iDefense has reported a ClamAV security issue:

DESCRIPTION

Remote exploitation of an integer overflow vulnerability in Clam AntiVirus' ClamAV, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the affected process.

The vulnerability exists within the code responsible for parsing PE files packed with the MEW packer. During unpacking, two untrusted values are taken directly from the file without being validated. These values are later used in an arithmetic operation to calculate the size used to allocate a heap buffer. This calculation can overflow, resulting in a buffer of insufficient size being allocated. This later leads to arbitrary areas of memory being overwritten with attacker supplied data.

WORKAROUND

Disabling the scanning of PE files will prevent exploitation. If using clamscan, this can be done by running clamscan with the '--no-pe' option. If using clamdscan, set the 'ScanPE' option in the clamd.conf file to 'no'.

VENDOR RESPONSE

The ClamAV team has addressed this vulnerability within version 0.92.

Reference: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=634
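The bug class the advisory describes (two untrusted 32-bit header fields multiplied and added to compute a heap buffer size, with the result silently wrapping) is illustrated below with an added C example. This is not ClamAV code and does not model the MEW unpacker's actual fields or layout; the header struct, the `HEADER_BYTES` overhead, the 64 MiB cap and the function names are constructed for the illustration. It contrasts the naive 32-bit calculation with a widened, capped calculation that rejects the file instead of allocating an undersized buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical pair of 32-bit fields read straight from an untrusted file. */
typedef struct {
    uint32_t count;  /* e.g. number of entries claimed by the header */
    uint32_t size;   /* e.g. bytes per entry claimed by the header */
} untrusted_hdr_t;

/* Constructed fixed overhead added on top of count * size. */
#define HEADER_BYTES 16u

/* Constructed upper bound on any unpack buffer (64 MiB). A parser should
 * refuse sizes above a sane ceiling even when the arithmetic does not wrap. */
#define MAX_UNPACK_BYTES ((size_t)64u << 20)

/* Naive form: all arithmetic is done in 32 bits, so count * size wraps
 * modulo 2^32 and a huge request can become a tiny allocation. Shown for
 * contrast only; it is the pattern the advisory warns about. */
uint32_t naive_buffer_size(const untrusted_hdr_t *h)
{
    return h->count * h->size + HEADER_BYTES;
}

/* Checked form: widen to 64 bits (the product of two uint32 values always
 * fits), then enforce an explicit cap. Returns 0 and stores the size in
 * *out on success, -1 if the request is too large to be legitimate. */
int checked_buffer_size(const untrusted_hdr_t *h, size_t cap, size_t *out)
{
    uint64_t total = (uint64_t)h->count * (uint64_t)h->size;
    total += HEADER_BYTES;          /* cannot overflow uint64 after the widening */
    if (total > (uint64_t)cap)
        return -1;                  /* malformed or hostile header: reject */
    *out = (size_t)total;
    return 0;
}

/* Allocation helper that only ever allocates a validated size. A scanner
 * would treat NULL as "malformed input, skip unpacking", not as fatal. */
unsigned char *alloc_unpack_buffer(const untrusted_hdr_t *h, size_t cap)
{
    size_t n;
    if (checked_buffer_size(h, cap, &n) != 0)
        return NULL;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed header whose 32-bit product wraps to 16 bytes. */
    untrusted_hdr_t hostile = { 0x10000001u, 0x10u };
    size_t n = 0;

    printf("naive size:   %u bytes\n", naive_buffer_size(&hostile));
    if (checked_buffer_size(&hostile, MAX_UNPACK_BYTES, &n) != 0)
        printf("checked size: rejected (exceeds cap after widening)\n");
    else
        printf("checked size: %zu bytes\n", n);
    return 0;
}
```

The naive path returns 32 bytes for a header that actually describes over 4 GiB of data, which is exactly the undersized-buffer condition that later lets copied data run past the allocation. The checked path never reaches `calloc` for that header.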
PE scanning seems to be enabled by default. As clamav is commonly used for virus scanning incoming mails, it's the obvious remote exploitation vector.
*** Bug 426215 has been marked as a duplicate of this bug. ***
Debian has released a security advisory addressing this issue. Their advisory uses CVE-2007-6335 to identify this issue. According to Mitre, the original CVE id CVE-2007-5759 will be rejected as a duplicate of CVE-2007-6335. The iDefense advisory was already updated.

From DSA-1435-1:

# CVE-2007-6335
It was discovered that an integer overflow in the decompression code for MEW archives may lead to the execution of arbitrary code.

http://www.debian.org/security/2007/dsa-1435
This issue was addressed in:

Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-0170
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-0115