From: Eygene Ryabinkin
To: freebsd-security@freebsd.org
Date: Tue, 17 Apr 2007 10:55:33 +0400
Message-ID: <20070417065533.GL26348@codelabs.ru>
Subject: VuXML entry for CVE-2007-1870: ClamAV CAB File Unstore Buffer Overflow

Good day.

Spotted CVE-2007-1870: clamav 0.90.2 is already in the ports, but there is no sign of the issue in the VuXML. The entry is attached.

One thing that is a bit strange is that the ChangeLog for ClamAV (http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog) mentions CVE-2007-1997 in the libclamav/cab.c log entry, but I think they have messed up the numbers -- there is no such CVE, at least I failed to find it via cve.mitre.org:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1997

But CVE-2007-1870 is a candidate and has no relevant information, so I am not 100% sure about the correct number.

-- 
Eygene

Attachment: vuln.xml

Topic: clamav -- CAB File Unstore Buffer Overflow Vulnerability
Affected package: clamav
Version range bounds: 0.90rc3, 0.90.2

iDefense Security Advisory 04.16.07:

Remote exploitation of a buffer overflow vulnerability in Clam AntiVirus' ClamAV allows attackers to execute arbitrary code with the privileges of the affected process.

Successful exploitation of this vulnerability results in code execution with the privileges of the process using libclamav.

In the case of the clamd program, this will result in executing code with the privileges of the clamav user. Unsuccessful exploitation results in the clamd process crashing.

References:
CVE-2007-1870
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=513
http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog

2007-04-14