred independently in different TAR parser implementations
(CVE-2012-1457).

The Microsoft CHM file parser in ClamAV 0.96.4 allows remote attackers
to bypass malware detection via a crafted reset interval in the LZXC
header of a CHM file. NOTE: this may later be SPLIT into multiple CVEs
if additional information is published showing that the error occurred
independently in different CHM parser implementations (CVE-2012-1458).

The TAR file parser in ClamAV 0.96.4 allows remote attackers to
bypass malware detection via a TAR archive entry with a length field
corresponding to that entire entry, plus part of the header of the
next entry. NOTE: this may later be SPLIT into multiple CVEs if
additional information is published showing that the error occurred
independently in different TAR parser implementations (CVE-2012-1459). 

This update upgrades clamav to the latest version (0.97.5), which
resolves these security issues as well as some other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1459
http://blog.clamav.net/2012/06/clamav-0975-has-been-released.html
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:094
========================

Updated packages in core/updates_testing:
========================
clamav-0.97.5-1.mga1
clamd-0.97.5-1.mga1
clamav-milter-0.97.5-1.mga1
clamav-db-0.97.5-1.mga1
libclamav6-0.97.5-1.mga1
libclamav-devel-0.97.5-1.mga1
clamav-0.97.5-1.mga2
clamd-0.97.5-1.mga2
clamav-milter-0.97.5-1.mga2
clamav-db-0.97.5-1.mga2
libclamav6-0.97.5-1.mga2
libclamav-devel-0.97.5-1.mga2

from SRPMS:
clamav-0.97.5-1.mga1.src.rpm
clamav-0.97.5-1.mga2.src.rpm
Comment 16 Thomas Backlund 2012-07-09 17:28:26 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0144

Note You need to log in before you can comment on or make changes to this bug.