Bug 426210 (CVE-2007-6335)

Summary: CVE-2007-6335 clamav: MEW PE File Integer Overflow Vulnerability (was CVE-2007-5759)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: bojan, redhat-bugzilla, rh-bugzilla, steve
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6335
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-22 19:25:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 426211, 426212, 426213    
Bug Blocks:    

Description Tomas Hoger 2007-12-19 11:48:13 UTC 
iDefense has reported a ClamAV security issue:

DESCRIPTION

Remote exploitation of an integer overflow vulnerability in Clam AntiVirus'
ClamAV, as included in various vendors' operating system distributions, allows
attackers to execute arbitrary code with the privileges of the affected
process.

The vulnerability exists within the code responsible for parsing PE files
packed with the MEW packer. During unpacking, two untrusted values are taken
directly from the file without being validated. These values are later used in
an arithmetic operation to calculate the size used to allocate a heap buffer.
This calculation can overflow, resulting in a buffer of insufficient size being
allocated. This later leads to arbitrary areas of memory being overwritten with
attacker supplied data. 

WORKAROUND

Disabling the scanning of PE files will prevent exploitation. If using
clamscan, this can be done by running clamscan with the '--no-pe' option. If
using clamdscan, set the 'ScanPE' option in the clamd.conf file to 'no'.

VENDOR RESPONSE

The ClamAV team has addressed this vulnerability within version 0.92.

Reference:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=634
Comment 1 Tomas Hoger 2007-12-19 12:00:36 UTC 
PE scanning seems to be enabled by default.  As clamav is commonly used for
virus scanning incoming mails, it's the obvious remote exploitation vector.
Comment 2 Tomas Hoger 2007-12-19 15:45:52 UTC 
*** Bug 426215 has been marked as a duplicate of this bug. ***
Comment 3 Tomas Hoger 2007-12-20 08:52:52 UTC 
Debian has released security advisory addressing this issue.  Their advisory
uses CVE-2007-6335 to identify this issue.  According to Mitre, original CVE id
CVE-2007-5759 will be rejected as duplicate of CVE-2007-6335.  iDefense advisory
was already updated.

From DSA-1435-1:

# CVE-2007-6335
It was discovered that an integer overflow in the decompression code for MEW
archives may lead to the execution of arbitrary code.

http://www.debian.org/security/2007/dsa-1435
Comment 4 Red Hat Product Security 2008-01-22 19:25:03 UTC 
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-0170
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-0115