Bug 1045490

Summary: VUL-0: CVE-2012-6706: clamav: VMSF_DELTA filter allows arbitrary memory write
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: abergmann, astieger, max, meissner, sebix+novell.com, security-team, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/187141/
See Also: https://bugzilla.clamav.net/show_bug.cgi?id=11859
Whiteboard: maint:running:63715:important maint:released:sle10-sp3:63716
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1045315    
Bug Blocks:    
Deadline: 2017-07-04   
Attachments: Proposed patch

Description Alexander Bergmann 2017-06-22 09:24:45 UTC 
+++ This bug was initially created as a clone of Bug #1045315 +++

This bug was opened to fix the original unrar bug inside the libclamunrar code inside ClamAV.


VMSF_DELTA filter in unrar allows arbitrary memory write

It appears that the VMSF_DELTA memory corruption that was reported to Sophos AV in 2012 (and fixed there) was actually inherited from upstream unrar. For unknown reasons the information did not reach upstream rar or was otherwise lost, and the bug seems to have persisted there to this day.

Base64-encoded RAR file reproducer to trigger the VMSF_DELTA issue:

UmFyIRoHAPlOcwAADgAAAAAAAAAAMAh0AAAmAI4AAAAAAAAAAhBBUiEAAAAAHQAGAAAAACBzdGRv
dXQgIVUMzRDNmBGByDAda+AXaSv4KvQr1K/oejL05mXmXmww5tEk8gA9k8nmieyeyeswuOR6cx69
a2Hd6zQwu3aoMDDwMEswADAAMD4P938w+dydoRFwAmwAAAAAvv////+/////+9W3QFgAAQAGAAAA
Ooimhd12AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

References:
https://blog.fefe.de/?ts=a7b4dd4f
https://bugs.chromium.org/p/project-zero/issues/detail?id=1286&desc=6
Comment 1 Reinhard Max 2017-06-22 12:37:45 UTC 
Created attachment 729856 [details]
Proposed patch

The unrar sources in ClamAV look quite different from current upstream. It looks like their code is based on an old C versioin of unrar while upstream has meanwhile rewritten it in C++.

I've tried to port the patch posted in bug 1045315 to the code in ClamAV. It compiles and runs, but given that the demo archive doesn't even crash an unpatched ClamAV I have no easy smoke test to see if the patch works as intended.

So, please review.
Comment 2 Alexander Bergmann 2017-06-22 12:41:21 UTC 
CVE-2012-6706 was assigned to this issue.
Comment 3 Alexander Bergmann 2017-06-22 13:57:33 UTC 
What makes me a bit nervous is the fact that RARLAB fixed several other potential security issues.

" The RAR developers analyzed the entire rarvm.cpp and found / fixed other issues along with this issue. All users of unrar, and third-party developers that statically link to unrar, are strongly encouraged to update quickly. "
Comment 4 Reinhard Max 2017-06-22 14:04:16 UTC 
True, but I think we should push out this (known) one rather quickly and then see what other (yet unknown) ones have been fixed as well.

Hopefully ClamAV upstream will even consider upgrading their fork to the latest upstream version, or even allow linking against a system-supplied version if there is one.
Comment 5 Alexander Bergmann 2017-06-23 08:28:18 UTC 
The fix from comment 1 looks good.
Comment 14 Andreas Stieger 2017-06-23 12:59:05 UTC 
Index: clamav.spec
===================================================================
--- clamav.spec (revision 675972b1eb5820906884be5431a9afad)
+++ clamav.spec (working copy)
@@ -58,8 +58,8 @@
 Obsoletes:      clamav-db < 0.88.3
 PreReq:         %_sbindir/groupadd %_sbindir/useradd %_sbindir/usermod
 PreReq:         /usr/bin/awk /bin/sed /bin/tar
-Source0:        http://www.clamav.net/downloads/%{name}-%{version}.tar.gz
-Source10:       http://www.clamav.net/downloads/%{name}-%{version}.tar.gz.sig
+Source0:        http://www.clamav.net/downloads/production/%{name}-%{version}.tar.gz
+Source10:       http://www.clamav.net/downloads/production/%{name}-%{version}.tar.gz.sig
 Source11:       clamav.keyring
 Source4:        clamav-rpmlintrc
 Source6:        clamav-tmpfiles.conf
Comment 17 Swamp Workflow Management 2017-06-27 15:23:35 UTC 
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-07-04.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63715
Comment 18 Swamp Workflow Management 2017-06-29 16:11:12 UTC 
SUSE-SU-2017:1716-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1040662,1045490
CVE References: CVE-2012-6706
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    clamav-0.99.2-32.1
SUSE Linux Enterprise Server for SAP 12 (src):    clamav-0.99.2-32.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    clamav-0.99.2-32.1
SUSE Linux Enterprise Server 12-SP2 (src):    clamav-0.99.2-32.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    clamav-0.99.2-32.1
SUSE Linux Enterprise Server 12-LTSS (src):    clamav-0.99.2-32.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    clamav-0.99.2-32.1
Comment 20 Reinhard Max 2017-06-30 08:17:58 UTC 
Hmm - the upstream patch seems to contain more fixes than ours. Shall we re-spin the update using that patch or can we wait for 0.99.3? I've asked upstream if they already have an ETA for the new release.
Comment 21 Marcus Meissner 2017-06-30 13:46:49 UTC 
Hmm, seems to have more fixes.

Please submit incremental.

one clamav is already out though
Comment 22 Swamp Workflow Management 2017-07-03 19:11:35 UTC 
SUSE-SU-2017:1763-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1045490,815106
CVE References: CVE-2012-6706
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    clamav-0.99.2-0.19.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    clamav-0.99.2-0.19.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    clamav-0.99.2-0.19.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    clamav-0.99.2-0.19.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    clamav-0.99.2-0.19.1
Comment 23 Swamp Workflow Management 2017-07-06 19:10:15 UTC 
openSUSE-SU-2017:1797-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1045490
CVE References: CVE-2012-6706
Sources used:
openSUSE Leap 42.2 (src):    clamav-0.99.2-16.3.1
Comment 24 Reinhard Max 2017-09-07 09:34:36 UTC 
Whoops, forgot to reassign this. I guess we can close it.