Re: [SECURITY] [DSA 1024-1] New clamav packages fix several vulnerabilities

["Ulf Harnhammar" <metaur () operamail com>]

> Debian Security Advisory DSA 1024-1 security () debian org
> Package : clamav

> CVE-2006-1615 
>     Format string vulnerabilities in the logging code have been discovered, 
>     which might lead to the execution of arbitrary code.

Is this about the strange looking syslog calls in shared/output.c? I have found them
too (boast boast), and I believe that they are no vulnerabilities at all, as the
offending data will always pass through this construct:

while((pt = strchr(vbuff, '%')))
    *pt = '_';

(For the non-programmers out there, it changes all instances of "%" in vbuff to "_".)

// Ulf Harnhammar



-- 
_______________________________________________
Surf the Web in a faster, safer and easier way:
Download Opera 8 at http://www.opera.com

Powered by Outblaze

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/