Red Hat Bugzilla – Bug 426210
CVE-2007-6335 clamav: MEW PE File Integer Overflow Vulnerability (was CVE-2007-5759)
Last modified: 2016-03-04 07:29:29 EST
iDefense has reported a ClamAV security issue:
Remote exploitation of an integer overflow vulnerability in Clam AntiVirus'
ClamAV, as included in various vendors' operating system distributions, allows
attackers to execute arbitrary code with the privileges of the affected
The vulnerability exists within the code responsible for parsing PE files
packed with the MEW packer. During unpacking, two untrusted values are taken
directly from the file without being validated. These values are later used in
an arithmetic operation to calculate the size used to allocate a heap buffer.
This calculation can overflow, resulting in a buffer of insufficient size being
allocated. This later leads to arbitrary areas of memory being overwritten with
attacker supplied data.
Disabling the scanning of PE files will prevent exploitation. If using
clamscan, this can be done by running clamscan with the '--no-pe' option. If
using clamdscan, set the 'ScanPE' option in the clamd.conf file to 'no'.
The ClamAV team has addressed this vulnerability within version 0.92.
PE scanning seems to be enabled by default. As clamav is commonly used for
virus scanning incoming mails, it's the obvious remote exploitation vector.
*** Bug 426215 has been marked as a duplicate of this bug. ***
Debian has released security advisory addressing this issue. Their advisory
uses CVE-2007-6335 to identify this issue. According to Mitre, original CVE id
CVE-2007-5759 will be rejected as duplicate of CVE-2007-6335. iDefense advisory
was already updated.
It was discovered that an integer overflow in the decompression code for MEW
archives may lead to the execution of arbitrary code.
This issue was addressed in: