Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6595 to the following vulnerability: ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files in the cli_gentempfd function in libclamav/others.c or on (2) .ascii files in sigtool, when utf16-decode is enabled.

References:
http://www.securityfocus.com/archive/1/archive/1/485631/100/0/threaded
http://www.securityfocus.com/bid/27064
Ping on this -- Any chance this will get addressed soon?
http://bugs.gentoo.org/show_bug.cgi?id=204340
(1) fixed here: http://svn.clamav.net/websvn/diff.php?repname=clamav-devel&path=%2Ftrunk%2Flibclamav%2Fothers.c&rev=3490&sc=0
(2) remains unfixed upstream
Upstream bug report for this issue: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=752 Moreover, upstream does not consider vector (2) a security issue: http://lurker.clamav.net/message/20080102.195717.b4bbdef2.en.html "Sigtool is primarily a tool for signature database developers and by no means was it designed to be run with SUID/SGID bits set. There is no practical exploitation of this 'vulnerability' and it should not be considered a security issue."
Issue (1) - the more important of the two - was fixed in upstream version 0.92.1. Issue (2) is not considered a security issue by upstream, as documented in comment #6. It can only be exploited if the signature author uses sigtool in a world- or group-writable directory. Moreover, there are probably one or two other similar issues in sigtool - at least a race during *.info file creation seems possible. Given the upstream statement, I'm closing this as currentrelease - clamav-0.92.1.
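Both vectors in this bug are the same file-creation mistake: opening a predictable path with O_CREAT but without O_EXCL, so a symlink planted at that path redirects the write. The following is an added illustration, not ClamAV's or sigtool's code, of the weak pattern next to the hardened one (O_CREAT|O_EXCL|O_NOFOLLOW, or mkstemp() for true temporary files), with a self-check that plants a symlink in a fresh mkdtemp() directory and confirms the hardened opener refuses it. The function names, the "victim.txt"/"output.ascii" names and the scratch directory are constructed for the demo.

```c
/* Added example (not ClamAV code): safe vs. unsafe file creation against
 * a pre-planted symlink. Assumed names: open_unsafe, open_safe, open_tmp, demo. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: predictable name, O_CREAT without O_EXCL. If a symlink already
 * sits at `path`, open() follows it and the data lands on the link target. */
int open_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if *anything* is already
 * at `path`, a symlink included (POSIX guarantees this regardless of what the
 * link points to); O_NOFOLLOW is defence in depth. Returns fd or -1. */
int open_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* For genuinely temporary files, let mkstemp() choose an unpredictable name
 * and create it atomically (it uses O_CREAT|O_EXCL internally). The buffer
 * must end in "XXXXXX" and is rewritten with the chosen name. */
int open_tmp(char *template_buf) {
    return mkstemp(template_buf);
}

/* Self-check in a private scratch directory. Constructed scenario:
 * "victim.txt" is a file the writer must never touch; "output.ascii" is a
 * symlink to it planted where the tool expects to create its output.
 * Returns 1 if open_safe refuses the link, open_unsafe follows it, and
 * open_safe still works on a fresh path; 0 otherwise. */
int demo(void) {
    char dir[256], target[512], link[512], fresh[512];
    const char *base = getenv("TMPDIR");
    if (base == NULL) base = "/tmp";
    snprintf(dir, sizeof dir, "%s/symlink-demo-XXXXXX", base);
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/output.ascii", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.ascii", dir);

    int ok = 1;
    int v = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);   /* empty victim */
    if (v < 0) return 0;
    close(v);
    if (symlink(target, link) != 0) ok = 0;

    /* Hardened opener must refuse the planted symlink (EEXIST or ELOOP). */
    int fd = open_safe(link);
    if (fd >= 0) { ok = 0; close(fd); }

    /* Weak opener follows the link: the victim file gets written. */
    fd = open_unsafe(link);
    if (fd < 0) {
        ok = 0;
    } else {
        ssize_t n = write(fd, "x", 1);
        (void)n;
        close(fd);
    }
    struct stat st;
    if (stat(target, &st) != 0 || st.st_size != 1) ok = 0;

    /* Hardened opener works normally when nothing is at the path. */
    fd = open_safe(fresh);
    if (fd < 0) ok = 0; else close(fd);

    unlink(fresh); unlink(link); unlink(target); rmdir(dir);
    return ok;
}

int main(void) {
    printf("hardened opener refused planted symlink: %s\n", demo() ? "yes" : "NO");
    return 0;
}
```

Note that O_EXCL is what makes the check atomic; an lstat() before open() would still leave the race window that comment #7 mentions for *.info creation.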