Bug 724856 – VUL-0: clamav recursion level crash

Bug 724856 - VUL-0: clamav recursion level crash


Summary:	VUL-0: clamav recursion level crash

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	General
Version:	unspecified
Hardware:	Other Other

Priority:	P5 - None Severity: Major
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	E-mail List

URL:
Whiteboard:	maint:released:11.3:43738 maint:relea...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2011-10-18 12:24 UTC by Sebastian Krahmer
Modified:	2017-12-03 09:03 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sebastian Krahmer 2011-10-18 12:24:48 UTC

Via OSS-sec:


Date: Tue, 18 Oct 2011 12:39:59 +0200
From: Hanno Böck
To: oss-security


Sadly, as we know, upstream clamav doesn't care about publishing
security advisories. They even seem to have stopped to publish new
versions on their -announce-list, so the only way to see changes is to
dig into the tar-file and see the Changelog.

This one here sounds like security relevant:
Sat Oct  8 12:10:13 EEST 2011 (edwin)
-------------------------------------
 * libclamav/bytecode.c,bytecode_api.c: fix recursion level crash (bb
   #3706).
Upstream bug is invisible to the public. Please assign CVE



Maybe others have a look at the full Changelog, but I think the rest
sounds non-security-relevant:
Mon Oct 17 18:04:30 CEST 2011 (tk)
----------------------------------
 * V 0.97.3

Mon Oct 10 14:41:48 CEST 2011 (tk)
----------------------------------
 * freshclam/manager.c: fix error when compiling without DNS support
(bb#3056)

Sat Oct  8 12:19:49 EEST 2011 (edwin)
-------------------------------------
 * libclamav/pdf.c: flag and dump PDF objects with /Launch (bb #3514)

Sat Oct  8 12:10:13 EEST 2011 (edwin)
-------------------------------------
 * libclamav/bytecode.c,bytecode_api.c: fix recursion level crash (bb
#3706).

Tue Aug  2 17:03:33 CEST 2011 (tk)
----------------------------------
 * docs: clarify behavior of --scan-*/Scan* options (bb#3134)

Mon Jul 25 16:09:19 EEST 2011 (edwin)
-------------------------------------
 * libclamav/bytecode_vm.c: fix opcode 20 error (bb #3100)

Thu Sep 15 14:44:11 CEST 2011 (tk)
----------------------------------
 * freshclam: fix pidfile removal (bb#3499)

Sun Aug 21 17:05:24 EEST 2011 (edwin)
-------------------------------------
 * libclamav/pdf.c:  fix incorrect blocking of some encrypted PDF with
empty user passwords. (bb #3364)

Wed Aug  3 15:41:28 CEST 2011 (tk)
----------------------------------
 * sigtool/sigtool.c: fix calculation of max signature length

Comment 1 Sebastian Krahmer 2011-10-19 06:47:22 UTC

CVE-2011-3627

Comment 2 Swamp Workflow Management 2011-10-19 08:21:24 UTC

The SWAMPID for this issue is 43729.
This issue was rated as moderate.
Please submit fixed packages until 2011-11-02.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.

Comment 3 Bernhard Wiedemann 2011-10-19 12:00:31 UTC

This is an autogenerated message for OBS integration:
This bug (724856) was mentioned in
https://build.opensuse.org/request/show/88699 Factory / clamav
https://build.opensuse.org/request/show/88700 11.4 / clamav
https://build.opensuse.org/request/show/88701 11.3 / clamav

Comment 4 Bernhard Wiedemann 2011-10-19 14:00:29 UTC

This is an autogenerated message for OBS integration:
This bug (724856) was mentioned in
https://build.opensuse.org/request/show/88722 11.3 / clamav
https://build.opensuse.org/request/show/88723 11.4 / clamav
https://build.opensuse.org/request/show/88724 Factory / clamav

Comment 5 Reinhard Max 2011-10-19 14:09:21 UTC

Packages submitted to the openSUSE projects mentioned above, and to SLE10-SP3, SLE10-SP4, SLE11-SP1, and SLE11-SP2.

Comment 11 Swamp Workflow Management 2011-10-24 09:07:15 UTC

Update released for: clamav, clamav-db, clamav-debuginfo, clamav-debugsource
Products:
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)

Comment 12 Sebastian Krahmer 2011-10-24 09:07:46 UTC

done

Comment 13 Swamp Workflow Management 2011-10-24 12:09:33 UTC

Update released for: clamav, clamav-db, clamav-debuginfo
Products:
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SDK 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)

Comment 14 Swamp Workflow Management 2011-10-24 14:08:28 UTC

Update released for: clamav, clamav-db, clamav-debuginfo
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)

Comment 15 Swamp Workflow Management 2011-10-24 14:26:00 UTC

Update released for: clamav, clamav-db, clamav-debuginfo, clamav-debugsource
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)

Comment 16 Swamp Workflow Management 2011-10-24 17:12:52 UTC

Update released for: clamav, clamav-db
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)

Comment 17 Bernhard Wiedemann 2011-10-25 10:00:24 UTC

This is an autogenerated message for OBS integration:
This bug (724856) was mentioned in
https://build.opensuse.org/request/show/89250 Evergreen:11.1 / clamav

Comment 18 Bernhard Wiedemann 2017-12-03 09:03:10 UTC

This is an autogenerated message for OBS integration:
This bug (724856) was mentioned in
https://build.opensuse.org/request/show/547654 15.0 / clamav