Bug 12371 – Possible instance of CVE-2019-12900 in libclamav/nsis/bzlib.c

Bug 12371 - Possible instance of CVE-2019-12900 in libclamav/nsis/bzlib.c


Summary:	Possible instance of CVE-2019-12900 in libclamav/nsis/bzlib.c

Status:	RESOLVED FIXED

Product:	ClamAV
Classification:	ClamAV
Component:	libclamav
Version:	CVS
Hardware:	All All

Importance:	P3 security
Target Milestone:	0.101.0
Assigned To:	Mickey Sola

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2019-08-07 07:33 EDT by martin
Modified:	2021-11-02 13:46 EDT (History)
CC List:	3 users (show)

See Also:
QA Contact:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description martin 2019-08-07 07:33:20 EDT

I've not got a test case, but it looks like CVE-2019-12900 affects BZ2_decompress in libclamav/nsis/bzlib.c.

Possible fixes in 

https://sourceware.org/git/?p=bzip2.git;a=commitdiff;h=7ed62bfb46e87a9e878712603469440e6882b184

or

https://sourceware.org/git/?p=bzip2.git;a=commitdiff;h=b07b105d1b66e32760095e3602261738443b9e13

Comment 1 Micah Snyder 2019-08-07 12:40:36 EDT

Hi Martin,

Thanks for reporting the issue.  We'll look into it right away.

Regards,
Micah

Comment 2 Mickey Sola 2019-08-15 17:50:22 EDT

This has been patched up: https://github.com/Cisco-Talos/clamav-devel/commit/0249be88182ffeac9a3677736a1be2021c6c1b05

Comment 3 Sebastian A. Siewior 2019-08-27 07:52:56 EDT

bzip2 is already a build dependency. Is there a reason why the nsis part not using system's libbz2 but has its own in-tree copy?

Comment 4 Micah Snyder 2019-08-27 16:54:57 EDT

We were wondering the same thing. Probably not a good reason. The NSIS code is also 3rd party (no longer maintained afaik).  Perhaps we should take it on and change it to use libbz2.

Comment 5 Ahmed Sayeed 2021-11-02 13:46:04 EDT

#0  compute_frame_id (fi=0x10007c50040) at /home/simark/src/wt/good/gdb/frame.c:549
#1  0x000001000324ddd8 http://the-hunters.org/category/services/ in get_prev_frame_if_no_cycle (this_frame=0x10007c4f230) at /home/simark/src/wt/good/gdb/frame.c:1927 http://www-look-4.com/health/covid-and-tech/
#2  0x000001000324f9f8 in get_prev_frame_always_1 (this_frame=0x10007c4f230) at /home/simark/src/wt/good/gdb/frame.c:2108 https://komiya-dental.com/property/google-android/
#3  0x000001000324fa38 in get_prev_frame_always (this_frame=0x10007c4f230) at /home/simark/src/wt/good/gdb/frame.c:2124 http://www.iu-bloomington.com/shopping/hatchback-cars/
#4  0x00000100032511fc in get_prev_frame (this_frame=0x10007c4f230) at /home/simark/src/wt/good/gdb/frame.c:2376 https://waytowhatsnext.com/sports/asian-sports/
#5  0x00000100042972c0 in backtrace_command_1 (fp_opts=..., bt_opts=..., http://www.wearelondonmade.com/technology/van-technology/  count_exp=0x0, from_tty=1) at /home/simark/src/wt/good/gdb/stack.c:2055
#6  0x0000010004297918 in backtrace_command (arg=0x0, from_tty=1) at /home/simark/src/wt/good/gdb/stack.c:2183 http://www.jopspeech.com/travel/windows-11/
#7  0x0000010002a4a538 in do_const_cfunc (c=0x10007c93390, args=0x0, from_tty=1) at /home/simark/src/wt/good/gdb/cli/cli-decode.c:107 http://joerg.li/health/covid-and-tech/
#8  0x0000010002a56ea4 in cmd_func (cmd=0x10007c93390, args=0x0, from_tty=1) at /home/simark/src/wt/good/gdb/cli/cli-decode.c:1952 http://connstr.net/services/mobile-games/
#9  0x00000100045e32e4 in execute_command (p=0x10007ab9c52 "", from_tty=1) at /home/simark/src/wt/good/gdb/top.c:653 http://embermanchester.uk/services/whatsapp-number-change/
#10 0x00000100031b21c0 in command_handler (command=0x10007ab9c50 "bt") at /home/simark/src/wt/good/gdb/event-top.c:587 http://www.slipstone.co.uk/property/hp-of-cars/
#11 0x00000100031b2d4c in command_line_handler (rl=...) at /home/simark/src/wt/good/gdb/event-top.c:772 http://www.logoarts.co.uk/travel/london/
#12 0x00000100031b06e4 in gdb_rl_callback_handler (rl=0x10007cc5e30 "bt") at /home/simark/src/wt/good/gdb/event-top.c:218 http://fishingnewsletters.co.uk/category/crypto/
#13 0x0000010004ae6410 in rl_callback_read_char () at http://www.acpirateradio.co.uk/health/transportation-security/ /home/simark/src/wt/good/readline/readline/callback.c:281
#14 0x00000100031b02b0 in gdb_rl_callback_read_char_wrapper_noexcept () at http://www.go-mk-websites.co.uk/category/crypto/ /home/simark/src/wt/good/gdb/event-top.c:176 http://www.compilatori.com/technology/download-videos/
#15 0x00000100031b03d4 in gdb_rl_callback_read_char_wrapper (client_data=0x10007ab99c0) at /home/simark/src/wt/good/gdb/event-top.c:193 http://www.mconstantine.co.uk/category/crypto/
#16 0x00000100031b1a4c in stdin_event_handler (error=0, client_data=0x10007ab99c0) at /home/simark/src/wt/good/gdb/event-top.c:515 https://www.webb-dev.co.uk/services/navona-trains/
#17 0x00000100031aa778 in handle_file_event (file_ptr=0x10007d6aa20, ready_mask=1) at /home/simark/src/wt/good/gdb/event-loop.c:731
#18 0x00000100031ab3e0 in gdb_wait_for_event (block=1) at