packages/clamav
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2019-15961

Browse Source
This commit is contained in:
zhanghua1831 2021-02-18 17:40:20 +08:00
parent f4c4ea0782
commit a82537d042
5 changed files with 8159 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1106
CVE-2019-15961-1.patch Normal file
View File

File diff suppressed because it is too large Load Diff

199
CVE-2019-15961-2.patch Normal file
View File

@ -0,0 +1,199 @@
From 482fcd413b07e9fd3ef9850e6d01a45f4e187108 Mon Sep 17 00:00:00 2001
From: Andy Ragusa <aragusa@cisco.com>
Date: Tue, 19 Nov 2019 15:55:47 -0800
Subject: [PATCH] Modified mbox.c only mark files as infected with heuristic
alerts if heuristic alerts are enabled.
---
libclamav/mbox.c | 52 ++++++++++++++++++++++--------------------------
1 file changed, 24 insertions(+), 28 deletions(-)
diff --git a/libclamav/mbox.c b/libclamav/mbox.c
index 684f0d7e34..fc63245255 100644
--- a/libclamav/mbox.c
+++ b/libclamav/mbox.c
@@ -232,11 +232,11 @@ static blob *getHrefs(message *m, tag_arguments_t *hrefs);
static void hrefs_done(blob *b, tag_arguments_t *hrefs);
static void checkURLs(message *m, mbox_ctx *mctx, mbox_status *rc, int is_html);
-static bool haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx);
-static bool hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx);
-static bool haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx);
-static bool haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx);
-static bool haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx);
+static bool haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx, mbox_status * rc);
+static bool hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx, bool * heuristicFound);
+static bool haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx, bool * heuristicFound);
+static bool haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx, bool * heuristicFound);
+static bool haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx, bool * heuristicFound);
/* Maximum line length according to RFC2821 */
#define RFC2821LENGTH 1000
@@ -769,7 +769,7 @@ doContinueMultipleEmptyOptions(const char *const line, bool *lastWasOnlySemi)
}
static bool
-hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx)
+hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx, bool * heuristicFound)
{
if (line) {
@@ -782,6 +782,7 @@ hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx)
if ((*lineFoldCnt) >= HEURISTIC_EMAIL_MAX_LINE_FOLDS_PER_HEADER) {
if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxLineFoldCnt");
+ *heuristicFound = TRUE;
}
return TRUE;
@@ -791,12 +792,13 @@ hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx)
}
static bool
-haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx)
+haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx, bool * heuristicFound)
{
if (totalLen > HEURISTIC_EMAIL_MAX_HEADER_BYTES) {
if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxHeaderBytes");
+ *heuristicFound = TRUE;
}
return TRUE;
@@ -805,12 +807,13 @@ haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx)
}
static bool
-haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx)
+haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx, bool * heuristicFound)
{
if (totalHeaderCnt > HEURISTIC_EMAIL_MAX_HEADERS) {
if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxEmailHeaders");
+ *heuristicFound = TRUE;
}
return TRUE;
@@ -819,12 +822,13 @@ haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx)
}
static bool
-haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx)
+haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx, mbox_status * rc)
{
if (mimePartCnt >= HEURISTIC_EMAIL_MAX_MIME_PARTS_PER_MESSAGE) {
if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxMIMEPartsPerMessage");
+ *rc = VIRUS;
}
return TRUE;
@@ -833,12 +837,13 @@ haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx)
}
static bool
-haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx)
+haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx, bool * heuristicFound)
{
if (argCnt >= HEURISTIC_EMAIL_MAX_ARGUMENTS_PER_HEADER) {
if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxMIMEArguments");
+ *heuristicFound = TRUE;
}
return TRUE;
@@ -899,8 +904,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first
continue;
}
- if (hitLineFoldCnt(line, &lineFoldCnt, ctx)) {
- *heuristicFound = TRUE;
+ if (hitLineFoldCnt(line, &lineFoldCnt, ctx, heuristicFound )) {
break;
}
@@ -947,8 +951,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first
DO_VERIFY_POINTER(header);
totalHeaderCnt++;
- if (haveTooManyEmailHeaders(totalHeaderCnt, ctx)) {
- *heuristicFound = TRUE;
+ if (haveTooManyEmailHeaders(totalHeaderCnt, ctx, heuristicFound)) {
break;
}
needContinue = (parseEmailHeader(ret, header, rfc821, ctx, heuristicFound) < 0);
@@ -1037,8 +1040,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first
if (lineAdded) {
totalHeaderBytes += strlen(line);
- if (haveTooManyHeaderBytes(totalHeaderBytes, ctx)) {
- *heuristicFound = TRUE;
+ if (haveTooManyHeaderBytes(totalHeaderBytes, ctx, heuristicFound)) {
break;
}
}
@@ -1069,8 +1071,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first
if (0 == needContinue) {
totalHeaderCnt++;
- if (haveTooManyEmailHeaders(totalHeaderCnt, ctx)) {
- *heuristicFound = TRUE;
+ if (haveTooManyEmailHeaders(totalHeaderCnt, ctx, heuristicFound)) {
break;
}
needContinue = (parseEmailHeader(ret, header, rfc821, ctx, heuristicFound) < 0);
@@ -1205,8 +1206,7 @@ parseEmailHeaders(message *m, const table_t *rfc821, bool *heuristicFound)
continue;
}
- if (hitLineFoldCnt(line, &lineFoldCnt, m->ctx)) {
- *heuristicFound = TRUE;
+ if (hitLineFoldCnt(line, &lineFoldCnt, m->ctx, heuristicFound)) {
break;
}
@@ -1283,8 +1283,7 @@ parseEmailHeaders(message *m, const table_t *rfc821, bool *heuristicFound)
}
if (lineAdded) {
- if (haveTooManyHeaderBytes(fulllinelength, m->ctx)) {
- *heuristicFound = TRUE;
+ if (haveTooManyHeaderBytes(fulllinelength, m->ctx, heuristicFound)) {
break;
}
}
@@ -1306,8 +1305,7 @@ parseEmailHeaders(message *m, const table_t *rfc821, bool *heuristicFound)
}
totalHeaderCnt++;
- if (haveTooManyEmailHeaders(totalHeaderCnt, m->ctx)) {
- *heuristicFound = TRUE;
+ if (haveTooManyEmailHeaders(totalHeaderCnt, m->ctx, heuristicFound)) {
break;
}
if (parseEmailHeader(ret, fullline, rfc821, m->ctx, heuristicFound) < 0) {
@@ -2209,9 +2207,8 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re
free((char *)boundary);
- if (haveTooManyMIMEPartsPerMessage(multiparts, mctx->ctx)) {
+ if (haveTooManyMIMEPartsPerMessage(multiparts, mctx->ctx, &rc)) {
DO_FREE(messages);
- rc = VIRUS;
break;
}
@@ -3290,8 +3287,7 @@ parseMimeHeader(message *m, const char *cmd, const table_t *rfc821Table, const c
cli_dbgmsg("mimeArgs = '%s'\n", buf);
argCnt++;
- if (haveTooManyMIMEArguments(argCnt, ctx)) {
- *heuristicFound = TRUE;
+ if (haveTooManyMIMEArguments(argCnt, ctx, heuristicFound )) {
break;
}
messageAddArguments(m, buf);

94
CVE-2019-15961-pre-1.patch Normal file
View File

@ -0,0 +1,94 @@
From 4619f636cb3a2df8162a3677b6c2918868a953da Mon Sep 17 00:00:00 2001
From: Micah Snyder <micasnyd@cisco.com>
Date: Thu, 31 Oct 2019 16:05:29 -0400
Subject: [PATCH] Fixes null-dereference in mail message parser.
---
libclamav/mbox.c | 16 ++++++++--------
libclamav/message.c | 4 +++-
2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/libclamav/mbox.c b/libclamav/mbox.c
index d9746f1e95..7fee0cab4c 100644
--- a/libclamav/mbox.c
+++ b/libclamav/mbox.c
@@ -3,7 +3,7 @@
* Copyright (C) 2007-2013 Sourcefire, Inc.
*
* Authors: Nigel Horne
- *
+ *
* Acknowledgements: Some ideas came from Stephen White <stephen@earth.li>,
* Michael Dankov <misha@btrc.ru>, Gianluigi Tiesi <sherpya@netfarm.it>,
* Everton da Silva Marques, Thomas Lamy <Thomas.Lamy@in-online.net>,
@@ -586,7 +586,7 @@ cli_parse_mbox(const char *dir, cli_ctx *ctx)
*/
messageDestroy(body);
}
-
+
if((retcode == CL_CLEAN) && ctx->found_possibly_unwanted &&
(*ctx->virname == NULL || SCAN_ALLMATCHES)) {
retcode = cli_append_virus(ctx, "Heuristics.Phishing.Email");
@@ -1840,8 +1840,8 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re
* must be listed here */
break;
default:
- /* this is a subtype that we
- * don't handle anyway,
+ /* this is a subtype that we
+ * don't handle anyway,
* don't store */
if(messages[multiparts]) {
messageDestroy(messages[multiparts]);
@@ -3617,7 +3617,7 @@ getline_from_mbox(char *buffer, size_t buffer_len, fmap_t *map, size_t *at)
src = cursrc = fmap_need_off_once(map, *at, input_len);
/* we check for eof from the result of GETC()
- * if(feof(fin))
+ * if(feof(fin))
return NULL;*/
if(!src) {
cli_dbgmsg("getline_from_mbox: fmap need failed\n");
@@ -3629,7 +3629,7 @@ getline_from_mbox(char *buffer, size_t buffer_len, fmap_t *map, size_t *at)
}
curbuf = buffer;
-
+
for(i=0; i<buffer_len-1; i++) {
char c;
@@ -3666,7 +3666,7 @@ getline_from_mbox(char *buffer, size_t buffer_len, fmap_t *map, size_t *at)
}
*at += cursrc - src;
*curbuf = '\0';
-
+
return buffer;
}
@@ -3873,7 +3873,7 @@ do_multipart(message *mainMessage, message **messages, int i, mbox_status *rc, m
thisobj = messageGetJObj(aMessage);
if (thisobj == NULL) {
- cli_errmsg("Cannot get message preclass object\n");
+ cli_dbgmsg("Cannot get message preclass object\n");
*rc = -1;
return mainMessage;
}
diff --git a/libclamav/message.c b/libclamav/message.c
index 0e57695f46..c9d382e4a3 100644
--- a/libclamav/message.c
+++ b/libclamav/message.c
@@ -2649,7 +2649,9 @@ isuuencodebegin(const char *line)
#if HAVE_JSON
json_object *messageGetJObj(message *m)
{
- assert(m != NULL);
+ if (m == NULL) {
+ return NULL;
+ }
if(m->jobj == NULL)
m->jobj = cli_jsonobj(NULL, NULL);

6750
CVE-2019-15961-pre-2.patch Normal file
View File

File diff suppressed because it is too large Load Diff

13
clamav.spec
View File

@ -1,10 +1,10 @@
Name: clamav Name: clamav
Summary: End-user tools for the Clam Antivirus scanner Summary: End-user tools for the Clam Antivirus scanner
Version: 0.101.4 Version: 0.101.4
Release: 7 Release: 8
License: GPLv2 License: GPLv2 and Public Domain and bzip2-1.0.6 and Zlib and Apache-2.0
URL: https://www.clamav.net/ URL: https://www.clamav.net/
Source0: https://www.clamav.net/downloads/production/clamav-%version.tar.gz Source0: https://www.clamav.net/downloads/production/clamav-%{version}.tar.gz
Source1: clamd.sysconfig Source1: clamd.sysconfig
Source2: clamd.logrotate Source2: clamd.logrotate
Source3: main-58.cvd Source3: main-58.cvd
@ -26,6 +26,10 @@ Patch0003: clamav-0.99-private.patch
Patch0004: clamav-0.100.0-umask.patch Patch0004: clamav-0.100.0-umask.patch
Patch0005: llvm-glibc.patch Patch0005: llvm-glibc.patch
Patch0006: clamav-Fix-int64-overflow-check.patch Patch0006: clamav-Fix-int64-overflow-check.patch
Patch0007: CVE-2019-15961-pre-1.patch
Patch0008: CVE-2019-15961-pre-2.patch
Patch0009: CVE-2019-15961-1.patch
Patch0010: CVE-2019-15961-2.patch
BuildRequires: autoconf automake gettext-devel libtool libtool-ltdl-devel BuildRequires: autoconf automake gettext-devel libtool libtool-ltdl-devel
BuildRequires: gcc-c++ zlib-devel bzip2-devel gmp-devel curl-devel json-c-devel BuildRequires: gcc-c++ zlib-devel bzip2-devel gmp-devel curl-devel json-c-devel
@ -405,6 +409,9 @@ test -e %_var/log/clamav-milter.log || {
%changelog %changelog
* Thu Feb 18 2021 zhanghua <zhanghua40@huawei.com> - 0.101.4-8
- fix CVE-2019-15961
* Fri Oct 09 2020 lingsheng <lingsheng@huawei.com> - 0.101.4-7 * Fri Oct 09 2020 lingsheng <lingsheng@huawei.com> - 0.101.4-7
- Fix int64 overflow check - Fix int64 overflow check