Bug 426210 - (CVE-2007-6335) CVE-2007-6335 clamav: MEW PE File Integer Overflow Vulnerability (was CVE-2007-5759)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Assigned To: Red Hat Product Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: source=gentoo,reported=20071219,publi...
Keywords: Security
Duplicates: 426215
Depends On: 426211 426212 426213
Reported: 2007-12-19 06:48 EST by Tomas Hoger
Modified: 2016-03-04 07:29 EST

Doc Type: Bug Fix
Last Closed: 2008-01-22 14:25:03 EST
Attachments: None

Description Tomas Hoger 2007-12-19 06:48:13 EST
iDefense has reported a ClamAV security issue:

DESCRIPTION

Remote exploitation of an integer overflow vulnerability in Clam AntiVirus'
ClamAV, as included in various vendors' operating system distributions, allows
attackers to execute arbitrary code with the privileges of the affected
process.

The vulnerability exists within the code responsible for parsing PE files
packed with the MEW packer. During unpacking, two untrusted values are taken
directly from the file without being validated. These values are later used in
an arithmetic operation to calculate the size used to allocate a heap buffer.
This calculation can overflow, resulting in a buffer of insufficient size being
allocated. This later leads to arbitrary areas of memory being overwritten with
attacker supplied data. 

WORKAROUND

Disabling the scanning of PE files will prevent exploitation. If using
clamscan, this can be done by running clamscan with the '--no-pe' option. If
using clamdscan, set the 'ScanPE' option in the clamd.conf file to 'no'.

VENDOR RESPONSE

The ClamAV team has addressed this vulnerability within version 0.92.

Reference:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=634
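The allocation-size bug pattern the iDefense text describes (two untrusted values taken from the file, combined arithmetically into a heap-buffer size that wraps, followed by writes sized from the original values), shown as an added example. This is not ClamAV's code and not part of this bug report: the 12-byte header layout, the field names nsects/bsize/hdrlen, the 16 MiB sanity cap and the crafted inputs are all assumptions for illustration, and the MEW unpacker's real fields are not stated on this page. The loop counts the bytes that would land outside the buffer instead of actually corrupting the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed 12-byte header used only for this illustration. It is NOT the
 * MEW layout; it reproduces the shape of the bug the advisory describes:
 * values read straight from the file feed a size calculation whose result
 * is handed to the heap allocator. */
struct hdr {
    uint32_t nsects;  /* number of unpacked blocks the file claims */
    uint32_t bsize;   /* size of each unpacked block */
    uint32_t hdrlen;  /* bytes reserved at the front of the output buffer */
};

static int read_hdr(const uint8_t *file, size_t len, struct hdr *h)
{
    if (len < sizeof *h)
        return -1;
    memcpy(&h->nsects, file, 4);
    memcpy(&h->bsize, file + 4, 4);
    memcpy(&h->hdrlen, file + 8, 4);
    return 0;
}

/* Vulnerable pattern: 32-bit arithmetic on two untrusted operands wraps
 * silently, so 0x10000 * 0x10000 becomes 0 and the buffer ends up tiny. */
uint32_t alloc_size_unchecked(const struct hdr *h)
{
    return h->nsects * h->bsize + h->hdrlen;
}

/* Hardened pattern: widen to 64 bits (the product of two uint32 plus a
 * uint32 cannot overflow there), then refuse anything above a sanity cap. */
int alloc_size_checked(const struct hdr *h, uint64_t cap, uint32_t *out)
{
    uint64_t total = (uint64_t)h->nsects * h->bsize + h->hdrlen;
    if (total > cap || total > UINT32_MAX)
        return -1;
    *out = (uint32_t)total;
    return 0;
}

/* Simulated unpack loop. Where real code would memcpy decompressed data to
 * hdrlen + i*bsize and corrupt the heap, this writes only the part that
 * fits and counts the bytes that would have landed outside the buffer.
 * Returns -1 if the header is rejected, 0 otherwise. */
int unpack(const uint8_t *file, size_t len, int hardened, uint64_t *oob)
{
    struct hdr h;
    uint32_t alloc;
    uint8_t *buf;
    uint64_t i;

    *oob = 0;
    if (read_hdr(file, len, &h) < 0)
        return -1;
    if (hardened) {
        if (alloc_size_checked(&h, 16u << 20, &alloc) < 0) /* assumed 16 MiB cap */
            return -1;
    } else {
        alloc = alloc_size_unchecked(&h);
    }
    buf = malloc(alloc ? alloc : 1);
    if (!buf)
        return -1;
    for (i = 0; i < h.nsects; i++) {
        uint64_t off = (uint64_t)h.hdrlen + i * h.bsize;
        uint64_t fits = off < alloc ? alloc - off : 0;
        if (fits > h.bsize)
            fits = h.bsize;
        if (fits)
            memset(buf + off, 0x41, (size_t)fits);
        *oob += h.bsize - fits;
    }
    free(buf);
    return 0;
}

/* Builds the constructed header in host byte order and runs the unpacker.
 * Returns the out-of-bounds byte count, or UINT64_MAX if the header was
 * rejected. */
uint64_t demo(uint32_t nsects, uint32_t bsize, uint32_t hdrlen, int hardened)
{
    uint8_t file[12];
    uint64_t oob;
    memcpy(file, &nsects, 4);
    memcpy(file + 4, &bsize, 4);
    memcpy(file + 8, &hdrlen, 4);
    if (unpack(file, sizeof file, hardened, &oob) < 0)
        return UINT64_MAX;
    return oob;
}

int main(void)
{
    printf("benign  unchecked: %llu bytes OOB\n",
           (unsigned long long)demo(4, 0x100, 0x40, 0));
    printf("crafted unchecked: %llu bytes OOB\n",
           (unsigned long long)demo(0x10000, 0x10000, 0x40, 0));
    printf("crafted hardened : %s\n",
           demo(0x10000, 0x10000, 0x40, 1) == UINT64_MAX ? "rejected" : "accepted");
    return 0;
}
```

With the crafted header the unchecked path allocates 0x40 bytes and then tries to write 4 GiB past it, which is the "buffer of insufficient size" the advisory refers to; the checked path rejects the same header before any allocation. The fix is the 64-bit widening plus the cap, not the cap alone: a cap applied to the already-wrapped 32-bit value would pass.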
Comment 1 Tomas Hoger 2007-12-19 07:00:36 EST
PE scanning seems to be enabled by default.  As clamav is commonly used for
virus scanning incoming mail, it's the obvious remote exploitation vector.
Comment 2 Tomas Hoger 2007-12-19 10:45:52 EST
*** Bug 426215 has been marked as a duplicate of this bug. ***
Comment 3 Tomas Hoger 2007-12-20 03:52:52 EST
Debian has released a security advisory addressing this issue.  Their advisory
uses CVE-2007-6335 to identify this issue.  According to Mitre, the original CVE id
CVE-2007-5759 will be rejected as a duplicate of CVE-2007-6335.  The iDefense advisory
was already updated.

From DSA-1435-1:

# CVE-2007-6335
It was discovered that an integer overflow in the decompression code for MEW
archives may lead to the execution of arbitrary code.

http://www.debian.org/security/2007/dsa-1435
Comment 4 Red Hat Product Security 2008-01-22 14:25:03 EST
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-0170
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-0115

