Bug 442360 (CVE-2008-1100)
Summary: | CVE-2008-1100 clamav: Upack Processing Buffer Overflow Vulnerability | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | redhat-bugzilla, rh-bugzilla, robert.scheck, steve |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2008-06-19 10:49:09 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 442362, 442363, 442364 | ||
Bug Blocks: |
Description
Tomas Hoger
2008-04-14 15:23:30 UTC
Upstream 0.93 final is not yet available. Affects Fedora 7, 8, 9/Rawhide as well as EPEL 4 and 5. Build Result: 38757 - clamav on fedora-4-epel (38757-clamav-0.93-1.el4) Build Result: 38756 - clamav on fedora-5-epel (38756-clamav-0.93-1.el5) you know that clamav-0.93 contains API + configuration file changes and shipping this version would violate EPEL guidelines? Well, just same like 0.8x -> 0.9x, but unfortunately not really avoidable. In the past, clamav already had to ignore this part of the guideline (guideline != policy) some times, because upstream is just doing fscking release management. Patch for this issue is now committed in upstream SVN: svn diff -c 3788 http://svn.clamav.net/svn/clamav-devel/trunk/libclamav/pe.c However, according to ChangeLog, 0.93 fixed couple more issues. At least one overflow and couple of crasher bugs... Mon Apr 14 21:35:11 CEST 2008 (tk) ---------------------------------- * Check in 0.93 patches: - libclamunrar: bb#541 (RAR - Version required to extract - Evasion) - libclamav/spin.c: bb#876 (PeSpin Heap Overflow Vulnerability) - libclamav/pe.c: bb#878 (Upack Buffer Overflow Vulnerability) - libclamav/message.c: bb#881 (message.c: read beyond allocated region) - libclamav/unarj.c: bb#897 (ARJ: Sample from CERT-FI hangs clamav) - libclamunrar: bb#898 (RAR crashes on some fuzzed files from CERT-FI) http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog Seems all changes were committed in revision 3788 if you want to extract individual patches. clamav-0.92.1-2.fc7 has been submitted as an update for Fedora 7 clamav-0.92.1-2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report. clamav-0.92.1-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. clamav-0.93-1.fc9 has been submitted as an update for Fedora 9 clamav-0.93-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. |