Red Hat Bugzilla – Bug 240395
CVE-2007-2650: clamav OLE2 parser DoS
Last modified: 2007-11-30 17:12:04 EST
"The OLE2 parser in Clam AntiVirus (ClamAV) allows remote attackers to cause a
denial of service (resource consumption) via an OLE2 file with (1) a large
property size or (2) a loop in the FAT file block chain that triggers an
infinite loop, as demonstrated via a crafted DOC file."
Affected versions unknown.
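As an added illustration of the two triggers in the CVE text above (this is example code written for this page, not ClamAV's OLE2 parser and not the upstream fix): a minimal OLE2 FAT chain walker in C. The FAT is the Compound File Binary array in which entry s holds the next sector of the chain containing sector s, terminated by ENDOFCHAIN. The naive walker follows that chain and never returns on a crafted FAT that contains a cycle; the checked walker uses a visited bitmap so it can take at most one step per FAT entry, and a second check rejects a stream whose declared size is larger than its chain can back. The sample FAT, the function names and the 512-byte sector size are assumptions made here for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* OLE2 / Compound File Binary chain terminator. The other FAT sentinels
 * (FREESECT 0xFFFFFFFF, FATSECT 0xFFFFFFFD, DIFSECT 0xFFFFFFFC) are never
 * valid sector numbers either, so a range check against the FAT size
 * rejects all of them. */
#define OLE2_ENDOFCHAIN 0xFFFFFFFEu

/* Constructed sample FAT with 8 sectors (not taken from any real file):
 *   0 -> 1 -> 2 -> END     well-formed 3-sector chain
 *   3 -> 4 -> 3 -> ...     cycle: the infinite-loop pattern in the CVE text
 *   5 -> 9                 index past the end of the FAT
 *   6 -> FREESECT          sentinel that is not ENDOFCHAIN
 *   7 -> END               single-sector chain */
#define SAMPLE_NFAT 8
const uint32_t sample_fat[SAMPLE_NFAT] = {
    1, 2, OLE2_ENDOFCHAIN, 4, 3, 9, 0xFFFFFFFFu, OLE2_ENDOFCHAIN
};

/* Naive walker: follow fat[s] until ENDOFCHAIN. It bounds-checks the index
 * but does nothing about revisits, so on a FAT with a cycle it never
 * terminates. It is here only to show the vulnerable pattern; do not run
 * it on untrusted input. */
size_t ole2_chain_len_naive(const uint32_t *fat, size_t nfat, uint32_t start)
{
    size_t n = 0;
    uint32_t s = start;
    while (s != OLE2_ENDOFCHAIN) {
        if (s >= nfat)
            break;              /* out of range: stops, but caller can't tell */
        n++;
        s = fat[s];
    }
    return n;
}

/* Checked walker: a well-formed chain visits each sector at most once, so a
 * visited bitmap bounds the walk to nfat steps regardless of input.
 * Returns the chain length, or -1 for a cycle, an index outside the FAT,
 * or a non-ENDOFCHAIN sentinel. */
long ole2_chain_len_checked(const uint32_t *fat, size_t nfat, uint32_t start)
{
    unsigned char *seen;
    long n = 0;
    uint32_t s = start;

    if (s == OLE2_ENDOFCHAIN)
        return 0;               /* empty stream */
    seen = calloc(nfat, 1);
    if (!seen)
        return -1;
    while (s != OLE2_ENDOFCHAIN) {
        if (s >= nfat || seen[s]) {     /* bad index, sentinel, or revisit */
            free(seen);
            return -1;
        }
        seen[s] = 1;
        n++;
        s = fat[s];
    }
    free(seen);
    return n;
}

/* Cross-check the size a directory entry declares for a stream against the
 * sectors its chain actually provides. A declared size that the chain cannot
 * back is the "large property size" case: a parser that allocates or loops
 * on the declared size rather than on the data present can be driven into
 * resource exhaustion. Returns 1 if the stream is consistent, 0 otherwise. */
int ole2_stream_ok(const uint32_t *fat, size_t nfat, uint32_t start,
                   uint32_t sector_size, uint64_t declared_size)
{
    long nsect = ole2_chain_len_checked(fat, nfat, start);
    if (nsect < 0)
        return 0;
    return declared_size <= (uint64_t)nsect * sector_size;
}

int main(void)
{
    printf("chain from sector 0: %ld sectors\n",
           ole2_chain_len_checked(sample_fat, SAMPLE_NFAT, 0));
    printf("chain from sector 3: %ld (-1 means rejected as a cycle)\n",
           ole2_chain_len_checked(sample_fat, SAMPLE_NFAT, 3));
    printf("stream at sector 0 declaring 1500 bytes: %s\n",
           ole2_stream_ok(sample_fat, SAMPLE_NFAT, 0, 512, 1500) ? "ok" : "rejected");
    return 0;
}
```

The bitmap costs one byte per FAT entry, which is small next to the FAT itself; a parser that prefers not to allocate can instead cap the step count at nfat, which also guarantees termination but reports the cycle only after walking the whole bound.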
This has been open for over a month now. Could someone please either:
- explain why this doesn't affect FC6/F7 and close
- upgrade to secure version(s) and close
First of all, it looks like all versions before 0.90.3 are affected.
The upstream bug:
Here's the commit that fixed it:
I don't know if this applies OK to the old 0.88.x versions.
All the other vendors I see have just shipped the 0.90.3 version.
Sorry; the package with patches has been ready and in CVS for several weeks, but my
local FC6 build and test system is broken and I could not test the changes.
Then just push the changes without testing them, it's better than letting the
security fixes stay unfixed.
I happen to use an FC6 box here for email processing. Would you like me to test?
Just rebuild the one from FC-6 cvs and confirm it works? Or do you have example
files that I can run on it?
What's the status of this? Do you need any help building stuff?
If your FC6 installation is broken, could you at least do it for F7? I see
0.90.3 is in Rawhide, so it should not be difficult to push the build.
If there is no way you can build this, could you at least ask one of the senior
folks like Ville to expand the maintainers list for this package, so that others
can do it?
FC7 was built some weeks ago. Dunno in which queue it is stuck...
Did you go to https://admin.fedoraproject.org/updates/ to push it through?
Reopening and adjusting release as there's no update for F7 yet. Searching for
clamav in bodhi (URL in comment 8) produces no hits.
If you're not up to date with how to push updates for F7+, see
at comment #9: exactly... I do not have a clue how to use bodhi; the "My updates"
and two other lists are all empty and do not show
When I go to New Updates and type in clamav, I get a list of packages, including
clamav-0.90.3-1.fc7. Have you tried that?
Just requested that this new package be pushed to stable updates of F7.
clamav-0.90.3-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Thanks, Bojan. Could someone familiar with clamav also check whether this
update fixes the bunch of issues in bug 245219 as well?