Multipart Nesting Denial of Service

Debian Bug report logs - #401874
Multipart Nesting Denial of Service

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Hendrik Weimer <hendrik@enyo.de>

To: submit@bugs.debian.org

Subject: Multipart Nesting Denial of Service

Date: Wed, 06 Dec 2006 15:40:43 +0100

Package: clamav
Version: 0.88.6-1
Tags: security
Severity: important

As reported in http://www.quantenblog.net/security/virus-scanner-bypass 
ClamAV contains a denial of service vulnerability when fed with a mail
containing a large number of multipart layers. This is due to a
recursion-based stack overflow in the function parseEmailBody
(mbox.c). Arbitrary code execution is proably not possible.

Message #10 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nigel Horne <njh@bandsman.co.uk>

To: Hendrik Weimer <hendrik@enyo.de>, 401874@bugs.debian.org

Cc: submit@bugs.debian.org

Subject: Re: Bug#401874: Multipart Nesting Denial of Service

Date: Wed, 06 Dec 2006 15:17:10 +0000

On Wed, 2006-12-06 at 15:40 +0100, Hendrik Weimer wrote:
> Package: clamav
> Version: 0.88.6-1
> Tags: security
> Severity: important
> 
> As reported in http://www.quantenblog.net/security/virus-scanner-bypass 
> ClamAV contains a denial of service vulnerability when fed with a mail
> containing a large number of multipart layers. This is due to a
> recursion-based stack overflow in the function parseEmailBody
> (mbox.c). Arbitrary code execution is proably not possible.

This is already fixed in 0.90RC2.

-Nigel

Message #20 received at 401874@bugs.debian.org (full text, mbox, reply):

From: Stephen Gran <sgran@debian.org>

To: Nigel Horne <njh@bandsman.co.uk>, 401874@bugs.debian.org

Cc: Hendrik Weimer <hendrik@enyo.de>

Subject: Re: Bug#401874: Multipart Nesting Denial of Service

Date: Sun, 10 Dec 2006 16:59:19 +0000

[Message part 1 (text/plain, inline)]

This one time, at band camp, Nigel Horne said:
> On Wed, 2006-12-06 at 15:40 +0100, Hendrik Weimer wrote:
> > 
> > As reported in http://www.quantenblog.net/security/virus-scanner-bypass 
> > ClamAV contains a denial of service vulnerability when fed with a mail
> > containing a large number of multipart layers. This is due to a
> > recursion-based stack overflow in the function parseEmailBody
> > (mbox.c). Arbitrary code execution is proably not possible.
> 
> This is already fixed in 0.90RC2.

Can you point me to the CVS patch that fixes it?  I don't immediately
see it (I do see the patch that fixes the whitespace bypass, but I don't
see the recursion limiter immediately).

Thanks,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

[signature.asc (application/pgp-signature, inline)]

Message #25 received at 401874@bugs.debian.org (full text, mbox, reply):

From: Nigel Horne <njh@bandsman.co.uk>

To: Stephen Gran <sgran@debian.org>

Cc: 401874@bugs.debian.org, Hendrik Weimer <hendrik@enyo.de>

Subject: Re: Bug#401874: Multipart Nesting Denial of Service

Date: Sun, 10 Dec 2006 17:29:21 +0000

Stephen Gran wrote:
> This one time, at band camp, Nigel Horne said:
>> On Wed, 2006-12-06 at 15:40 +0100, Hendrik Weimer wrote:
>>> As reported in http://www.quantenblog.net/security/virus-scanner-bypass 
>>> ClamAV contains a denial of service vulnerability when fed with a mail
>>> containing a large number of multipart layers. This is due to a
>>> recursion-based stack overflow in the function parseEmailBody
>>> (mbox.c). Arbitrary code execution is proably not possible.
>> This is already fixed in 0.90RC2.
> 
> Can you point me to the CVS patch that fixes it?  I don't immediately
> see it (I do see the patch that fixes the whitespace bypass, but I don't
> see the recursion limiter immediately).

Bugzilla bug 104.

Sun Oct 29 13:54:38 GMT 2006 (njh)
----------------------------------
  * libclamav/mbox.c:   Honour maxarchivelevel when scanning email 
messages.
                        It would be better to have a separate limit for 
that
                        Bugzilla 104


> 
> Thanks,

Message #30 received at 401874-close@bugs.debian.org (full text, mbox, reply):

From: Stephen Gran <sgran@debian.org>

To: 401874-close@bugs.debian.org

Subject: Bug#401874: fixed in clamav 0.90~rc2-1

Date: Mon, 11 Dec 2006 15:02:10 +0000

Source: clamav
Source-Version: 0.90~rc2-1

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive:

clamav-base_0.90~rc2-1_all.deb
  to pool/main/c/clamav/clamav-base_0.90~rc2-1_all.deb
clamav-daemon_0.90~rc2-1_i386.deb
  to pool/main/c/clamav/clamav-daemon_0.90~rc2-1_i386.deb
clamav-dbg_0.90~rc2-1_i386.deb
  to pool/main/c/clamav/clamav-dbg_0.90~rc2-1_i386.deb
clamav-docs_0.90~rc2-1_all.deb
  to pool/main/c/clamav/clamav-docs_0.90~rc2-1_all.deb
clamav-freshclam_0.90~rc2-1_i386.deb
  to pool/main/c/clamav/clamav-freshclam_0.90~rc2-1_i386.deb
clamav-milter_0.90~rc2-1_i386.deb
  to pool/main/c/clamav/clamav-milter_0.90~rc2-1_i386.deb
clamav-testfiles_0.90~rc2-1_all.deb
  to pool/main/c/clamav/clamav-testfiles_0.90~rc2-1_all.deb
clamav_0.90~rc2-1.diff.gz
  to pool/main/c/clamav/clamav_0.90~rc2-1.diff.gz
clamav_0.90~rc2-1.dsc
  to pool/main/c/clamav/clamav_0.90~rc2-1.dsc
clamav_0.90~rc2-1_i386.deb
  to pool/main/c/clamav/clamav_0.90~rc2-1_i386.deb
clamav_0.90~rc2.orig.tar.gz
  to pool/main/c/clamav/clamav_0.90~rc2.orig.tar.gz
libclamav-dev_0.90~rc2-1_i386.deb
  to pool/main/c/clamav/libclamav-dev_0.90~rc2-1_i386.deb
libclamav1_0.90~rc2-1_i386.deb
  to pool/main/c/clamav/libclamav1_0.90~rc2-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 401874@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Gran <sgran@debian.org> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 11 Dec 2006 13:44:54 +0000
Source: clamav
Binary: clamav libclamav-dev clamav-dbg clamav-milter clamav-base clamav-freshclam clamav-testfiles clamav-daemon libclamav1 clamav-docs
Architecture: source i386 all
Version: 0.90~rc2-1
Distribution: experimental
Urgency: low
Maintainer: Stephen Gran <sgran@debian.org>
Changed-By: Stephen Gran <sgran@debian.org>
Description: 
 clamav     - antivirus scanner for Unix
 clamav-base - base package for clamav, an anti-virus utility for Unix
 clamav-daemon - antivirus scanner daemon
 clamav-dbg - debug symbols for clamav
 clamav-docs - documentation package for clamav, an anti-virus utility for Unix
 clamav-freshclam - downloads clamav virus databases from the Internet
 clamav-milter - antivirus scanner for sendmail
 clamav-testfiles - use these files to test that your Antivirus program works
 libclamav-dev - clam Antivirus library development files
 libclamav1 - virus scanner library
Closes: 316330 401873 401874
Changes: 
 clamav (0.90~rc2-1) experimental; urgency=low
 .
   * New upstream version
     - Can now disable options one by one (closes: #316330)
     - Fixes recursion based DoS (closes: #401874)
   * Patches:
     - Freshen all
     - Delete obsoleted ones
     - 10_base64.dpatch added for MIME bypass (closes: #401873)
   * New config file format dealt with in postinst
   * Freshclam now takes a PidFile argument - we don't need s-s-d to handle it
   * debian/rules check to make sure all config options are handled
Files: 
 12093456834394df63ab44708b40162e 886 utils optional clamav_0.90~rc2-1.dsc
 91da47456ed28a7cfbfe17b033e15121 8706141 utils optional clamav_0.90~rc2.orig.tar.gz
 bc64bf7ac6424a1a0d8e06323a5c36ee 507782 utils optional clamav_0.90~rc2-1.diff.gz
 296c828cdbe7f0811bcea7eec8c88be7 189634 utils optional clamav-base_0.90~rc2-1_all.deb
 3daaa84170171be60bd47157be9e2ace 146000 utils optional clamav-testfiles_0.90~rc2-1_all.deb
 b9d2ad7c28a2f847461b8b59b98341d6 508554 utils optional clamav-docs_0.90~rc2-1_all.deb
 53e5ccf28b1f60a42f2b3a205c0d32e3 329548 libs optional libclamav1_0.90~rc2-1_i386.deb
 0d522b20aa15e6bf390224ef038ae016 191124 utils optional clamav_0.90~rc2-1_i386.deb
 54c2eef3c6aeb41fcec3961b7a4042f7 158900 utils optional clamav-daemon_0.90~rc2-1_i386.deb
 8502bdf5092e2507ddd8cce1be6077e6 7219528 utils optional clamav-freshclam_0.90~rc2-1_i386.deb
 e55a3938e8ff01e79af6c97a68b3bd02 157758 utils extra clamav-milter_0.90~rc2-1_i386.deb
 360a6bc3b075917b1abecda0dff9dd4d 328240 libdevel optional libclamav-dev_0.90~rc2-1_i386.deb
 ecce47cdd97d179cf0004417575718c2 563888 utils extra clamav-dbg_0.90~rc2-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFfW3fSYIMHOpZA44RAmvnAKDdGUEAGdu/yizKNAUpYgR/LvUOXwCgoYyS
p742q5fU0GCOQJLQAatxl/U=
=10Le
-----END PGP SIGNATURE-----

Message #35 received at 401874-close@bugs.debian.org (full text, mbox, reply):

From: Stephen Gran <sgran@debian.org>

To: 401874-close@bugs.debian.org

Subject: Bug#401874: fixed in clamav 0.88.7-1

Date: Tue, 12 Dec 2006 01:17:03 +0000

Source: clamav
Source-Version: 0.88.7-1

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive:

clamav-base_0.88.7-1_all.deb
  to pool/main/c/clamav/clamav-base_0.88.7-1_all.deb
clamav-daemon_0.88.7-1_i386.deb
  to pool/main/c/clamav/clamav-daemon_0.88.7-1_i386.deb
clamav-dbg_0.88.7-1_i386.deb
  to pool/main/c/clamav/clamav-dbg_0.88.7-1_i386.deb
clamav-docs_0.88.7-1_all.deb
  to pool/main/c/clamav/clamav-docs_0.88.7-1_all.deb
clamav-freshclam_0.88.7-1_i386.deb
  to pool/main/c/clamav/clamav-freshclam_0.88.7-1_i386.deb
clamav-milter_0.88.7-1_i386.deb
  to pool/main/c/clamav/clamav-milter_0.88.7-1_i386.deb
clamav-testfiles_0.88.7-1_all.deb
  to pool/main/c/clamav/clamav-testfiles_0.88.7-1_all.deb
clamav_0.88.7-1.diff.gz
  to pool/main/c/clamav/clamav_0.88.7-1.diff.gz
clamav_0.88.7-1.dsc
  to pool/main/c/clamav/clamav_0.88.7-1.dsc
clamav_0.88.7-1_i386.deb
  to pool/main/c/clamav/clamav_0.88.7-1_i386.deb
clamav_0.88.7.orig.tar.gz
  to pool/main/c/clamav/clamav_0.88.7.orig.tar.gz
libclamav-dev_0.88.7-1_i386.deb
  to pool/main/c/clamav/libclamav-dev_0.88.7-1_i386.deb
libclamav1_0.88.7-1_i386.deb
  to pool/main/c/clamav/libclamav1_0.88.7-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 401874@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Gran <sgran@debian.org> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 12 Dec 2006 00:38:02 +0000
Source: clamav
Binary: clamav libclamav-dev clamav-dbg clamav-milter clamav-base clamav-freshclam clamav-testfiles clamav-daemon libclamav1 clamav-docs
Architecture: source i386 all
Version: 0.88.7-1
Distribution: unstable
Urgency: medium
Maintainer: Stephen Gran <sgran@debian.org>
Changed-By: Stephen Gran <sgran@debian.org>
Description: 
 clamav     - antivirus scanner for Unix
 clamav-base - base package for clamav, an anti-virus utility for Unix
 clamav-daemon - antivirus scanner daemon
 clamav-dbg - debug symbols for clamav
 clamav-docs - documentation package for clamav, an anti-virus utility for Unix
 clamav-freshclam - downloads clamav virus databases from the Internet
 clamav-milter - antivirus scanner for sendmail
 clamav-testfiles - use these files to test that your Antivirus program works
 libclamav-dev - clam Antivirus library development files
 libclamav1 - virus scanner library
Closes: 401873 401874
Changes: 
 clamav (0.88.7-1) unstable; urgency=medium
 .
   * New upstream version
     [ CVE-2006-6406 ] MIME encoding scan bypass (closes: #401873)
     [ CVE unavailable ] Nested multipart recursion DoS (closes: #401874)
Files: 
 eece577ecdf03c2a699d3c324cbedbd9 880 utils optional clamav_0.88.7-1.dsc
 34a9d58cf5bcb04dbe3eb32b5367a3f8 9510548 utils optional clamav_0.88.7.orig.tar.gz
 e0c6ae35c83d128c65db2a6cdd28116f 496774 utils optional clamav_0.88.7-1.diff.gz
 7f5eabf74c68437433377d5b5d067c13 174830 utils optional clamav-base_0.88.7-1_all.deb
 4c24b0a0b1a7ea9179ce7b7bd42978a1 131940 utils optional clamav-testfiles_0.88.7-1_all.deb
 fdb498f9e65f0515190cfb12fb8f1113 858244 utils optional clamav-docs_0.88.7-1_all.deb
 e5b038bc83e669d85c22b36042cec887 270380 libs optional libclamav1_0.88.7-1_i386.deb
 dc53da38d9c9f0158b738d3d57f04918 162332 utils optional clamav_0.88.7-1_i386.deb
 4a6239900f4aaa0798d074107979a0f7 137656 utils optional clamav-daemon_0.88.7-1_i386.deb
 1a631fac4b36ba4bb1e223fdbabc93ed 7838438 utils optional clamav-freshclam_0.88.7-1_i386.deb
 5df609a4f06f7f9f4841677d36de6462 134330 utils extra clamav-milter_0.88.7-1_i386.deb
 2024111a531c42e282f8d6cdc506c098 262050 libdevel optional libclamav-dev_0.88.7-1_i386.deb
 443e867623b09e287668deb945cb4e51 450416 utils extra clamav-dbg_0.88.7-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFffrYSYIMHOpZA44RAgj0AKDeiUee7WhcRDPcHzMr6AEohK2iLwCfUR5s
/76xTOjme3xuP+SjYL5c2Dk=
=2UXK
-----END PGP SIGNATURE-----

Message #40 received at 401874-close@bugs.debian.org (full text, mbox, reply):

From: Stephen Gran <sgran@debian.org>

To: 401874-close@bugs.debian.org

Subject: Bug#401874: fixed in clamav 0.84-2.sarge.13

Date: Sat, 17 Feb 2007 12:09:55 +0000

Source: clamav
Source-Version: 0.84-2.sarge.13

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive:

clamav-base_0.84-2.sarge.13_all.deb
  to pool/main/c/clamav/clamav-base_0.84-2.sarge.13_all.deb
clamav-daemon_0.84-2.sarge.13_i386.deb
  to pool/main/c/clamav/clamav-daemon_0.84-2.sarge.13_i386.deb
clamav-docs_0.84-2.sarge.13_all.deb
  to pool/main/c/clamav/clamav-docs_0.84-2.sarge.13_all.deb
clamav-freshclam_0.84-2.sarge.13_i386.deb
  to pool/main/c/clamav/clamav-freshclam_0.84-2.sarge.13_i386.deb
clamav-milter_0.84-2.sarge.13_i386.deb
  to pool/main/c/clamav/clamav-milter_0.84-2.sarge.13_i386.deb
clamav-testfiles_0.84-2.sarge.13_all.deb
  to pool/main/c/clamav/clamav-testfiles_0.84-2.sarge.13_all.deb
clamav_0.84-2.sarge.13.diff.gz
  to pool/main/c/clamav/clamav_0.84-2.sarge.13.diff.gz
clamav_0.84-2.sarge.13.dsc
  to pool/main/c/clamav/clamav_0.84-2.sarge.13.dsc
clamav_0.84-2.sarge.13_i386.deb
  to pool/main/c/clamav/clamav_0.84-2.sarge.13_i386.deb
libclamav-dev_0.84-2.sarge.13_i386.deb
  to pool/main/c/clamav/libclamav-dev_0.84-2.sarge.13_i386.deb
libclamav1_0.84-2.sarge.13_i386.deb
  to pool/main/c/clamav/libclamav1_0.84-2.sarge.13_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 401874@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Gran <sgran@debian.org> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 11 Dec 2006 22:34:11 +0000
Source: clamav
Binary: clamav libclamav-dev clamav-milter clamav-base clamav-freshclam clamav-testfiles clamav-daemon libclamav1 clamav-docs
Architecture: source all i386
Version: 0.84-2.sarge.13
Distribution: stable-security
Urgency: low
Maintainer: Stephen Gran <sgran@debian.org>
Changed-By: Stephen Gran <sgran@debian.org>
Description: 
 clamav     - antivirus scanner for Unix
 clamav-base - base package for clamav, an anti-virus utility for Unix
 clamav-daemon - antivirus scanner daemon
 clamav-docs - documentation package for clamav, an anti-virus utility for Unix
 clamav-freshclam - downloads clamav virus databases from the Internet
 clamav-milter - antivirus scanner for sendmail
 clamav-testfiles - use these files to test that your Antivirus program works
 libclamav-dev - clam Antivirus library development files
 libclamav1 - virus scanner library
Closes: 401873 401874
Changes: 
 clamav (0.84-2.sarge.13) stable-security; urgency=low
 .
   * libclamav/message.c: Unusual MIME Encoding Content Filter Bypass
     [ CVE-2006-6406 ] (closes: #401873)
   * clamscan/clamscan.c
     clamscan/manager.c
     clamscan/options.c
     clamav-milter/clamav-milter.c
     shared/cfgparser.c
     clamd/server-th.c
     libclamav/scanners.c
     libclamav/mbox.c
     libclamav/clamav.h
     etc/clamd.conf: nested multipart DoS
     [ CVE-2006-XXXX ] (closes: 401874)
Files: 
 a99fd16ec6cd3597495d66c43d86b085 874 utils optional clamav_0.84-2.sarge.13.dsc
 96f6c6b906aeeb954ab2c87551d2c603 180118 utils optional clamav_0.84-2.sarge.13.diff.gz
 724ad22ce36c7ead6c7f4712bb5f0ff3 155278 utils optional clamav-base_0.84-2.sarge.13_all.deb
 83e7462649f84e9de615de7fb6eb2b54 124236 utils optional clamav-testfiles_0.84-2.sarge.13_all.deb
 e78c2d70bd21ab4825f7bd094b7cf28f 694788 utils optional clamav-docs_0.84-2.sarge.13_all.deb
 4f53bc2e71a80762da1e82bff4117126 255048 libs optional libclamav1_0.84-2.sarge.13_i386.deb
 c460a3ba33fcee90c9f3c91685938b32 65324 utils optional clamav_0.84-2.sarge.13_i386.deb
 ce8929f2ddc2228cec2a2fea5550d38a 40370 utils optional clamav-daemon_0.84-2.sarge.13_i386.deb
 e2fa7b2fe19f04a66770bc606c39e919 2171606 utils optional clamav-freshclam_0.84-2.sarge.13_i386.deb
 81b6c522ebc4461b4b3dd5da0401fe68 38078 utils extra clamav-milter_0.84-2.sarge.13_i386.deb
 2a6ee4c7a6e0b3532160d02e10643d57 159904 libdevel optional libclamav-dev_0.84-2.sarge.13_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFfd+fSYIMHOpZA44RAiPeAJ9T/uBwEKKIHbG1C/hczpvvAOzmVQCgnFdg
2WYVPk8EJWmTBZGp9S4Vz3c=
=ey4d
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.