[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/etch-security, updated. 594a24f3c0e57e508385e31054db831241cfaa56

Stephen Gran steve at lobefin.net
Fri Sep 5 16:07:48 UTC 2008


The following commit has been merged in the debian/etch-security branch:
commit d5cd70074f598a80b7ee264779ba3bd57f3e86ed
Author: Stephen Gran <steve at lobefin.net>
Date:   Fri Sep 5 16:57:42 2008 +0100

    libclamav/message.c, mbox.c: fix out-of-memory null dereference in mbox/message (bb#1141)
    
    git-svn-id: http://svn.clamav.net/svn/clamav-devel/trunk@4158 77e5149b-7576-45b1-b177-96237e5ba77b
    
    Conflicts:
    
    	libclamav/message.h
    
    Signed-off-by: Stephen Gran <steve at lobefin.net>

diff --git a/debian/changelog b/debian/changelog
index f8f6311..6b7ada6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+clamav (0.90.1dfsg-4etch15) stable-security; urgency=low
+
+  * [CVE-2008-3912]: libclamav/mbox.c, libclamav/message.c: out-of-memory null
+    dereferences
+
+ -- Stephen Gran <sgran at debian.org>  Fri, 05 Sep 2008 15:31:07 +0100
+
 clamav (0.90.1dfsg-3.1+etch14) stable-security; urgency=high
 
   * Non-maintainer upload by the security team
diff --git a/debian/patches/00list b/debian/patches/00list
index 11edb49..be5f1d3 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -20,3 +20,4 @@
 42.pe.c.CVE-2008-1100.dpatch
 43.spin.c.CVE-2008-1387.dpatch
 44.petite.c.CVE-2008-2713.dpatch
+45.mbox.c.CVE-2008-3912.dpatch
diff --git a/debian/patches/45.mbox.c.CVE-2008-3912.dpatch b/debian/patches/45.mbox.c.CVE-2008-3912.dpatch
new file mode 100644
index 0000000..0157a41
--- /dev/null
+++ b/debian/patches/45.mbox.c.CVE-2008-3912.dpatch
@@ -0,0 +1,104 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 45.mbox.c.CVE-2008-3912.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix out-of-memory null dereference
+
+ at DPATCH@
+diff --git a/libclamav/mbox.c b/libclamav/mbox.c
+index 0b90329..dd85950 100644
+--- a/libclamav/mbox.c
++++ b/libclamav/mbox.c
+@@ -1528,6 +1528,8 @@ cli_parse_mbox(const char *dir, int desc, cli_ctx *ctx)
+ 			}
+ 		}
+ 
++		if(body->isTruncated && retcode == CL_SUCCESS)
++			retcode = CL_EMEM;
+ 		/*
+ 		 * Tidy up and quit
+ 		 */
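Review bot: The new `body->isTruncated` check has no comment saying why a truncated parse is turned into an error, and that reason is the security-relevant part of this fix. I would add above it `/* parser ran out of memory: return CL_EMEM so a partly parsed message is not reported as a successful scan */`. The check also dereferences `body` with no NULL test visible in the hunk. The indentation suggests an enclosing block that may already guard it, but that block starts outside the hunk and should be confirmed.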
+@@ -1684,6 +1686,11 @@ parseEmailFile(FILE *fin, const table_t *rfc821, const char *firstLine, const ch
+ 					}
+ 					fullline = cli_strdup(line);
+ 					fulllinelength = strlen(line) + 1;
++					if(!fullline) {
++						if(ret)
++							ret->isTruncated = TRUE;
++						break;
++					}
+ 				} else if(line != NULL) {
+ 					fulllinelength += strlen(line);
+ 					ptr = cli_realloc(fullline, fulllinelength);
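Review bot: Only the `cli_strdup` failure sets `isTruncated`; the `cli_realloc(fullline, fulllinelength)` call in the `else if(line != NULL)` branch at the end of this hunk can fail the same way, and its handling lies outside the hunk. If that path does not already record the failure, it should do so in the same manner, e.g. `if(ptr == NULL) { if(ret) ret->isTruncated = TRUE; break; }`. Otherwise an allocation failure there could still end in `CL_SUCCESS`. Separately, `fulllinelength = strlen(line) + 1;` would read more clearly after the NULL test. What the `break` exits deserves a short comment, since the enclosing loop starts outside the hunk.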
+diff --git a/libclamav/message.c b/libclamav/message.c
+index a123955..bd87f11 100644
+--- a/libclamav/message.c
++++ b/libclamav/message.c
+@@ -1674,14 +1674,13 @@ messageToText(message *m)
+ 				for(t_line = messageGetBody(m); t_line; t_line = t_line->t_next) {
+ 					if(first == NULL)
+ 						first = last = cli_malloc(sizeof(text));
+-					else {
++					else if (last) {
+ 						last->t_next = cli_malloc(sizeof(text));
+ 						last = last->t_next;
+ 					}
+ 
+ 					if(last == NULL) {
+ 						if(first) {
+-							last->t_next = NULL;
+ 							textDestroy(first);
+ 						}
+ 						return NULL;
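Review bot: Dropping `last->t_next = NULL;` from the `if(last == NULL)` cleanup is correct but not obvious, and it deserves a comment. When `first` is set and `last` is NULL here, the previous tail's `t_next` has just been assigned the NULL returned by the failed `cli_malloc`, so the list passed to `textDestroy(first)` is already terminated. I would write `/* tail's t_next already holds the NULL from the failed cli_malloc */` above the `textDestroy` call. As far as this hunk shows, the new `else if (last)` guard can never be false at this site, because a NULL `last` returns immediately below. The enclosing `for` loop and the rest of `messageToText` lie outside the hunk.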
+@@ -1695,7 +1694,8 @@ messageToText(message *m)
+ 			case UUENCODE:
+ 				cli_errmsg("messageToText: Unexpected attempt to handle uuencoded file - report to http://bugs.clamav.net\n");
+ 				if(first) {
+-					last->t_next = NULL;
++					if(last)
++						last->t_next = NULL;
+ 					textDestroy(first);
+ 				}
+ 				return NULL;
+@@ -1705,7 +1705,8 @@ messageToText(message *m)
+ 				if(t_line == NULL) {
+ 					/*cli_warnmsg("YENCODED attachment is missing begin statement\n");*/
+ 					if(first) {
+-						last->t_next = NULL;
++						if(last)
++							last->t_next = NULL;
+ 						textDestroy(first);
+ 					}
+ 					return NULL;
+@@ -1741,7 +1742,7 @@ messageToText(message *m)
+ 
+ 			if(first == NULL)
+ 				first = last = cli_malloc(sizeof(text));
+-			else {
++			else if (last) {
+ 				last->t_next = cli_malloc(sizeof(text));
+ 				last = last->t_next;
+ 			}
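Review bot: In this hunk and the next one (the `decode(m, NULL, data, base64, FALSE)` site), `else if (last)` skips the append when an earlier `cli_malloc` failed, but neither hunk shows `last` being tested before the new node is used. The first `messageToText` hunk handles the same situation by destroying the list and returning NULL when `last == NULL`. The code that follows here is outside the hunk, so confirm it tests `last` before writing through it and does not continue with a partly built list. If the function can return a shortened text list after an allocation failure, the caller cannot tell, unlike the `isTruncated` flag that mbox.c now sets.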
+@@ -1779,7 +1780,7 @@ messageToText(message *m)
+ 			if(decode(m, NULL, data, base64, FALSE) && data[0]) {
+ 				if(first == NULL)
+ 					first = last = cli_malloc(sizeof(text));
+-				else {
++				else if (last) {
+ 					last->t_next = cli_malloc(sizeof(text));
+ 					last = last->t_next;
+ 				}
+diff --git a/libclamav/message.h b/libclamav/message.h
+index b8f30c0..ecef63a 100644
+--- a/libclamav/message.h
++++ b/libclamav/message.h
+@@ -44,6 +44,9 @@ typedef struct message {
+ 	text	*yenc;		/* start of a yEnc message */
+ 	text	*encoding;	/* is the non MIME message encoded? */
+ 	const text	*dedupedThisFar;
++
++	unsigned        int     isTruncated  : 1;
++
+ } message;
+ 
+ message	*messageCreate(void);
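Review bot: The new `isTruncated` bit-field is the only member in this hunk without a trailing comment; something like `/* set when parsing stopped early on an allocation failure */` would match its neighbours. `cli_parse_mbox` reads the field without assigning it, so it relies on `messageCreate` (and any reset routine) zeroing the structure. Those functions are outside this hunk and should be checked. The `typedef struct message` body starts before the hunk.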

-- 
Debian repository for ClamAV


