Re: CVE id request: Clamav

[Török Edwin <edwin () clamav net>]

Eren Türkay wrote:
> On 17 Jun 2008 Tue 10:38:13 Eren Türkay wrote:
> >   * libclamav/mbox.c, shared/network.c: prevent uninitialized use of
> > hostent structure (bb #1003).
> >
> > The bug entry says that after zip file's arriving at clamd, it suddenly
> > dies and nothing can be retrieved thereafter. Clamav developer also
> > comfirms that this happens when MailFollowURLs is enabled.
>
> Hello,
>
> I talked to Edwin on #clamav channel. He says this is a rare-case and he 
> thinks that it's a vulnerability rather than a security flaw.

I said that its a bug rather than a security flaw. However you can
assign it a CVE id if you want to.
We didn't treat it as security, because it occurs in a non-default
config (MailFollowURLs), it is not externally controllable, and it
occurs rarely (so far we got 2 reports of this bug).

> Edwin, could you please inform us about important vulnerabilities/security 
> flaws fixed in 0.93.1?

I recommend to use 0.93.1, however if you want to backport parts of
it, these are the most important (from the ChangeLog).
The daily.cfg and dconf changes are important for turning off
vulnerable modules, the rest is self explanatory.

Wed Jun  4 14:18:27 CEST 2008 (tk)
----------------------------------
  * libclamav/petite.c: fix possible invalid memory access (bb#1000)
                        Reported by Damian Put

Sat May  3 14:46:41 CEST 2008 (tk)
----------------------------------
* libclamav/readdb.h: read daily.cfg stored inside .cld containers
(bb#1006)

Thu Apr 24 17:44:38 MSD 2008 (tk)
---------------------------------
  * libclamav: scan for embedded PEs inside OLE2 files (bb#914)

Fri Apr 18 13:55:41 EEST 2008 (edwin)
-------------------------------------
  * libclamav/dconf.h: fix flag code assignment (bb #952)

Best regards,
--Edwin