Bug 427286 (CVE-2007-6596)

Summary: CVE-2007-6596 clamav does not recognize Base64-UUEncoded files
Product: [Other] Security Response Reporter: Lubomir Kundrak <lkundrak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: rh-bugzilla, steve
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6596
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-04-25 08:44:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lubomir Kundrak 2008-01-02 19:46:45 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6596 to the following vulnerability:

ClamAV 0.92 does not recognize Base64 UUEncoded archives, which allows remote attackers to bypass the scanner via a Base64-UUEncoded file.

References:

http://www.securityfocus.com/archive/1/archive/1/485631/100/0/threaded
http://www.securityfocus.com/bid/27064
Comment 2 Lubomir Kundrak 2008-01-02 19:58:28 UTC 
Some do not consider this a security flaw and consider it a flaw of mail clients
which open files encoded in a nonstandard way. [1] It makes some sense, but it
definitely makes more sense to protect all possible clients therefore we do
consider it a problem.

I guess it is nontrivial to add and maintain a base64 decoder in our package --
is upstream going to implement this?

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=458532
Comment 3 Tomas Hoger 2008-04-25 08:44:30 UTC 
Upstream statement:

http://lurker.clamav.net/message/20080102.195717.b4bbdef2.en.html

  This is not really a security bug but rather a lack of feature. Any (massive)
  attempt to bypass the uuencode decoder can be stopped with regular signatures
  thanks to the fact that ClamAV additionally scans all files in raw mode.

Upstream considers this as RFE as well.  I'm closing this as UPSTREAM.  If this
will be implemented upstream, we'll have the "fix" after next re-base, which
happens frequently in Fedora and EPEL.