Quoting Secunia advisory: Description: Secunia Research has discovered a vulnerability in ClamAV, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error within the "cli_scanpe()" function in libclamav/pe.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted "Upack" executable. Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in versions 0.92 and 0.92.1. Prior versions may also be affected. Solution: An updated version should be available shortly. The PE scanning module has been remotely switched off after 10/03/2008. Do not scan untrusted PE files. Provided and/or discovered by: Alin Rad Pop, Secunia Research. References: http://secunia.com/advisories/29000/ http://secunia.com/secunia_research/2008-11/advisory/
Upstream 0.93 final is not yet available.
Affects Fedora 7, 8, 9/Rawhide as well as EPEL 4 and 5.
Build Result: 38757 - clamav on fedora-4-epel (38757-clamav-0.93-1.el4) Build Result: 38756 - clamav on fedora-5-epel (38756-clamav-0.93-1.el5)
you know that clamav-0.93 contains API + configuration file changes and shipping this version would violate EPEL guidelines?
Well, just same like 0.8x -> 0.9x, but unfortunately not really avoidable. In the past, clamav already had to ignore this part of the guideline (guideline != policy) some times, because upstream is just doing fscking release management.
Patch for this issue is now committed in upstream SVN: svn diff -c 3788 http://svn.clamav.net/svn/clamav-devel/trunk/libclamav/pe.c However, according to ChangeLog, 0.93 fixed couple more issues. At least one overflow and couple of crasher bugs... Mon Apr 14 21:35:11 CEST 2008 (tk) ---------------------------------- * Check in 0.93 patches: - libclamunrar: bb#541 (RAR - Version required to extract - Evasion) - libclamav/spin.c: bb#876 (PeSpin Heap Overflow Vulnerability) - libclamav/pe.c: bb#878 (Upack Buffer Overflow Vulnerability) - libclamav/message.c: bb#881 (message.c: read beyond allocated region) - libclamav/unarj.c: bb#897 (ARJ: Sample from CERT-FI hangs clamav) - libclamunrar: bb#898 (RAR crashes on some fuzzed files from CERT-FI) http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog Seems all changes were committed in revision 3788 if you want to extract individual patches.
clamav-0.92.1-2.fc7 has been submitted as an update for Fedora 7
clamav-0.92.1-2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
clamav-0.92.1-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
clamav-0.93-1.fc9 has been submitted as an update for Fedora 9
clamav-0.93-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2008-3358 https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3420 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-3900