Bug 442360 - (CVE-2008-1100) CVE-2008-1100 clamav: Upack Processing Buffer Overflow Vulnerability
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
: Security
Depends On: 442362 442363 442364
Reported: 2008-04-14 11:23 EDT by Tomas Hoger
Modified: 2008-06-19 06:49 EDT
Doc Type: Bug Fix
Last Closed: 2008-06-19 06:49:09 EDT
Description Tomas Hoger 2008-04-14 11:23:30 EDT
Quoting Secunia advisory:

Secunia Research has discovered a vulnerability in ClamAV, which can be
exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the "cli_scanpe()"
function in libclamav/pe.c. This can be exploited to cause a heap-based buffer
overflow via a specially crafted "Upack" executable.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in versions 0.92 and 0.92.1. Prior versions may
also be affected.

An updated version should be available shortly. The PE scanning module has been
remotely switched off after 10/03/2008.

Do not scan untrusted PE files.

Provided and/or discovered by:
Alin Rad Pop, Secunia Research.

Comment 1 Tomas Hoger 2008-04-14 11:24:57 EDT
Upstream 0.93 final is not yet available.
Comment 2 Robert Scheck 2008-04-14 11:30:39 EDT
Affects Fedora 7, 8, 9/Rawhide as well as EPEL 4 and 5.
Comment 4 Robert Scheck 2008-04-14 16:54:17 EDT
Build Result: 38757 - clamav on fedora-4-epel (38757-clamav-0.93-1.el4)
Build Result: 38756 - clamav on fedora-5-epel (38756-clamav-0.93-1.el5)
Comment 5 Enrico Scholz 2008-04-14 20:46:11 EDT
You know that clamav-0.93 contains API + configuration file changes and shipping
this version would violate EPEL guidelines?
Comment 6 Robert Scheck 2008-04-15 02:14:35 EDT
Well, just the same as 0.8x -> 0.9x, but unfortunately not really avoidable. In
the past, clamav already had to ignore this part of the guideline (guideline !=
policy) some times, because upstream is just doing fscking release management.
Comment 7 Tomas Hoger 2008-04-15 04:24:34 EDT
Patch for this issue is now committed in upstream SVN:

svn diff -c 3788 http://svn.clamav.net/svn/clamav-devel/trunk/libclamav/pe.c

However, according to the ChangeLog, 0.93 fixed a couple more issues.  At least one
overflow and a couple of crasher bugs...

Mon Apr 14 21:35:11 CEST 2008 (tk)
  * Check in 0.93 patches:
    - libclamunrar: bb#541 (RAR - Version required to extract - Evasion)
    - libclamav/spin.c: bb#876 (PeSpin Heap Overflow Vulnerability)
    - libclamav/pe.c: bb#878 (Upack Buffer Overflow Vulnerability)
    - libclamav/message.c: bb#881 (message.c: read beyond allocated region)
    - libclamav/unarj.c: bb#897 (ARJ: Sample from CERT-FI hangs clamav)
    - libclamunrar: bb#898 (RAR crashes on some fuzzed files from CERT-FI)


Seems all changes were committed in revision 3788 if you want to extract
individual patches.
Comment 8 Fedora Update System 2008-04-25 07:18:03 EDT
clamav-0.92.1-2.fc7 has been submitted as an update for Fedora 7
Comment 9 Fedora Update System 2008-04-29 16:56:16 EDT
clamav-0.92.1-2.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2008-04-29 17:01:24 EDT
clamav-0.92.1-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2008-05-13 11:17:39 EDT
clamav-0.93-1.fc9 has been submitted as an update for Fedora 9
Comment 12 Fedora Update System 2008-05-14 18:09:02 EDT
clamav-0.93-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.