Bug 426210 (CVE-2007-6335) - CVE-2007-6335 clamav: MEW PE File Integer Overflow Vulnerability (was CVE-2007-5759)
Summary: CVE-2007-6335 clamav: MEW PE File Integer Overflow Vulnerability (was CVE-200...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-6335
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
: 426215 (view as bug list)
Depends On: 426211 426212 426213
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-12-19 11:48 UTC by Tomas Hoger
Modified: 2019-09-29 12:22 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-22 19:25:03 UTC


Attachments (Terms of Use)

Description Tomas Hoger 2007-12-19 11:48:13 UTC
iDefense has reported a ClamAV security issue:

DESCRIPTION

Remote exploitation of an integer overflow vulnerability in Clam AntiVirus'
ClamAV, as included in various vendors' operating system distributions, allows
attackers to execute arbitrary code with the privileges of the affected
process.

The vulnerability exists within the code responsible for parsing PE files
packed with the MEW packer. During unpacking, two untrusted values are taken
directly from the file without being validated. These values are later used in
an arithmetic operation to calculate the size used to allocate a heap buffer.
This calculation can overflow, resulting in a buffer of insufficient size being
allocated. This later leads to arbitrary areas of memory being overwritten with
attacker supplied data. 

WORKAROUND

Disabling the scanning of PE files will prevent exploitation. If using
clamscan, this can be done by running clamscan with the '--no-pe' option. If
using clamdscan, set the 'ScanPE' option in the clamd.conf file to 'no'.

VENDOR RESPONSE

The ClamAV team has addressed this vulnerability within version 0.92.

Reference:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=634

Comment 1 Tomas Hoger 2007-12-19 12:00:36 UTC
PE scanning seems to be enabled by default.  As clamav is commonly used for
virus scanning incoming mails, it's the obvious remote exploitation vector.

Comment 2 Tomas Hoger 2007-12-19 15:45:52 UTC
*** Bug 426215 has been marked as a duplicate of this bug. ***

Comment 3 Tomas Hoger 2007-12-20 08:52:52 UTC
Debian has released security advisory addressing this issue.  Their advisory
uses CVE-2007-6335 to identify this issue.  According to Mitre, original CVE id
CVE-2007-5759 will be rejected as duplicate of CVE-2007-6335.  iDefense advisory
was already updated.

From DSA-1435-1:

# CVE-2007-6335
It was discovered that an integer overflow in the decompression code for MEW
archives may lead to the execution of arbitrary code.

http://www.debian.org/security/2007/dsa-1435


Comment 4 Red Hat Product Security 2008-01-22 19:25:03 UTC
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-0170
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-0115




Note You need to log in before you can comment on or make changes to this bug.