Bug 164262 - ClamAV: Multiple remote buffer overflows in versions <= 0.86.1
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: clamav (Show other bugs)
Version: 4
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Enrico Scholz
QA Contact: Fedora Extras Quality Assurance
URL: http://seclists.org/lists/fulldisclos...
Keywords: Security
Depends On:
Blocks:
Reported: 2005-07-26 09:31 EDT by Sven Wahl
Modified: 2007-11-30 17:11 EST

Doc Type: Bug Fix
Last Closed: 2005-07-28 04:49:07 EDT

Attachments: None
Description Sven Wahl 2005-07-26 09:31:42 EDT
+++ This bug was initially created as a clone of Bug #164253 +++

Description of problem:
From: <list_at_rem0te.com>
Date: Mon, 25 Jul 2005 13:29:28 +0000

Date
July 25, 2005

Vulnerability
ClamAV is the most widely used GPL antivirus library today. It provides file
format support for virus analysis. During analysis ClamAV Antivirus Library is
vulnerable to buffer overflows allowing attackers complete control of the
system. These vulnerabilities can be exploited remotely without user interaction
or authentication through common protocols such as SMTP, SMB, HTTP, FTP, etc.

Specifically, ClamAV is responsible for parsing multiple file formats. At least
4 of its file format processors contain remote security bugs. Specifically,
during the processing of TNEF, CHM, & FSG formats an attacker is able to trigger
several integer overflows that allow attackers to overwrite heap data to obtain
complete control of the system. These vulnerabilities can be reached by default
and triggered without user interaction by sending an e-mail containing crafted data.

Impact
Successful exploitation of ClamAV protected systems allows attackers
unauthorized control of data and related privileges. It also provides leverage
for further network compromise. ClamAV implementations are likely vulnerable in
their default configuration.

Affected Products
ClamAV 0.86.1 (current) and prior

There are numerous implementations of ClamAV listed on their site which are
likely vulnerable. One party of note is Apple. Apple includes ClamAV by default
in Mac OS X Server. In addition, ClamAV has been ported to Windows and a variety
of other platforms by third parties whose implementations are also likely
vulnerable. Refer to vendor for specifics.

Credit
These vulnerabilities were discovered and researched by Neel Mehta & Alex Wheeler.

Contact
security_at_rem0te.com

Details
http://www.rem0te.com/public/images/clamav.pdf


Version-Release number of selected component (if applicable):
<= 0.86.1

How reproducible:
Always

Steps to Reproduce:
Install affected product version (ClamAV 0.86.1 or prior)

Additional info:
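The bug class the advisory describes (an attacker-controlled 32-bit length in a file-format parser that wraps during a bounds check and lets a later copy run past the heap buffer) is shown below as an added illustration. This is not ClamAV's code and not the actual defect; it is a constructed TNEF-style attribute walker, with the attribute layout (signature, key, then level/id/type/length/data/checksum records) as assumed here, contrasting the wrap-prone check with a subtraction-based one.

```c
#include <stdint.h>
#include <stddef.h>

/* TNEF-style layout assumed for this example: 4-byte signature 0x223E9F78,
 * 2-byte key, then attributes of u8 level, u16 id, u16 type, u32 length,
 * <length> data bytes and a u16 checksum. All fields little-endian. */
#define TNEF_HDR  6u
#define ATTR_HDR  9u   /* level + id + type + length */
#define ATTR_TAIL 2u   /* checksum */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Wrap-prone check: the untrusted length is ADDED to the offset in 32-bit
 * arithmetic, so a huge length wraps past zero and the check wrongly passes.
 * Kept only to show the defect; never use this form. */
int naive_fits(uint32_t off, uint32_t len, uint32_t total) {
    return off + ATTR_HDR + len + ATTR_TAIL <= total;
}

/* Hardened check: compare the length against the bytes actually remaining,
 * computed by subtraction from known-good values, so nothing can wrap. */
int safe_fits(size_t off, uint32_t len, size_t total) {
    if (off > total || total - off < ATTR_HDR + ATTR_TAIL) return 0;
    return len <= total - off - ATTR_HDR - ATTR_TAIL;
}

/* Walk the stream with the hardened check. Returns the attribute count, or -1
 * if the signature is wrong or an attribute claims more bytes than exist. */
int tnef_count_attrs(const uint8_t *buf, size_t n) {
    size_t off = TNEF_HDR;
    int count = 0;
    if (n < TNEF_HDR || rd32le(buf) != 0x223E9F78u) return -1;
    while (off < n) {
        if (!safe_fits(off, 0, n)) return -1;          /* room for header + checksum? */
        uint32_t len = rd32le(buf + off + 5);          /* length follows level/id/type */
        if (!safe_fits(off, len, n)) return -1;        /* room for the data? */
        off += ATTR_HDR + (size_t)len + ATTR_TAIL;     /* cannot exceed n now */
        count++;
    }
    return count;
}

/* Constructed sample streams (not real samples): one well-formed attribute of
 * 3 bytes, and one whose length field 0xFFFFFFF4 makes naive_fits() wrap. */
static const uint8_t GOOD[] = { 0x78,0x9F,0x3E,0x22, 0x00,0x00,
    0x01, 0x03,0x80, 0x04,0x00, 0x03,0x00,0x00,0x00, 'a','b','c', 0x00,0x00 };
static const uint8_t BAD[]  = { 0x78,0x9F,0x3E,0x22, 0x00,0x00,
    0x01, 0x03,0x80, 0x04,0x00, 0xF4,0xFF,0xFF,0xFF, 'a','b','c', 0x00,0x00 };
int demo_good(void) { return tnef_count_attrs(GOOD, sizeof GOOD); }  /* returns 1 */
int demo_bad(void)  { return tnef_count_attrs(BAD, sizeof BAD); }    /* returns -1 */
```

With the BAD stream, naive_fits(6, 0xFFFFFFF4, 20) evaluates 6 + 9 + 0xFFFFFFF4 + 2, which wraps to 5 and passes, while safe_fits() rejects it; a copy sized from that length is exactly the heap overwrite the advisory warns of.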
Comment 1 Sven Wahl 2005-07-28 04:49:07 EDT
Resolved with the release of:

clamav-0.86.2-2.fc4.i386.rpm
clamav-data-0.86.2-2.fc4.i386.rpm
clamav-devel-0.86.2-2.fc4.i386.rpm
clamav-lib-0.86.2-2.fc4.i386.rpm
clamav-milter-0.86.2-2.fc4.i386.rpm
clamav-server-0.86.2-2.fc4.i386.rpm
clamav-update-0.86.2-2.fc4.i386.rpm

clamav-0.86.2-2.fc4.ppc.rpm
clamav-data-0.86.2-2.fc4.ppc.rpm
clamav-devel-0.86.2-2.fc4.ppc.rpm
clamav-lib-0.86.2-2.fc4.ppc.rpm
clamav-milter-0.86.2-2.fc4.ppc.rpm
clamav-server-0.86.2-2.fc4.ppc.rpm
clamav-update-0.86.2-2.fc4.ppc.rpm

clamav-0.86.2-2.fc4.x86_64.rpm
clamav-data-0.86.2-2.fc4.x86_64.rpm
clamav-devel-0.86.2-2.fc4.x86_64.rpm
clamav-lib-0.86.2-2.fc4.x86_64.rpm
clamav-milter-0.86.2-2.fc4.x86_64.rpm
clamav-server-0.86.2-2.fc4.x86_64.rpm
clamav-update-0.86.2-2.fc4.x86_64.rpm


Thanks a lot for your efforts!
