Ubuntu
clamav package

Possible invalid memory access in versions before 0.93.1

Bug #238575 reported by Scott Kitterman
254
Affects Status Importance Assigned to Milestone
clamav (Ubuntu)
Fix Released
Medium
Unassigned
Dapper
Fix Released
Medium
Leonel Nunez
Feisty
Fix Released
Medium
Leonel Nunez
Gutsy
Fix Released
Medium
Leonel Nunez
Hardy
Fix Released
Medium
Leonel Nunez
Intrepid
Fix Released
Medium
Unassigned

Bug Description

Binary package hint: clamav

Security fix from the latest clamav release:

Wed Jun 4 14:18:12 CEST 2008 (tk)
----------------------------------
  * 0.93.1

Wed Jun 4 14:18:27 CEST 2008 (tk)
----------------------------------
  * libclamav/petite.c: fix possible invalid memory access (bb#1000)
   Reported by Damian Put

Code is identical in 0.92.1, so all supported Ubuntu versions are affected.

Revision history for this message
Scott Kitterman (kitterman) wrote :

Attached diff for 0.92.1

Changed in clamav:
importance: Undecided → Medium
status: New → Triaged
assignee: nobody → leonelnunez
importance: Undecided → Medium
status: New → In Progress
assignee: nobody → leonelnunez
importance: Undecided → Medium
status: New → In Progress
assignee: nobody → leonelnunez
status: New → Triaged
status: Triaged → In Progress
importance: Undecided → Medium
assignee: nobody → leonelnunez
importance: Undecided → Medium
status: New → In Progress
Revision history for this message
Scott Kitterman (kitterman) wrote :

For Intrepid, we should just wait and get 0.93.1 from Debian when they have it.

Revision history for this message
Leonel Nunez (leonelnunez) wrote :

Diff for gutsy applies fine
builded with pbuild and installed fine
tested all working fine

Revision history for this message
Leonel Nunez (leonelnunez) wrote :

Gutsy debdiff missing the 00list entry for the new patch ...
working on it

Revision history for this message
Leonel Nunez (leonelnunez) wrote :

Diff for gutsy applies fine
builded with pbuild and installed fine
tested all working fine

All checked even 00list ;)

Revision history for this message
Leonel Nunez (leonelnunez) wrote :

Patch applied fine builded with pbuilder all fine
installed and tested all working fine

Revision history for this message
Leonel Nunez (leonelnunez) wrote :

This is the debdiff fixed with the 00list edited to include the patch
all builds, installs and works fine

Revision history for this message
Leonel Nunez (leonelnunez) wrote :

And this is for hardy

Applies, builds, installs and works fine

Revision history for this message
Scott Kitterman (kitterman) wrote :

I've also tested the hardy version on my test mail server with clamsmtp.

The patch is identical (except the revision number) for all of them, so I think they are all good to go.

Revision history for this message
Scott Kitterman (kitterman) wrote :

I would suggest changing the dapper revision from dapper3 to dapper2ubuntu1 to be consistent with the others.

Revision history for this message
Leonel Nunez (leonelnunez) wrote :

Does this means That I should redo the diff with the change ??

Revision history for this message
Scott Kitterman (kitterman) wrote : Re: [Bug 238575] Re: Possible invalid memory access in versions before 0.93.1

I think they can just edit it before they upload it.

Revision history for this message
Leonel Nunez (leonelnunez) wrote :

ok

in case they don't I can redo the diff

Revision history for this message
Kees Cook (kees) wrote :

I've fixed up all the changelog entries to follow a more regular format, e.g.:

  * SECURITY UPDATE: fix possible invalid memory access
  * added 27_petite.c.dpatch: (LP: #238575)
    - libclamav/petite.c: fix possible invalid memory access
  * References
    CVE-2008-2713

(And added the now-assigned CVE #)

Additionally, I cleaned up the version numbers (ubuntu0.1 for hardy, and bump for the ~ versions, instead of adding ubuntu1)

Revision history for this message
Kees Cook (kees) wrote :

Intrepid was fixed with the sync of 0.93.1

Changed in clamav:
status: Triaged → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.92.1~dfsg2-1.1ubuntu0.1

---------------
clamav (0.92.1~dfsg2-1.1ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: fix possible invalid memory access
  * added 27_petite.c.dpatch: (LP: #238575)
    - libclamav/petite.c: fix possible invalid memory access
  * References
    CVE-2008-2713

 -- Leonel Nunez <email address hidden> Mon, 09 Jun 2008 15:46:30 -0600

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.92.1~dfsg2-1.1~gutsy3

---------------
clamav (0.92.1~dfsg2-1.1~gutsy3) gutsy-security; urgency=low

  * SECURITY UPDATE: fix possible invalid memory access
  * added 27_petite.c.dpatch: (LP: #238575)
    - libclamav/petite.c: fix possible invalid memory access
  * References
    CVE-2008-2713

 -- Leonel Nunez <email address hidden> Mon, 09 Jun 2008 12:10:04 -0600

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.92.1~dfsg2-1.1~feisty3

---------------
clamav (0.92.1~dfsg2-1.1~feisty3) feisty-security; urgency=low

  * SECURITY UPDATE: fix possible invalid memory access
  * added 27_petite.c.dpatch: (LP: #238575)
    - libclamav/petite.c: fix possible invalid memory access
  * References
    CVE-2008-2713

 -- Leonel Nunez <email address hidden> Mon, 9 Jun 2008 13:07:42 -0600

Changed in clamav:
status: In Progress → Fix Released
status: In Progress → Fix Released
status: In Progress → Fix Released
Scott Kitterman (kitterman)
Changed in clamav:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.