Bugzilla – Bug 1045490
VUL-0: CVE-2012-6706: clamav: VMSF_DELTA filter allows arbitrary memory write
Last modified: 2018-11-25 07:41:19 UTC
+++ This bug was initially created as a clone of Bug #1045315 +++

This bug was opened to fix the original unrar bug inside the libclamunrar code inside ClamAV.

VMSF_DELTA filter in unrar allows arbitrary memory write

It appears that the VMSF_DELTA memory corruption that was reported to Sophos AV in 2012 (and fixed there) was actually inherited from upstream unrar. For unknown reasons the information did not reach upstream rar or was otherwise lost, and the bug seems to have persisted there to this day.

Base64-encoded RAR file reproducer to trigger the VMSF_DELTA issue:

UmFyIRoHAPlOcwAADgAAAAAAAAAAMAh0AAAmAI4AAAAAAAAAAhBBUiEAAAAAHQAGAAAAACBzdGRv
dXQgIVUMzRDNmBGByDAda+AXaSv4KvQr1K/oejL05mXmXmww5tEk8gA9k8nmieyeyeswuOR6cx69
a2Hd6zQwu3aoMDDwMEswADAAMD4P938w+dydoRFwAmwAAAAAvv////+/////+9W3QFgAAQAGAAAA
Ooimhd12AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

References:
https://blog.fefe.de/?ts=a7b4dd4f
https://bugs.chromium.org/p/project-zero/issues/detail?id=1286&desc=6
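The report names the bug class (an unvalidated filter parameter turning a delta filter's output loop into an out-of-bounds write) but does not show the mechanism. The following is an added, constructed model written for this page, not ClamAV's, unrar's or the reporter's code: a VMSF_DELTA-style filter that de-interleaves `channels` byte streams inside a fixed VM memory, with the parameter validation that has to run before the write loop. MODEL_VM_MEMSIZE, MODEL_MAX_CHANNELS, the function names and the sample bytes are assumptions of the model, and the shape of the check is an illustration of what such a fix needs, not a quotation of the upstream patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a VMSF_DELTA-style filter (not ClamAV's or unrar's
 * code). The RAR VM keeps a fixed memory block; the delta filter reads
 * data_size interleaved source bytes from [0, data_size) and writes the
 * de-interleaved result to [data_size, 2 * data_size), one stream per
 * channel. data_size and channels come from the archive, i.e. from
 * untrusted input, so the write loop is only safe once they have been
 * validated against the VM memory size. The constants are assumptions. */
#define MODEL_VM_MEMSIZE   0x40000u   /* assumed VM memory size for the model */
#define MODEL_MAX_CHANNELS 1024u      /* assumed upper bound on channel count */

/* Parameter validation that must precede any write. Bounding data_size by
 * half the memory keeps the whole output window inside mem and, together
 * with the UINT32_MAX / 2 bound, rules out data_size * 2 wrapping in 32 bits;
 * channels == 0 would make dest_pos += channels loop without advancing. */
static bool delta_params_ok(size_t mem_size, uint32_t data_size, uint32_t channels)
{
    if (data_size > UINT32_MAX / 2 || data_size > mem_size / 2)
        return false;
    if (channels == 0 || channels > MODEL_MAX_CHANNELS)
        return false;
    return true;
}

/* Applies the delta filter in place. Returns false, touching nothing, when
 * the parameters would drive dest_pos outside mem. */
static bool delta_filter(uint8_t *mem, size_t mem_size, uint32_t data_size, uint32_t channels)
{
    if (!delta_params_ok(mem_size, data_size, channels))
        return false;
    uint32_t border = data_size * 2;   /* cannot wrap: data_size <= mem_size / 2 */
    uint32_t src_pos = 0;              /* advances at most data_size times */
    for (uint32_t cur_channel = 0; cur_channel < channels; cur_channel++) {
        uint8_t prev = 0;
        /* dest_pos < border <= mem_size holds on every iteration only because
         * of the check above; without it this store is the arbitrary write. */
        for (uint32_t dest_pos = data_size + cur_channel; dest_pos < border; dest_pos += channels)
            mem[dest_pos] = (uint8_t)(prev -= mem[src_pos++]);
    }
    return true;
}

/* Constructed sample: a 64-byte VM memory holding the source bytes 1..8 and
 * two channels. Returns the byte at index i after filtering, or -1 if the
 * parameters were refused or i is outside the memory. */
static int sample_delta_byte(size_t i)
{
    uint8_t mem[64];
    memset(mem, 0, sizeof mem);
    for (uint8_t b = 0; b < 8; b++)
        mem[b] = (uint8_t)(b + 1);
    if (i >= sizeof mem || !delta_filter(mem, sizeof mem, 8, 2))
        return -1;
    return mem[i];
}

int main(void)
{
    printf("out[8..15]:");
    for (size_t i = 8; i < 16; i++)
        printf(" %d", sample_delta_byte(i));
    printf("\nrefused data_size 40 in 64 bytes: %s\n",
           delta_params_ok(64, 40, 2) ? "no" : "yes");
    return 0;
}
```

The model keeps the validation in its own function so that a reviewer can check the bound against the memory size in one place; the interesting property is that `delta_params_ok` is evaluated before the first store, so a refused archive leaves the VM memory untouched rather than partially overwritten.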
Created attachment 729856: Proposed patch

The unrar sources in ClamAV look quite different from current upstream. It looks like their code is based on an old C version of unrar while upstream has meanwhile rewritten it in C++. I've tried to port the patch posted in bug 1045315 to the code in ClamAV. It compiles and runs, but given that the demo archive doesn't even crash an unpatched ClamAV I have no easy smoke test to see if the patch works as intended. So, please review.
CVE-2012-6706 was assigned to this issue.
What makes me a bit nervous is the fact that RARLAB fixed several other potential security issues. "The RAR developers analyzed the entire rarvm.cpp and found / fixed other issues along with this issue. All users of unrar, and third-party developers that statically link to unrar, are strongly encouraged to update quickly."
True, but I think we should push out this (known) one rather quickly and then see what other (yet unknown) ones have been fixed as well. Hopefully ClamAV upstream will even consider upgrading their fork to the latest upstream version, or even allow linking against a system-supplied version if there is one.
The fix from comment 1 looks good.
Index: clamav.spec =================================================================== --- clamav.spec (revision 675972b1eb5820906884be5431a9afad) +++ clamav.spec (working copy) @@ -58,8 +58,8 @@ Obsoletes: clamav-db < 0.88.3 PreReq: %_sbindir/groupadd %_sbindir/useradd %_sbindir/usermod PreReq: /usr/bin/awk /bin/sed /bin/tar -Source0: http://www.clamav.net/downloads/%{name}-%{version}.tar.gz -Source10: http://www.clamav.net/downloads/%{name}-%{version}.tar.gz.sig +Source0: http://www.clamav.net/downloads/production/%{name}-%{version}.tar.gz +Source10: http://www.clamav.net/downloads/production/%{name}-%{version}.tar.gz.sig Source11: clamav.keyring Source4: clamav-rpmlintrc Source6: clamav-tmpfiles.conf
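Review bot: this hunk (@@ -58,8 +58,8 @@) only rewrites the Source0/Source10 download URLs to add the production/ path component; it carries no Patch: line for the proposed fix from attachment 729856 and no %prep application of it, so as posted the spec diff does not show the CVE-2012-6706 fix being built in. Suggest adding the Patch entry and its application in the same change, and confirming that the .sig fetched from the new Source10 location still verifies against clamav.keyring (Source11), since the keyring line is unchanged.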
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2017-07-04. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63715
SUSE-SU-2017:1716-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1040662,1045490
CVE References: CVE-2012-6706
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src): clamav-0.99.2-32.1
SUSE Linux Enterprise Server for SAP 12 (src): clamav-0.99.2-32.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): clamav-0.99.2-32.1
SUSE Linux Enterprise Server 12-SP2 (src): clamav-0.99.2-32.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): clamav-0.99.2-32.1
SUSE Linux Enterprise Server 12-LTSS (src): clamav-0.99.2-32.1
SUSE Linux Enterprise Desktop 12-SP2 (src): clamav-0.99.2-32.1
https://github.com/vrtadmin/clamav-devel/commit/d4699442bce76574573dc564e7f2177d679b88bd
Hmm - the upstream patch seems to contain more fixes than ours. Shall we re-spin the update using that patch or can we wait for 0.99.3? I've asked upstream if they already have an ETA for the new release.
Hmm, seems to have more fixes. Please submit incremental. One clamav is already out though.
SUSE-SU-2017:1763-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1045490,815106
CVE References: CVE-2012-6706
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): clamav-0.99.2-0.19.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): clamav-0.99.2-0.19.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): clamav-0.99.2-0.19.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): clamav-0.99.2-0.19.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): clamav-0.99.2-0.19.1
openSUSE-SU-2017:1797-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1045490
CVE References: CVE-2012-6706
Sources used:
openSUSE Leap 42.2 (src): clamav-0.99.2-16.3.1
Whoops, forgot to reassign this. I guess we can close it.