Red Hat Bugzilla – Bug 427285
CVE-2007-6595 clamav insecure /tmp file use
Last modified: 2008-04-25 04:50:30 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6595 to the following vulnerability:
ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files in the cli_gentempfd function in libclamav/others.c or on (2) .ascii files in sigtool, when utf16-decode is enabled.
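The vector (1) class of bug, a predictable temporary-file name opened with O_CREAT but without O_EXCL in a shared directory, is easy to reproduce outside ClamAV. The following C program is an added illustration and is not ClamAV code; it does not reproduce cli_gentempfd() or the 0.92.1 fix, and the "clamav-123456.tmp" name, the scratch directory and the victim file are constructed for the demonstration. It plants a symlink where the "scanner" expects to create its temp file and shows that the O_TRUNC open follows the link and empties the target, while an O_CREAT|O_EXCL open is refused and a mkstemp()-style unguessable name removes the race entirely:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: guessable name in a shared directory, O_CREAT without
 * O_EXCL. A symlink planted at that name is followed, and O_TRUNC empties
 * whatever the link points at. */
int open_tmp_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything, including
 * a symlink (dangling or not), already exists at the path. */
int open_tmp_secure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred form: mkstemp() chooses an unpredictable name and creates the
 * file atomically with O_EXCL, so there is no name to race. The chosen
 * path is left in 'out'. Template name is an assumption for this demo. */
int open_tmp_random(const char *dir, char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/clamav-XXXXXX", dir) >= (int)outlen)
        return -1;
    return mkstemp(out);
}

/* Simulates the race in a private scratch dir (standing in for /tmp):
 * a victim file exists, the attacker has planted a symlink under the
 * predictable temp name, then the scanner opens that name with 'opener'.
 * Returns 1 if the victim was clobbered, 0 if intact, -1 on setup failure. */
int simulate_symlink_attack(int (*opener)(const char *))
{
    char dir[] = "/tmp/clamdemo.XXXXXX";
    char victim[256], tmpname[256];
    const char *orig = "original contents\n"; /* constructed victim data */
    struct stat st;
    int fd, clobbered;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(tmpname, sizeof tmpname, "%s/clamav-123456.tmp", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, orig, strlen(orig)) != (ssize_t)strlen(orig))
        return -1;
    close(fd);

    /* attacker's move: link the scanner's temp name to the victim file */
    if (symlink(victim, tmpname) != 0)
        return -1;

    /* scanner's move: "create" its temporary file and write to it */
    fd = opener(tmpname);
    if (fd >= 0) {
        if (write(fd, "clobbered\n", 10) < 0)
            perror("write");
        close(fd);
    } else {
        fprintf(stderr, "open refused: %s\n", strerror(errno));
    }

    clobbered = (stat(victim, &st) == 0 && st.st_size != (off_t)strlen(orig));

    unlink(tmpname);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

/* Round-trip for the mkstemp variant: 1 if a fresh regular file with a
 * filled-in name was created and removed cleanly, else 0. */
int random_tmp_roundtrip(void)
{
    char path[256];
    struct stat st;
    int ok, fd = open_tmp_random("/tmp", path, sizeof path);

    if (fd < 0)
        return 0;
    ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1
         && strstr(path, "XXXXXX") == NULL;
    close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("O_TRUNC open:  victim clobbered = %d\n", simulate_symlink_attack(open_tmp_insecure));
    printf("O_EXCL open:   victim clobbered = %d\n", simulate_symlink_attack(open_tmp_secure));
    printf("mkstemp round-trip ok = %d\n", random_tmp_roundtrip());
    return 0;
}
```

The scratch directory is created with mkdtemp() (mode 0700, not sticky), so the kernel's fs.protected_symlinks restriction, which only applies to symlinks in sticky world-writable directories, does not mask the result; in a real /tmp that sysctl is an additional mitigation, not a substitute for O_EXCL or mkstemp().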
Ping on this -- Any chance this will get addressed soon?
(1) fixed here:
(2) remains unfixed upstream
Upstream bug report for this issue:
Moreover, upstream does not consider vector (2) a security issue:
Sigtool is primarily a tool for signature database developers and by no
means it was designed to be run with SUID/SGID bits set. There is no
practical exploitation of this "vulnerability" and it should not be
considered a security issue.
Issue (1), the more important of the two, was fixed in upstream version 0.92.1.
Issue (2) is not considered a security issue by upstream, as documented in
comment #6. It can only be exploited if a signature author uses sigtool in a world-
or group-writable directory. Moreover, there are probably one or two other
similar issues in sigtool; at least a race during *.info file creation seems
Given the upstream statement, I'm closing this as currentrelease - clamav-0.92.1.