From: Eygene Ryabinkin
To: freebsd-security@freebsd.org
Date: Tue, 17 Apr 2007 10:55:33 +0400
Message-ID: <20070417065533.GL26348@codelabs.ru>
Subject: VuXML entry for CVE-2007-1870: ClamAV CAB File Unstore Buffer Overflow

Good day.

Spotted the CVE-2007-1870: the clamav 0.90.2 is already in the ports, but no sign of the issue in the VuXML. The entry is attached.

One thing that is a bit strange is that the ChangeLog for the ClamAV (http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog) mentions CVE-2007-1997 in the libclamav/cab.c log entry, but I think they messed up the numbers -- there is no such CVE, at least I failed to find it via cve.mitre.org:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1997

But the CVE-2007-1870 is a candidate and has no relevant information, so I am not 100% sure about the correct number.
-- 
Eygene

Attachment: vuln.xml

clamav -- CAB File Unstore Buffer Overflow Vulnerability

clamav 0.90rc3 0.90.2

iDefense Security Advisory 04.16.07:

Remote exploitation of a buffer overflow vulnerability in Clam AntiVirus' ClamAV allows attackers to execute arbitrary code with the privileges of the affected process.

Successful exploitation of this vulnerability results in code execution with the privileges of the process using libclamav.

In the case of the clamd program, this will result in executing code with the privileges of the clamav user. Unsuccessful exploitation results in the clamd process crashing.

CVE-2007-1870
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=513
http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog
2007-04-14

From: Oliver Fromme
To: freebsd-security@FreeBSD.ORG, simon@FreeBSD.ORG, thomas@bsdunix.ch
Date: Thu, 19 Apr 2007 16:04:44 +0200 (CEST)
Message-Id: <200704191404.l3JE4i6U064266@lurza.secnetix.de>
In-Reply-To: <20070331054103.GA982@zaphod.nitro.dk>
Subject: Re: Integer underflow in the "file" program before 4.20

Simon L. Nielsen wrote:
> Thomas Vogt wrote:
>
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536
> > "Integer underflow in the file_printf function in the "file" program
> > before 4.20 allows user-assisted attackers to execute arbitrary code via
> > a file that triggers a heap-based buffer overflow."
> >
> > Is FreeBSD 5.x/6.x affected too? It looks like the System has file 4.12. The
> > port has 4.20.
>
> Hey,
>
> While I haven't confirmed FreeBSD is vulnerable, I assume that is the
> case. In any case, we (The FreeBSD Security Team) are working on this
> issue.

Any news on this? It's been more than a month ...

Best regards
Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registergericht Muenchen, HRA 74606, management:
secnetix Verwaltungsgesellsch. mbH, commercial register: Registergericht
München, HRB 125758, managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more: http://www.secnetix.de/bsd

"With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea. It is hard to be sure where they are going to land, and it could be dangerous sitting under them as they fly overhead." -- RFC 1925