Bug 240395 (CVE-2007-2650) - CVE-2007-2650: clamav OLE2 parser DoS
Summary: CVE-2007-2650: clamav OLE2 parser DoS
Alias: CVE-2007-2650
Product: Fedora
Classification: Fedora
Component: clamav
Version: 7
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Enrico Scholz
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2007-05-17 07:37 UTC by Ville Skyttä
Modified: 2007-11-30 22:12 UTC (History)
3 users (show)

Fixed In Version: 0.90.3-1.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-07-19 16:45:36 UTC
Type: ---

Attachments (Terms of Use)

Description Ville Skyttä 2007-05-17 07:37:52 UTC

"The OLE2 parser in Clam AntiVirus (ClamAV) allows remote attackers to cause a
denial of service (resource consumption) via an OLE2 file with (1) a large
property size or (2) a loop in the FAT file block chain that triggers an
infinite loop, as demonstrated via a crafted DOC file."

Affected versions unknown.

Comment 1 Bojan Smojver 2007-06-20 01:58:47 UTC
This has been open for over a month now. Could someone please either:

- explain why this doesn't affect FC6/F7 and close
- upgrade to secure version(s) and close

Comment 2 Kevin Fenzi 2007-06-21 02:47:29 UTC
First of all it looks like all versions before 0.90.3 are affected. 

The upstream bug:

Here's the commit that fixed it: 

I don't know if this applies ok to the old 0.88.x versions. 
All the other vendors I see have just shipped the 0.90.3 version. 

Comment 3 Enrico Scholz 2007-06-21 06:54:14 UTC
sorry; package with patches is ready and in CVS for several weeks. But my local
FC6 build- and testsystem is broken and I could not test the changes.

Comment 4 Kevin Kofler 2007-06-21 21:54:32 UTC
Then just push the changes without testing them, it's better than letting the 
security fixes stay unfixed.

Comment 5 Kevin Fenzi 2007-06-22 16:22:06 UTC
I happen to use a fc6 box here for email processing. Would you like me to test? 
Just rebuild the one from FC-6 cvs and confirm it works? Or do you have example
files that I can run on it?

Comment 6 Bojan Smojver 2007-07-12 00:16:32 UTC
What's the status of this? Do you need any help building stuff?

If your FC6 installation is broken, could you at least do it for F7? I see
0.90.3 is in Rawhide, so it should not be difficult to push the build.

If there is no way you can build this, could you at least ask one of the senior
folks like Ville to expand the maintainers list for this package, so that others
can do it?

Comment 7 Enrico Scholz 2007-07-12 06:29:01 UTC
FC7 was built some weeks ago. Dunno, in which queue it is stuck...

Comment 8 Bojan Smojver 2007-07-12 07:37:49 UTC
Did you go to https://admin.fedoraproject.org/updates/ to push it through?

Comment 9 Ville Skyttä 2007-07-12 19:11:13 UTC
Reopening and adjusting release as there's no update for F7 yet.  Searching for
clamav in bodhi (URL in comment 8) produces no hits.

If you're not up to date with how to push updates for F7+, see

Comment 10 Enrico Scholz 2007-07-12 19:40:14 UTC
at comment #9: exactly... I do not have a clue how to use bodi; the "My updates"
and to other lists are all empty and do not show

Comment 11 Bojan Smojver 2007-07-12 22:24:07 UTC
When I go to New Updates and type in clamav, I get a list of packages, including
clamav-0.90.3-1.fc7. Have you tried that?

Comment 12 Bojan Smojver 2007-07-16 21:35:11 UTC

Comment 13 Bojan Smojver 2007-07-18 21:26:28 UTC
Just requested that this new package be pushed to stable updates of F7.

Comment 14 Fedora Update System 2007-07-19 16:45:31 UTC
clamav-0.90.3-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Ville Skyttä 2007-07-19 18:03:26 UTC
Thanks, Bojan.  Could someone familiar with clamav also check whether this
update fixes the bunch of issues in bug 245219 as well?

Note You need to log in before you can comment on or make changes to this bug.