Mail Archives: cygwin/2007/06/16/13:59:57
The cygwin clamav packages (Clam AntiVirus - GPL anti-virus toolkit) has
been updated to 0.90.3-1.
Several vulnerabilities were discovered in ClamAV by various
researchers:
* Victor Stinner (INL) discovered that the OLE2 parser may enter in
an infinite loop (CVE-2007-2650).
* A boundary error was also reported by an anonymous researcher in
the file unsp.c, which might lead to a buffer overflow
(CVE-2007-3023).
* The file unrar.c contains a heap-based buffer overflow via a
modified vm_codesize value from a RAR file (CVE-2007-3123).
* The RAR parsing engine can be bypassed via a RAR file with a header
flag value of 10 (CVE-2007-3122).
* The cli_gentempstream() function from clamdscan creates temporary
files with insecure permissions (CVE-2007-3024).
Impact
======
A remote attacker could send a specially crafted file to the scanner,
possibly triggering one of the vulnerabilities. The two buffer
overflows are reported to only cause Denial of Service. This would lead
to a Denial of Service by CPU consumption or a crash of the scanner.
The insecure temporary file creation vulnerability could be used by a
local user to access sensitive data.
Resolution
==========
All ClamAV users should upgrade to the latest version 0.90.3-1
References
==========
[ 1 ] CVE-2007-2650
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2650
[ 2 ] CVE-2007-3023
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3023
[ 3 ] CVE-2007-3024
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3024
[ 4 ] CVE-2007-3122
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3122
[ 5 ] CVE-2007-3123
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3123
About
==========
Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of
this software is the integration with mail servers (attachment
scanning). The package provides a flexible and scalable multi-threaded
daemon, a commandline scanner, and a tool for automatic updating via
Internet. The programs are based on a shared library distributed with
the Clam AntiVirus package, which you can use in your own software.
See http://freshmeat.net/projects/clamav/
The clamav package comes in three parts:
clamav: the executables and binaries
libclamav2: the shared library since 0.90.1
libclamav-devel: development resources (headers, static- and import
libraries)
Cygwin Package Changes:
fixed mbox.c
fixed BUILD_CLAMD in cygwin configure logic (again)
re-applied broken DIRENT_MISSING_D_INO patch
========================================================================
To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page. This downloads setup.exe to your
system. Then, run setup and answer all of the questions.
*** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***
If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there. It will be in the format:
cygwin-announce-unsubscribe-you=yourdomain DOT com AT cygwin DOT com
If you need more information on unsubscribing, start reading here:
http://sources.redhat.com/lists.html#unsubscribe-simple
Please read *all* of the information on unsubscribing that is available
starting at this URL.
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
- Raw text -