===========================================================================
             AUSCERT External Security Bulletin Redistribution

                   ESB-2007.0429 -- [Win][UNIX/Linux]
                  ClamAV: Multiple Denials of Service
                              18 June 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Clam AV versions prior to 0.90.3
                      Clam AV versions prior to 0.91rc1
Publisher:            Gentoo
Operating System:     Gentoo
                      UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Read-only Data Access
                      Denial of Service
                      Reduced Security
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-3123 CVE-2007-3122 CVE-2007-3024
                      CVE-2007-3023 CVE-2007-2650

Original Bulletin:    http://www.gentoo.org/security/en/glsa/glsa-200706-05.xml

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Gentoo. It is recommended that administrators
         running ClamAV check for an updated version of the software for
         their operating system.

         Please note that while CVE-2007-3123 and CVE-2007-3125 result in a
         Denial of Service, according to the National Vulnerability Database
         (http://nvd.nist.gov/) the other vulnerabilities listed in this
         advisory have a variety of impacts:

         CVE-2007-3023: Unknown impact, but remotely exploitable.
         CVE-2007-3024: Read-only data access (local).
         CVE-2007-3122: Bypass scanning of RAR files (remote).
--------------------------BEGIN INCLUDED TEXT--------------------

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                  Gentoo Linux Security Advisory      GLSA 200706-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: ClamAV: Multiple Denials of Service
      Date: June 15, 2007
      Bugs: #178082
        ID: 200706-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

ClamAV contains several vulnerabilities leading to a Denial of Service.

Background
==========

ClamAV is a GPL virus scanner.

Affected packages
=================

    -------------------------------------------------------------------
     Package                   /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
  1  app-antivirus/clamav           < 0.90.3                 >= 0.90.3

Description
===========

Several vulnerabilities were discovered in ClamAV by various researchers:

* Victor Stinner (INL) discovered that the OLE2 parser may enter an
  infinite loop (CVE-2007-2650).
* A boundary error was also reported by an anonymous researcher in the
  file unsp.c, which might lead to a buffer overflow (CVE-2007-3023).
* The file unrar.c contains a heap-based buffer overflow via a modified
  vm_codesize value from a RAR file (CVE-2007-3123).
* The RAR parsing engine can be bypassed via a RAR file with a header
  flag value of 10 (CVE-2007-3122).
* The cli_gentempstream() function from clamdscan creates temporary files
  with insecure permissions (CVE-2007-3024).

Impact
======

A remote attacker could send a specially crafted file to the scanner,
possibly triggering one of the vulnerabilities. The two buffer overflows
are reported to only cause Denial of Service. This would lead to a Denial
of Service by CPU consumption or a crash of the scanner.
The insecure temporary file creation vulnerability could be used by a
local user to access sensitive data.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ClamAV users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.90.3"

References
==========

  [ 1 ] CVE-2007-2650
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2650
  [ 2 ] CVE-2007-3023
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3023
  [ 3 ] CVE-2007-3024
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3024
  [ 4 ] CVE-2007-3122
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3122
  [ 5 ] CVE-2007-3123
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3123

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200706-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
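A version check to go with the Resolution section above, added here by the editor and not part of the Gentoo advisory or the AusCERT bulletin: it parses the banner that `clamscan --version` prints (the "ClamAV x.y.z/sigs/date" banner format and the sample banners are assumptions, constructed for this example) and reports whether the installed release is below the fixed version 0.90.3 named in the GLSA, dropping an rc suffix such as 0.91rc1 since 0.91 already sorts above 0.90.3.

```shell
# Fixed release named by GLSA 200706-05; the 0.91 line is fixed from 0.91rc1.
FIXED_VERSION="0.90.3"

# Extract the dotted numeric version from a `clamscan --version` banner,
# e.g. the constructed sample "ClamAV 0.90.2/3389/Fri Jun 15 14:09:51 2007"
# yields "0.90.2". An "rc" suffix (0.91rc1) is dropped; 0.91 > 0.90.3 anyway.
clamav_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*/\1/p'
}

# Compare two dotted versions numerically, component by component;
# a missing component counts as 0 (so 0.90 < 0.90.3).
# Returns 0 if $1 >= $2, 1 otherwise.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        [ -z "$ac" ] && ac=0
        [ -z "$bc" ] && bc=0
        [ "$ac" -gt "$bc" ] && return 0
        [ "$ac" -lt "$bc" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# Returns 0 when the banner's version is below the fixed release (affected),
# 1 when it is at or above it, and 2 when the banner cannot be parsed.
clamav_affected() {
    v="$(clamav_version_from_banner "$1")"
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION" && return 1
    return 0
}

# Typical use on a host: clamav_affected "$(clamscan --version 2>/dev/null)"
```

Run it against the live banner on each host and treat return code 2 (no parseable banner) as "check manually", not as "not affected".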