-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                         ESB-2008.1094 -- [Debian]
             New clamav packages fix potential code execution
                              5 December 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              clamav
Publisher:            Debian
Operating System:     Debian GNU/Linux 4.0
Impact:               Execute Arbitrary Code/Commands
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-5314 CVE-2008-5050

Ref:                  AA-2008.0245
                      AA-2008.0230

Original Bulletin:    http://www.debian.org/security/2008/dsa-1680

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1680-1                  security@debian.org
http://www.debian.org/security/                           Florian Weimer
December 04, 2008                     http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : clamav
Vulnerability  : buffer overflow, stack consumption
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2008-5050 CVE-2008-5314
Debian Bug     : 505134 507624

Moritz Jodeit discovered that ClamAV, an anti-virus solution, suffers
from an off-by-one-error in its VBA project file processing, leading to
a heap-based buffer overflow and potentially arbitrary code execution
(CVE-2008-5050).

Ilja van Sprundel discovered that ClamAV contains a denial of service
condition in its JPEG file processing because it does not limit the
recursion depth when processing JPEG thumbnails (CVE-2008-5314).

For the stable distribution (etch), these problems have been fixed in
version 0.90.1dfsg-4etch16.

For the unstable distribution (sid), these problems have been fixed in
version 0.94.dfsg.2-1.

The testing distribution (lenny) will be fixed soon.

We recommend that you upgrade your clamav packages.

Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- - -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg.orig.tar.gz
    Size/MD5 checksum: 11610428 6dc18602b0aa653924d47316f9411e49
  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16.dsc
    Size/MD5 checksum:      908 ebc60299a69aab41dfdb77e667e2857c
  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16.diff.gz
    Size/MD5 checksum:   216130 5ae1da1b6351a13b5c385919960ca9b7

Architecture independent packages:

  http://security.debian.org/pool/updates/main/c/clamav/clamav-base_0.90.1dfsg-4etch16_all.deb
    Size/MD5 checksum:   201408 63e3898029276baf914fafa347747996
  http://security.debian.org/pool/updates/main/c/clamav/clamav-docs_0.90.1dfsg-4etch16_all.deb
    Size/MD5 checksum:  1003722 5d316f2ea821b441971b0e05e58e481d
  http://security.debian.org/pool/updates/main/c/clamav/clamav-testfiles_0.90.1dfsg-4etch16_all.deb
    Size/MD5 checksum:   158564 189a55ca25bdf9e03a0ae3b9f4a565e9

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_alpha.deb
    Size/MD5 checksum:   373052 b59a6787be52e776d3b6238bac4e7fff
  http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_alpha.deb
    Size/MD5 checksum:   182812 289769066d1883af6c455255725c1c81
  http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_alpha.deb
    Size/MD5 checksum:  9305338 e2d5290afa1484ffc3ee6abfc99a7e5f
  http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_alpha.deb
    Size/MD5 checksum:   465410 ad42ee7f6355353575f05de54d67fa2b
  http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_alpha.deb
    Size/MD5 checksum:   598714 6f862583fe87d09e3c3a3c288c75a787
  http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_alpha.deb
    Size/MD5 checksum:   180954 7122cfc98ec69b5b012d9794dc3f44cd
  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16_alpha.deb
    Size/MD5 checksum:   862390 df3cb4e88d62cbc641d1c48c14d5c551

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16_amd64.deb
    Size/MD5 checksum:   856672 bc8b467814eb5b76b6a165ee7abbbb7d
  http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_amd64.deb
    Size/MD5 checksum:   177968 c2aa51b550584931f3f1b7b1f6df6508
  http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_amd64.deb
    Size/MD5 checksum:  9302094 cd9f623cfb4f23d1777cf21e830d74b2
  http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_amd64.deb
    Size/MD5 checksum:   355706 e0db968192096ac9215ab676b5750c7d
  http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_amd64.deb
    Size/MD5 checksum:   179200 99ba1e041488e76a7d6e457ed51536f0
  http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_amd64.deb
    Size/MD5 checksum:   341684 6207bf783731c636eaa192d696466a88
  http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_amd64.deb
    Size/MD5 checksum:   594608 5e87c000b193a1d25e03580496b91fc2

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_hppa.deb
    Size/MD5 checksum:   178252 a2dadc8689fd265609265d65f9ba5cf7
  http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_hppa.deb
    Size/MD5 checksum:   178500 e26b37f74b35c6128654305c2d8f68eb
  http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_hppa.deb
    Size/MD5 checksum:   373174 c8815805d7a9cf555a1611b7314cbe93
  http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_hppa.deb
    Size/MD5 checksum:   573090 724ad2d96fcd7b80e7a1c8c090fb9b04
  http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_hppa.deb
    Size/MD5 checksum:  9303992 c463499f12992880b420a015b1bd5d9a
  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16_hppa.deb
    Size/MD5 checksum:   857738 1ebd69a77c29a7fc69f02b27b2dad3e6
  http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_hppa.deb
    Size/MD5 checksum:   396534 d889914674f27507e6ca759d78d22995

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_i386.deb
    Size/MD5 checksum:   338494 19d7a1f5ba21bb2ea6ef65477559f94e
  http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_i386.deb
    Size/MD5 checksum:  9299810 7128061759b66acac727697fe89b64f1
  http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_i386.deb
    Size/MD5 checksum:   176040 be3736249dbc666ba1319b1c90846f6c
  http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_i386.deb
    Size/MD5 checksum:   561386 c9d821e32d55ef4a6a2ff6c53dfe5144
  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16_i386.deb
    Size/MD5 checksum:   855774 4d455d6519fb958ca80ccd64cf002733
  http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_i386.deb
    Size/MD5 checksum:   173110 19bb9a435ec67992ec1f64117bbe4ad5
  http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_i386.deb
    Size/MD5 checksum:   340104 febee614772fbd5bf27f05f121651a20

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16_ia64.deb
    Size/MD5 checksum:   879178 e54e7a00d6997145abf9d0fd29125122
  http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_ia64.deb
    Size/MD5 checksum:   611950 4688c0588b2c0289f7d1d1661afab75f
  http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_ia64.deb
    Size/MD5 checksum:  9316052 a7621f1da45dc360701bb220375f75fa
  http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_ia64.deb
    Size/MD5 checksum:   202432 97d25289436bab9657006c5a3111a46b
  http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_ia64.deb
    Size/MD5 checksum:   192686 f749efd1adaa69f02cf333b59c1f8fe0
  http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_ia64.deb
    Size/MD5 checksum:   466144 808f94a059ba40b6fb07d9455d09f6aa
  http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_ia64.deb
    Size/MD5 checksum:   428106 1be6f7d9cdc26e37f306cf1b17d465ac

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_mips.deb
    Size/MD5 checksum:   179864 87927a28c832d9591e72b57949c1dc6e
  http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_mips.deb
    Size/MD5 checksum:   600956 8e9a4325b6fca6a1233fa9fd0ca0555c
  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16_mips.deb
    Size/MD5 checksum:   855252 f6e1334c499c80f63aed3d29e44ae1bf
  http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_mips.deb
    Size/MD5 checksum:   398728 e6cd9d013cc52be551eba54b2720b983
  http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_mips.deb
    Size/MD5 checksum:   175734 a9282395129b667acb155dbcc2a0b93c
  http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_mips.deb
    Size/MD5 checksum:   343690 1c91c1d31700a461afc165781ae2f090
  http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_mips.deb
    Size/MD5 checksum:  9301736 4bc34b6d01389eb060b31952c2b1b27b

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_powerpc.deb
    Size/MD5 checksum:  9303100 e98394d3111c5ff1c612fb3e92a0f8b9
  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16_powerpc.deb
    Size/MD5 checksum:   857964 eda098ba91e370a95e9259b651fb684b
  http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_powerpc.deb
    Size/MD5 checksum:   177148 8b6840ca3ddf149b2dfa0c20112b63fd
  http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_powerpc.deb
    Size/MD5 checksum:   182514 e26515d0a92e205bca5d7e4438c51589
  http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_powerpc.deb
    Size/MD5 checksum:   350804 ab54eeb5d022ae08535dd90c9b5df157
  http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_powerpc.deb
    Size/MD5 checksum:   372856 999347aba8ba2a6481c33d0656aeaad3
  http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_powerpc.deb
    Size/MD5 checksum:   592144 305ef279c3840eb9fb3df233ed258333

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_s390.deb
    Size/MD5 checksum:   177908 d4a05f341abba5d5de91e328d841518d
  http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_s390.deb
    Size/MD5 checksum:   177060 4762fb05719e9ce0cb1ed3cad9c57960
  http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_s390.deb
    Size/MD5 checksum:  9301758 1bd5836e2d661378dfa9f4cf9f41091a
  http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_s390.deb
    Size/MD5 checksum:   370338 fa23bc8ee8d3f0d85b8b03d933398edb
  http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_s390.deb
    Size/MD5 checksum:   582564 a6ee552708c64b6d9dd0b891cc5fb797
  http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_s390.deb
    Size/MD5 checksum:   361764 06046ba7e4a989592a2ccca18a6f04a1
  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16_s390.deb
    Size/MD5 checksum:   855966 fab4913131e36fb3ee0619e516d60a41

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_sparc.deb
    Size/MD5 checksum:   349588 6dfb12eb76d35c2d91ae4e6ff1d516e1
  http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_sparc.deb
    Size/MD5 checksum:  9298888 ec04c3d9ce44da80eeca6795d695d061
  http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_sparc.deb
    Size/MD5 checksum:   357982 cfade6599939f4f83038e5334eaa3a2d
  http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_sparc.deb
    Size/MD5 checksum:   542512 ffedc011073a2e0b2028bc700361e949
  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16_sparc.deb
    Size/MD5 checksum:   852672 197bb1d08bea1ed5826bba231c54e99f
  http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_sparc.deb
    Size/MD5 checksum:   174792 c7136015088cbdc0f3d74769b4c46efb
  http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_sparc.deb
    Size/MD5 checksum:   172304 fc4153b27a708f0906ee7c041b67f81b


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJJN5PaAAoJEL97/wQC1SS+UDIH/1Afas/ow3ybjzlwatl2Jx2P
p5yeVwblQCcIDjSj05m9pbPi2KTFpz+ng+/jVRVE1TEcUZngC7aKh4pzV5WJMdSp
gonrUF5APIMJpojRDTY07WNV41dxdCRlhpgNRaM62moHWpP8BtbQf9Wodl4vafZp
S3OoToXaXs2VBGR6V0aJPvRU8StJI0FyUiboHYb9TLKP2k94RufydmZ3NaZaPluC
sDkQ3gfbFDWiRqvcBBqWVBfvbkYHMy5U5/rpWd8uWHfiP9VlXJXd7Wk3cXkgOTgX
aPPb/3qnb96GIN26ZQI+Y1seFfmaHk3roTcSPDk6Mb5bZjEtF7/4TXsBumWv2RQ=
=3Dhc
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSTiQbyh9+71yA2DNAQL1+gQAidII26Ed0N9QihkkRuaCL8IpPJ4VwFCU
IFUsRKzvxiKQEQGtHMcxWdCLF96QN4fsvpCTbB5NKBHgzBWLvIt1rAYd5yMxVq1Z
u4zWM65cv0Usyl72hesfm7dYTi4ARqNgM1oODWfnpSkJLOaOIYD5Z45qRR5pQivs
vIvIlhieles=
=yiSX
-----END PGP SIGNATURE-----