Bug 240395 (CVE-2007-2650)
Summary: | CVE-2007-2650: clamav OLE2 parser DoS | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ville Skyttä <ville.skytta> |
Component: | clamav | Assignee: | Enrico Scholz <rh-bugzilla> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Priority: | medium |
Version: | 7 | CC: | bojan, fedora-security-list, james.teh |
Hardware: | All | OS: | Linux |
Keywords: | Reopened, Security | Doc Type: | Bug Fix |
Fixed In Version: | 0.90.3-1.fc7 | Last Closed: | 2007-07-19 16:45:36 UTC |

Description
Ville Skyttä
2007-05-17 07:37:52 UTC
This has been open for over a month now. Could someone please either:

- explain why this doesn't affect FC6/F7 and close
- upgrade to secure version(s) and close

First of all it looks like all versions before 0.90.3 are affected.

The upstream bug: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=466

Here's the commit that fixed it: http://svn.clamav.net/websvn/diff.php?repname=clamav-devel&path=%2Ftrunk%2Flibclamav%2Fole2_extract.c&rev=3078&sc=1

I don't know if this applies ok to the old 0.88.x versions. All the other vendors I see have just shipped the 0.90.3 version.

Sorry; package with patches is ready and in CVS for several weeks. But my local FC6 build and test system is broken and I could not test the changes.

Then just push the changes without testing them, it's better than letting the security fixes stay unfixed.

I happen to use a fc6 box here for email processing. Would you like me to test? Just rebuild the one from FC-6 cvs and confirm it works? Or do you have example files that I can run on it?

What's the status of this? Do you need any help building stuff?

If your FC6 installation is broken, could you at least do it for F7? I see 0.90.3 is in Rawhide, so it should not be difficult to push the build. If there is no way you can build this, could you at least ask one of the senior folks like Ville to expand the maintainers list for this package, so that others can do it?

FC7 was built some weeks ago. Dunno, in which queue it is stuck...

Did you go to https://admin.fedoraproject.org/updates/ to push it through?

Reopening and adjusting release as there's no update for F7 yet. Searching for clamav in bodhi (URL in comment 8) produces no hits. If you're not up to date with how to push updates for F7+, see http://fedoraproject.org/wiki/PackageMaintainers/UpdatingPackageHowTo

At comment #9: exactly... I do not have a clue how to use bodhi; the "My updates" and two other lists are all empty and do not show http://koji.fedoraproject.org/koji/buildinfo?buildID=9624

When I go to New Updates and type in clamav, I get a list of packages, including clamav-0.90.3-1.fc7. Have you tried that?

Ping...

Just requested that this new package be pushed to stable updates of F7.

clamav-0.90.3-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

Thanks, Bojan. Could someone familiar with clamav also check whether this update fixes the bunch of issues in bug 245219 as well?