Bugzilla – Bug 935939
VUL-0: CVE-2015-2278 CVE-2015-2282: clamsap: security fixes
Last modified: 2016-04-27 19:41:26 UTC
via clamsap update - Security fix for compression, see CVE-2015-2282 and CVE-2015-2278

CVE-2015-2278 is:
The LZH decompression implementation (CsObjectInt::BuildHufTree function in vpa108csulzh.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (out-of-bounds read) via unspecified vectors, related to look-ups of non-simple codes, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316.

CVE-2015-2282 is:
Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316.
(in OBS security/clamsap)
bugbot adjusting priority
FATE#319044: [ECO] Update clamsap was approved. Please submit fixed packages.
An update workflow for this issue was started. This issue was rated as "moderate". Please submit fixed packages until "Dec. 31, 2015". When done, reassign the bug to "security-team@suse.de". /update/121180/.
clamav.h needs openssl headers present, so add BuildRequires: libopenssl-devel
(In reply to Marcus Meissner from comment #8)
> clamav.h needs openssl headers present, so add
>
> BuildRequires: libopenssl-devel

Thanks: created request id 86966, 86970
Some details can be found here: http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities

The following is a diff between the old version (clamsap-0.9.8.0) and clamsap-0.98.9. Inside src/csdecompr.c:

The "7.1. LZC decompression stack-based buffer overflow" CVE-2015-2282 is fixed here:

333 @@ -2984,6 +3034,10 @@ int CsDecomprLZC (CSC * csc, 334 /* Generate output characters in reverse order ...................*/ 335 while (code >= 256) 336 { 337 + /* Check for end of stack */ 338 + if (stackp >= (DE_STACK + DE_STACK_OFFSET)){ 339 + return (CS_E_STACK_OVERFLOW); 340 + } 341 *stackp++ = TAB_SUFFIXOF(code); 342 OVERFLOW_CHECK 343 code = TAB_PREFIXOF(code);

The "7.2. LZH decompression out-of-bounds read" issue CVE-2015-2278 is handled here:

321 @@ -1937,6 +1982,11 @@ int BuildHufTree (CSHU *cshu, 322 } 323 else 324 { 325 + /* Added check for out-of-bounds read of e & d arrays */ 326 + if ((*p - s) >= (LENGTH_CODES + 2)){ 327 + return (CS_E_BAD_HUF_TREE); 328 + } 329 + 330 r.e = (unsigned char) e[*p - s]; /*non-simple,look up in lists*/ 331 r.v.n = (unsigned short) d[*p - s]; 332 p++;
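Review bot: In the CsDecomprLZC hunk, the new guard before `*stackp++ = TAB_SUFFIXOF(code);` is only correct if `DE_STACK + DE_STACK_OFFSET` is the address one past the last writable stack slot, and the hunk does not show either definition. Please state that in the "Check for end of stack" comment, or express the limit in terms of the stack buffer's declared size so the two cannot drift apart. The existing OVERFLOW_CHECK macro still runs after the write; the comment should say how it relates to the new check, or the macro should be dropped if it is now redundant. The guard also covers only the push inside this `while (code >= 256)` loop, so any other write through `stackp` in the function needs the same bound.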
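Review bot: In the BuildHufTree hunk, the added check bounds the index `*p - s` only from above, so a value of `*p` smaller than `s` would still reach `e[*p - s]` and `d[*p - s]` if the subtraction is evaluated as a signed type. The types of `*p` and `s` are not visible here; if the result can be negative, add a lower-bound test next to `(*p - s) >= (LENGTH_CODES + 2)`, or compute the index once into an unsigned local and use that for the check and both look-ups. The limit is also a fixed constant rather than the length of the `e` and `d` tables in use, so please confirm that every table handed to this function has at least `LENGTH_CODES + 2` entries, and note that assumption in the comment.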
released
SUSE-SU-2016:0805-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 935939
CVE References: CVE-2015-2278,CVE-2015-2282
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src): clamsap-0.98.9-4.1

SUSE-SU-2016:0807-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 935939
CVE References: CVE-2015-2278,CVE-2015-2282
Sources used:
SUSE Linux Enterprise Server for SAP 11-SP4 (src): clamsap-0.98.9-0.7.1