X-Spam-Check-By: sourceware.org
Message-Id: <announce.467423DB.80605@x-ray.at>
Date: Sat, 16 Jun 2007 19:54:35 +0200
From: Reini Urban <rurban AT x-ray DOT at>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-AT; rv:1.8.1.4) Gecko/20070509 SeaMonkey/1.1.2
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: [ANNOUNCEMENT] Updated: clamav-0.90.3-1
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Reply-To: cygwin AT cygwin DOT com
X-Mailer: Perl5 Mail::Internet v1.74
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

The cygwin clamav packages (Clam AntiVirus - GPL anti-virus toolkit) has
been updated to 0.90.3-1.

Several vulnerabilities were discovered in ClamAV by various
researchers:

* Victor Stinner (INL) discovered that the OLE2 parser may enter in
   an infinite loop (CVE-2007-2650).

* A boundary error was also reported by an anonymous researcher in
   the file unsp.c, which might lead to a buffer overflow
   (CVE-2007-3023).

* The file unrar.c contains a heap-based buffer overflow via a
   modified vm_codesize value from a RAR file (CVE-2007-3123).

* The RAR parsing engine can be bypassed via a RAR file with a header
   flag value of 10 (CVE-2007-3122).

* The cli_gentempstream() function from clamdscan creates temporary
   files with insecure permissions (CVE-2007-3024).

Impact
======

A remote attacker could send a specially crafted file to the scanner,
possibly triggering one of the vulnerabilities. The two buffer
overflows are reported to only cause Denial of Service. This would lead
to a Denial of Service by CPU consumption or a crash of the scanner.
The insecure temporary file creation vulnerability could be used by a
local user to access sensitive data.

Resolution
==========

All ClamAV users should upgrade to the latest version 0.90.3-1

References
==========

   [ 1 ] CVE-2007-2650
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2650
   [ 2 ] CVE-2007-3023
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3023
   [ 3 ] CVE-2007-3024
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3024
   [ 4 ] CVE-2007-3122
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3122
   [ 5 ] CVE-2007-3123
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3123

About
==========
Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of
this software is the integration with mail servers (attachment
scanning). The package provides a flexible and scalable multi-threaded
daemon, a commandline scanner, and a tool for automatic updating via
Internet. The programs are based on a shared library distributed with
the Clam AntiVirus package, which you can use in your own software.

See http://freshmeat.net/projects/clamav/

The clamav package comes in three parts:

clamav:      the executables and binaries
libclamav2:  the shared library since 0.90.1
libclamav-devel: development resources (headers, static- and import
            libraries)

Cygwin Package Changes:
fixed mbox.c
fixed BUILD_CLAMD in cygwin configure logic (again)
re-applied broken DIRENT_MISSING_D_INO patch

========================================================================

To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system.  Then, run setup and answer all of the questions.

                *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***

If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:

cygwin-announce-unsubscribe-you=yourdomain DOT com AT cygwin DOT com

If you need more information on unsubscribing, start reading here:

http://sources.redhat.com/lists.html#unsubscribe-simple

Please read *all* of the information on unsubscribing that is available
starting at this URL.


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/