clamav: Security fix for CVE-2024-20505 and CVE-2024-20506kirkstone

CVES fixed: - CVE-2024-20505 clamav: out-of-bounds read bug in the PDF file parser - CVE-2024-20506 clamav: ClamD process writes to log file while privileged without checking if its been replaced with a symlink Upstream-Status: Backport from https://github.com/Cisco-Talos/clamav/commit/8915bd22570ee608907f1b88a68e587d17813812, https://github.com/Cisco-Talos/clamav/commit/88efeda2a4cb93a69cf0994c02a8987f06fa204d Signed-off-by: Rohini Sangam <rsangam@mvista.com> Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Rohini Sangam <rsangam@mvista.com> 2024-09-10 14:41:29 +0530
committer: Armin Kuster <akuster808@gmail.com> 2024-09-15 10:58:59 -0400
commit: b9cf9cd639bc8d1b4828eb0bd012b71486d35176 (patch)
tree: a577080488746db8b34fff7cdecb83908684c35b
parent: c50ef2937abb15c0c54994641746d0d88dcf6355 (diff)
download: meta-security-kirkstone.tar.gz
3 files changed, 216 insertions, 0 deletions
diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb b/recipes-scanners/clamav/clamav_0.104.0.bb
index 18e8329..0a6b92a 100644
--- a/recipes-scanners/clamav/clamav_0.104.0.bb
+++ b/recipes-scanners/clamav/clamav_0.104.0.bb
@@ -21,6 +21,8 @@ SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.104;protocol=http
    file://headers_fixup.patch \
    file://oe_cmake_fixup.patch \
    file://fix_systemd_socket.patch \
+    file://CVE-2024-20505.patch \
+    file://CVE-2024-20506.patch \
 "
 S = "${WORKDIR}/git"
diff --git a/recipes-scanners/clamav/files/CVE-2024-20505.patch b/recipes-scanners/clamav/files/CVE-2024-20505.patch
new file mode 100644
index 0000000..72db71f
--- /dev/null
+++ b/recipes-scanners/clamav/files/CVE-2024-20505.patch
@@ -0,0 +1,101 @@
+From 8915bd22570ee608907f1b88a68e587d17813812 Mon Sep 17 00:00:00 2001
+From: Micah Snyder <micasnyd@cisco.com>
+Date: Tue, 16 Jul 2024 11:22:05 -0400
+Subject: [PATCH] CVE-2024-20505: Fix possible out of bounds read in PDF parser
+Upstream-Status: Backport from https://github.com/Cisco-Talos/clamav/commit/8915bd22570ee608907f1b88a68e587d17813812
+CVE: CVE-2024-20505
+Signed-off-by: Rohini Sangam <rsangam@mvista.com>
+---
+ libclamav/pdf.c   | 46 ++++++++++++++++++++++++++++++++++++++++------
+ libclamav/pdfng.c |  5 +++++
+ 2 files changed, 45 insertions(+), 6 deletions(-)
+diff --git a/libclamav/pdf.c b/libclamav/pdf.c
+index a52833520..6b408dbe8 100644
+--- a/libclamav/pdf.c
+++ b/libclamav/pdf.c
+@@ -1009,8 +1009,26 @@ static size_t find_length(struct pdf_struct *pdf, struct pdf_obj *obj, const cha
+                 return 0;
+             }
+ 
+-            indirect_obj_start = pdf->map + obj->start;
+-            bytes_remaining    = pdf->size - obj->start;
+            if (NULL == obj->objstm) {
+                indirect_obj_start = (const char *)(obj->start + pdf->map);
+
+                if (!CLI_ISCONTAINED(pdf->map, pdf->size, indirect_obj_start, obj->size)) {
+                    cli_dbgmsg("find_length: indirect object found, but not contained in PDF\n");
+                    return 0;
+                }
+
+                bytes_remaining = pdf->size - obj->start;
+
+            } else {
+                indirect_obj_start = (const char *)(obj->start + obj->objstm->streambuf);
+
+                if (!CLI_ISCONTAINED(obj->objstm->streambuf, obj->objstm->streambuf_len, indirect_obj_start, obj->size)) {
+                    cli_dbgmsg("find_length: indirect object found, but not contained in PDF streambuf\n");
+                    return 0;
+                }
+
+                bytes_remaining = obj->objstm->streambuf_len - obj->start;
+            }
+ 
+             /* Ok so we found the indirect object, lets read the value. */
+             index = pdf_nextobject(indirect_obj_start, bytes_remaining);
+@@ -3095,14 +3113,30 @@ void pdf_handle_enc(struct pdf_struct *pdf)
+ 
+     obj = find_obj(pdf, pdf->objs[0], pdf->enc_objid);
+     if (!obj) {
+-        cli_dbgmsg("pdf_handle_enc: can't find encrypted object %d %d\n", pdf->enc_objid >> 8, pdf->enc_objid & 0xff);
+-        noisy_warnmsg("pdf_handle_enc: can't find encrypted object %d %d\n", pdf->enc_objid >> 8, pdf->enc_objid & 0xff);
+        cli_dbgmsg("pdf_handle_enc: can't find encryption object %d %d\n", pdf->enc_objid >> 8, pdf->enc_objid & 0xff);
+        noisy_warnmsg("pdf_handle_enc: can't find encryption object %d %d\n", pdf->enc_objid >> 8, pdf->enc_objid & 0xff);
+         return;
+     }
+ 
+     len = obj->size;
+-    q   = (obj->objstm) ? (const char *)(obj->start + obj->objstm->streambuf)
+-                      : (const char *)(obj->start + pdf->map);
+
+    if (NULL == obj->objstm) {
+        q = (const char *)(obj->start + pdf->map);
+
+        if (!CLI_ISCONTAINED(pdf->map, pdf->size, q, len)) {
+            cli_dbgmsg("pdf_handle_enc: encryption object found, but not contained in PDF\n");
+            noisy_warnmsg("pdf_handle_enc: encryption object found, but not contained in PDF\n");
+            return;
+        }
+    } else {
+        q = (const char *)(obj->start + obj->objstm->streambuf);
+
+        if (!CLI_ISCONTAINED(obj->objstm->streambuf, obj->objstm->streambuf_len, q, len)) {
+            cli_dbgmsg("pdf_handle_enc: encryption object found, but not contained in PDF streambuf\n");
+            noisy_warnmsg("pdf_handle_enc: encryption object found, but not contained in PDF streambuf\n");
+            return;
+        }
+    }
+ 
+     O = U = UE = StmF = StrF = EFF = NULL;
+     do {
+diff --git a/libclamav/pdfng.c b/libclamav/pdfng.c
+index 98c67a2cd..164de37d6 100644
+--- a/libclamav/pdfng.c
+++ b/libclamav/pdfng.c
+@@ -450,6 +450,11 @@ char *pdf_parse_string(struct pdf_struct *pdf, struct pdf_obj *obj, const char *
+         if (!(newobj))
+             return NULL;
+ 
+       if (!CLI_ISCONTAINED(pdf->map, pdf->size, newobj->start, newobj->size)) {
+            cli_dbgmsg("pdf_parse_string: object not contained in PDF\n");
+            return NULL;
+        }
+
+         if (newobj == obj)
+             return NULL;
+ 
+-- 
+2.35.7
diff --git a/recipes-scanners/clamav/files/CVE-2024-20506.patch b/recipes-scanners/clamav/files/CVE-2024-20506.patch
new file mode 100644
index 0000000..27465c9
--- /dev/null
+++ b/recipes-scanners/clamav/files/CVE-2024-20506.patch
@@ -0,0 +1,113 @@
+From 88efeda2a4cb93a69cf0994c02a8987f06fa204d Mon Sep 17 00:00:00 2001
+From: Micah Snyder <micasnyd@cisco.com>
+Date: Mon, 26 Aug 2024 14:00:51 -0400
+Subject: [PATCH] CVE-2024-20506: Disable following symlinks when opening log files 
+Upstream-Status: Backport from https://github.com/Cisco-Talos/clamav/commit/88efeda2a4cb93a69cf0994c02a8987f06fa204d
+CVE: CVE-2024-20506
+Signed-off-by: Rohini Sangam <rsangam@mvista.com>
+---
+ common/output.c | 50 ++++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 39 insertions(+), 11 deletions(-)
+diff --git a/common/output.c b/common/output.c
+index 8d66f62a1..99aa711b9 100644
+--- a/common/output.c
+++ b/common/output.c
+@@ -58,6 +58,12 @@
+ 
+ #include "output.h"
+ 
+// Define O_NOFOLLOW for systems that don't have it.
+// Notably, Windows doesn't have O_NOFOLLOW.
+#ifndef O_NOFOLLOW
+#define O_NOFOLLOW 0
+#endif
+
+ #ifdef CL_THREAD_SAFE
+ #include <pthread.h>
+ pthread_mutex_t logg_mutex     = PTHREAD_MUTEX_INITIALIZER;
+@@ -323,7 +329,6 @@ int logg(const char *str, ...)
+     char buffer[1025], *abuffer = NULL, *buff;
+     time_t currtime;
+     size_t len;
+-    mode_t old_umask;
+ #ifdef F_WRLCK
+     struct flock fl;
+ #endif
+@@ -357,18 +362,36 @@ int logg(const char *str, ...)
+     logg_open();
+ 
+     if (!logg_fp && logg_file) {
+-        old_umask = umask(0037);
+-        if ((logg_fp = fopen(logg_file, "at")) == NULL) {
+-            umask(old_umask);
+       int logg_file_fd = -1;
+
+        logg_file_fd = open(logg_file, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0640);
+        if (-1 == logg_file_fd) {
+            char errbuf[128];
+            cli_strerror(errno, errbuf, sizeof(errbuf));
+            printf("ERROR: Failed to open log file %s: %s\n", logg_file, errbuf);
+
+ #ifdef CL_THREAD_SAFE
+             pthread_mutex_unlock(&logg_mutex);
+ #endif
+-            printf("ERROR: Can't open %s in append mode (check permissions!).\n", logg_file);
+-            if (len > sizeof(buffer))
+            if (abuffer)
+                 free(abuffer);
+             return -1;
+-        } else
+-            umask(old_umask);
+        }
+
+        logg_fp = fdopen(logg_file_fd, "at");
+        if (NULL == logg_fp) {
+            char errbuf[128];
+            cli_strerror(errno, errbuf, sizeof(errbuf));
+            printf("ERROR: Failed to convert the open log file descriptor for %s to a FILE* handle: %s\n", logg_file, errbuf);
+
+            close(logg_file_fd);
+#ifdef CL_THREAD_SAFE
+            pthread_mutex_unlock(&logg_mutex);
+#endif
+            if (abuffer)
+                free(abuffer);
+            return -1;
+        }
+ 
+ #ifdef F_WRLCK
+         if (logg_lock) {
+@@ -381,11 +404,16 @@ int logg(const char *str, ...)
+                 else
+ #endif
+                 {
+                   char errbuf[128];
+                    cli_strerror(errno, errbuf, sizeof(errbuf));
+                    printf("ERROR: Failed to lock the log file %s: %s\n", logg_file, errbuf);
+
+ #ifdef CL_THREAD_SAFE
+                     pthread_mutex_unlock(&logg_mutex);
+ #endif
+-                    printf("ERROR: %s is locked by another process\n", logg_file);
+-                    if (len > sizeof(buffer))
+                    fclose(logg_fp);
+                    logg_fp = NULL;
+                    if (abuffer)
+                         free(abuffer);
+                     return -1;
+                 }
+@@ -462,7 +490,7 @@ int logg(const char *str, ...)
+     pthread_mutex_unlock(&logg_mutex);
+ #endif
+ 
+-    if (len > sizeof(buffer))
+    if (abuffer)
+         free(abuffer);
+     return 0;
+ }
+-- 
+2.35.7
author	Rohini Sangam <rsangam@mvista.com>	2024-09-10 14:41:29 +0530
committer	Armin Kuster <akuster808@gmail.com>	2024-09-15 10:58:59 -0400
commit	b9cf9cd639bc8d1b4828eb0bd012b71486d35176 (patch)
tree	a577080488746db8b34fff7cdecb83908684c35b
parent	c50ef2937abb15c0c54994641746d0d88dcf6355 (diff)
download	meta-security-kirkstone.tar.gz

diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb b/recipes-scanners/clamav/clamav_0.104.0.bb index 18e8329..0a6b92a 100644 --- a/recipes-scanners/clamav/clamav_0.104.0.bb +++ b/recipes-scanners/clamav/clamav_0.104.0.bb
@@ -21,6 +21,8 @@ SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.104;protocol=http
21	file://headers_fixup.patch \	21	file://headers_fixup.patch \
22	file://oe_cmake_fixup.patch \	22	file://oe_cmake_fixup.patch \
23	file://fix_systemd_socket.patch \	23	file://fix_systemd_socket.patch \
		24	file://CVE-2024-20505.patch \
		25	file://CVE-2024-20506.patch \
24	"	26	"
25	S = "${WORKDIR}/git"	27	S = "${WORKDIR}/git"
26		28


diff --git a/recipes-scanners/clamav/files/CVE-2024-20505.patch b/recipes-scanners/clamav/files/CVE-2024-20505.patch new file mode 100644 index 0000000..72db71f --- /dev/null +++ b/recipes-scanners/clamav/files/CVE-2024-20505.patch
@@ -0,0 +1,101 @@
		1	From 8915bd22570ee608907f1b88a68e587d17813812 Mon Sep 17 00:00:00 2001
		2	From: Micah Snyder <micasnyd@cisco.com>
		3	Date: Tue, 16 Jul 2024 11:22:05 -0400
		4	Subject: [PATCH] CVE-2024-20505: Fix possible out of bounds read in PDF parser
		5
		6	Upstream-Status: Backport from https://github.com/Cisco-Talos/clamav/commit/8915bd22570ee608907f1b88a68e587d17813812
		7	CVE: CVE-2024-20505
		8
		9	Signed-off-by: Rohini Sangam <rsangam@mvista.com>
		10	---
		11	libclamav/pdf.c \| 46 ++++++++++++++++++++++++++++++++++++++++------
		12	libclamav/pdfng.c \| 5 +++++
		13	2 files changed, 45 insertions(+), 6 deletions(-)
		14
		15	diff --git a/libclamav/pdf.c b/libclamav/pdf.c
		16	index a52833520..6b408dbe8 100644
		17	--- a/libclamav/pdf.c
		18	+++ b/libclamav/pdf.c
		19	@@ -1009,8 +1009,26 @@ static size_t find_length(struct pdf_struct pdf, struct pdf_obj obj, const cha
		20	return 0;
		21	}
		22
		23	- indirect_obj_start = pdf->map + obj->start;
		24	- bytes_remaining = pdf->size - obj->start;
		25	+ if (NULL == obj->objstm) {
		26	+ indirect_obj_start = (const char *)(obj->start + pdf->map);
		27	+
		28	+ if (!CLI_ISCONTAINED(pdf->map, pdf->size, indirect_obj_start, obj->size)) {
		29	+ cli_dbgmsg("find_length: indirect object found, but not contained in PDF\n");
		30	+ return 0;
		31	+ }
		32	+
		33	+ bytes_remaining = pdf->size - obj->start;
		34	+
		35	+ } else {
		36	+ indirect_obj_start = (const char *)(obj->start + obj->objstm->streambuf);
		37	+
		38	+ if (!CLI_ISCONTAINED(obj->objstm->streambuf, obj->objstm->streambuf_len, indirect_obj_start, obj->size)) {
		39	+ cli_dbgmsg("find_length: indirect object found, but not contained in PDF streambuf\n");
		40	+ return 0;
		41	+ }
		42	+
		43	+ bytes_remaining = obj->objstm->streambuf_len - obj->start;
		44	+ }
		45
		46	/* Ok so we found the indirect object, lets read the value. */
		47	index = pdf_nextobject(indirect_obj_start, bytes_remaining);
		48	@@ -3095,14 +3113,30 @@ void pdf_handle_enc(struct pdf_struct *pdf)
		49
		50	obj = find_obj(pdf, pdf->objs[0], pdf->enc_objid);
		51	if (!obj) {
		52	- cli_dbgmsg("pdf_handle_enc: can't find encrypted object %d %d\n", pdf->enc_objid >> 8, pdf->enc_objid & 0xff);
		53	- noisy_warnmsg("pdf_handle_enc: can't find encrypted object %d %d\n", pdf->enc_objid >> 8, pdf->enc_objid & 0xff);
		54	+ cli_dbgmsg("pdf_handle_enc: can't find encryption object %d %d\n", pdf->enc_objid >> 8, pdf->enc_objid & 0xff);
		55	+ noisy_warnmsg("pdf_handle_enc: can't find encryption object %d %d\n", pdf->enc_objid >> 8, pdf->enc_objid & 0xff);
		56	return;
		57	}
		58
		59	len = obj->size;
		60	- q = (obj->objstm) ? (const char *)(obj->start + obj->objstm->streambuf)
		61	- : (const char *)(obj->start + pdf->map);
		62	+
		63	+ if (NULL == obj->objstm) {
		64	+ q = (const char *)(obj->start + pdf->map);
		65	+
		66	+ if (!CLI_ISCONTAINED(pdf->map, pdf->size, q, len)) {
		67	+ cli_dbgmsg("pdf_handle_enc: encryption object found, but not contained in PDF\n");
		68	+ noisy_warnmsg("pdf_handle_enc: encryption object found, but not contained in PDF\n");
		69	+ return;
		70	+ }
		71	+ } else {
		72	+ q = (const char *)(obj->start + obj->objstm->streambuf);
		73	+
		74	+ if (!CLI_ISCONTAINED(obj->objstm->streambuf, obj->objstm->streambuf_len, q, len)) {
		75	+ cli_dbgmsg("pdf_handle_enc: encryption object found, but not contained in PDF streambuf\n");
		76	+ noisy_warnmsg("pdf_handle_enc: encryption object found, but not contained in PDF streambuf\n");
		77	+ return;
		78	+ }
		79	+ }
		80
		81	O = U = UE = StmF = StrF = EFF = NULL;
		82	do {
		83	diff --git a/libclamav/pdfng.c b/libclamav/pdfng.c
		84	index 98c67a2cd..164de37d6 100644
		85	--- a/libclamav/pdfng.c
		86	+++ b/libclamav/pdfng.c
		87	@@ -450,6 +450,11 @@ char pdf_parse_string(struct pdf_struct pdf, struct pdf_obj obj, const char
		88	if (!(newobj))
		89	return NULL;
		90
		91	+ if (!CLI_ISCONTAINED(pdf->map, pdf->size, newobj->start, newobj->size)) {
		92	+ cli_dbgmsg("pdf_parse_string: object not contained in PDF\n");
		93	+ return NULL;
		94	+ }
		95	+
		96	if (newobj == obj)
		97	return NULL;
		98
		99	--
		100	2.35.7
		101


diff --git a/recipes-scanners/clamav/files/CVE-2024-20506.patch b/recipes-scanners/clamav/files/CVE-2024-20506.patch new file mode 100644 index 0000000..27465c9 --- /dev/null +++ b/recipes-scanners/clamav/files/CVE-2024-20506.patch
@@ -0,0 +1,113 @@
		1	From 88efeda2a4cb93a69cf0994c02a8987f06fa204d Mon Sep 17 00:00:00 2001
		2	From: Micah Snyder <micasnyd@cisco.com>
		3	Date: Mon, 26 Aug 2024 14:00:51 -0400
		4	Subject: [PATCH] CVE-2024-20506: Disable following symlinks when opening log files
		5
		6	Upstream-Status: Backport from https://github.com/Cisco-Talos/clamav/commit/88efeda2a4cb93a69cf0994c02a8987f06fa204d
		7	CVE: CVE-2024-20506
		8
		9	Signed-off-by: Rohini Sangam <rsangam@mvista.com>
		10	---
		11	common/output.c \| 50 ++++++++++++++++++++++++++++++++++++++-----------
		12	1 file changed, 39 insertions(+), 11 deletions(-)
		13
		14	diff --git a/common/output.c b/common/output.c
		15	index 8d66f62a1..99aa711b9 100644
		16	--- a/common/output.c
		17	+++ b/common/output.c
		18	@@ -58,6 +58,12 @@
		19
		20	#include "output.h"
		21
		22	+// Define O_NOFOLLOW for systems that don't have it.
		23	+// Notably, Windows doesn't have O_NOFOLLOW.
		24	+#ifndef O_NOFOLLOW
		25	+#define O_NOFOLLOW 0
		26	+#endif
		27	+
		28	#ifdef CL_THREAD_SAFE
		29	#include <pthread.h>
		30	pthread_mutex_t logg_mutex = PTHREAD_MUTEX_INITIALIZER;
		31	@@ -323,7 +329,6 @@ int logg(const char *str, ...)
		32	char buffer[1025], abuffer = NULL, buff;
		33	time_t currtime;
		34	size_t len;
		35	- mode_t old_umask;
		36	#ifdef F_WRLCK
		37	struct flock fl;
		38	#endif
		39	@@ -357,18 +362,36 @@ int logg(const char *str, ...)
		40	logg_open();
		41
		42	if (!logg_fp && logg_file) {
		43	- old_umask = umask(0037);
		44	- if ((logg_fp = fopen(logg_file, "at")) == NULL) {
		45	- umask(old_umask);
		46	+ int logg_file_fd = -1;
		47	+
		48	+ logg_file_fd = open(logg_file, O_WRONLY \| O_CREAT \| O_APPEND \| O_NOFOLLOW, 0640);
		49	+ if (-1 == logg_file_fd) {
		50	+ char errbuf[128];
		51	+ cli_strerror(errno, errbuf, sizeof(errbuf));
		52	+ printf("ERROR: Failed to open log file %s: %s\n", logg_file, errbuf);
		53	+
		54	#ifdef CL_THREAD_SAFE
		55	pthread_mutex_unlock(&logg_mutex);
		56	#endif
		57	- printf("ERROR: Can't open %s in append mode (check permissions!).\n", logg_file);
		58	- if (len > sizeof(buffer))
		59	+ if (abuffer)
		60	free(abuffer);
		61	return -1;
		62	- } else
		63	- umask(old_umask);
		64	+ }
		65	+
		66	+ logg_fp = fdopen(logg_file_fd, "at");
		67	+ if (NULL == logg_fp) {
		68	+ char errbuf[128];
		69	+ cli_strerror(errno, errbuf, sizeof(errbuf));
		70	+ printf("ERROR: Failed to convert the open log file descriptor for %s to a FILE* handle: %s\n", logg_file, errbuf);
		71	+
		72	+ close(logg_file_fd);
		73	+#ifdef CL_THREAD_SAFE
		74	+ pthread_mutex_unlock(&logg_mutex);
		75	+#endif
		76	+ if (abuffer)
		77	+ free(abuffer);
		78	+ return -1;
		79	+ }
		80
		81	#ifdef F_WRLCK
		82	if (logg_lock) {
		83	@@ -381,11 +404,16 @@ int logg(const char *str, ...)
		84	else
		85	#endif
		86	{
		87	+ char errbuf[128];
		88	+ cli_strerror(errno, errbuf, sizeof(errbuf));
		89	+ printf("ERROR: Failed to lock the log file %s: %s\n", logg_file, errbuf);
		90	+
		91	#ifdef CL_THREAD_SAFE
		92	pthread_mutex_unlock(&logg_mutex);
		93	#endif
		94	- printf("ERROR: %s is locked by another process\n", logg_file);
		95	- if (len > sizeof(buffer))
		96	+ fclose(logg_fp);
		97	+ logg_fp = NULL;
		98	+ if (abuffer)
		99	free(abuffer);
		100	return -1;
		101	}
		102	@@ -462,7 +490,7 @@ int logg(const char *str, ...)
		103	pthread_mutex_unlock(&logg_mutex);
		104	#endif
		105
		106	- if (len > sizeof(buffer))
		107	+ if (abuffer)
		108	free(abuffer);
		109	return 0;
		110	}
		111	--
		112	2.35.7
		113