Red Hat Bugzilla – Bug 442360
CVE-2008-1100 clamav: Upack Processing Buffer Overflow Vulnerability
Last modified: 2008-06-19 06:49:09 EDT
Quoting Secunia advisory:
Secunia Research has discovered a vulnerability in ClamAV, which can be
exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to a boundary error within the "cli_scanpe()"
function in libclamav/pe.c. This can be exploited to cause a heap-based buffer
overflow via a specially crafted "Upack" executable.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in versions 0.92 and 0.92.1. Prior versions may
also be affected.
An updated version should be available shortly. The PE scanning module has been
remotely switched off after 10/03/2008.
Do not scan untrusted PE files.
Provided and/or discovered by:
Alin Rad Pop, Secunia Research.
Upstream 0.93 final is not yet available.
Affects Fedora 7, 8, 9/Rawhide as well as EPEL 4 and 5.
Build Result: 38757 - clamav on fedora-4-epel (38757-clamav-0.93-1.el4)
Build Result: 38756 - clamav on fedora-5-epel (38756-clamav-0.93-1.el5)
You know that clamav-0.93 contains API + configuration file changes and shipping
this version would violate EPEL guidelines?
Well, just the same as 0.8x -> 0.9x, but unfortunately not really avoidable. In
the past, clamav already had to ignore this part of the guideline (guideline !=
policy) sometimes, because upstream is just doing fscking release management.
The patch for this issue is now committed in upstream SVN:
svn diff -c 3788 http://svn.clamav.net/svn/clamav-devel/trunk/libclamav/pe.c
However, according to the ChangeLog, 0.93 fixed a couple more issues. At least one
overflow and a couple of crasher bugs...
Mon Apr 14 21:35:11 CEST 2008 (tk)
* Check in 0.93 patches:
- libclamunrar: bb#541 (RAR - Version required to extract - Evasion)
- libclamav/spin.c: bb#876 (PeSpin Heap Overflow Vulnerability)
- libclamav/pe.c: bb#878 (Upack Buffer Overflow Vulnerability)
- libclamav/message.c: bb#881 (message.c: read beyond allocated region)
- libclamav/unarj.c: bb#897 (ARJ: Sample from CERT-FI hangs clamav)
- libclamunrar: bb#898 (RAR crashes on some fuzzed files from CERT-FI)
Seems all changes were committed in revision 3788 if you want to extract
clamav-0.92.1-2.fc7 has been submitted as an update for Fedora 7
clamav-0.92.1-2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
clamav-0.92.1-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
clamav-0.93-1.fc9 has been submitted as an update for Fedora 9
clamav-0.93-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: