oss-sec mailing list archives

CVE id request - clamav


From: Tomas Hoger <thoger () redhat com>
Date: Tue, 15 Apr 2008 10:37:04 +0200

Hi!

Clamav 0.93 was released yesterday.  According to the ChangeLog, a couple
of security-related issues were fixed (some references in between):

http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog

Mon Apr 14 21:35:11 CEST 2008 (tk)
----------------------------------
  * Check in 0.93 patches:
    - libclamunrar: bb#541 (RAR - Version required to extract - Evasion)
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=541

    - libclamav/spin.c: bb#876 (PeSpin Heap Overflow Vulnerability)
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=876
(This may already have CVE id, as it seems to be some (not yet
published?) iDefense advisory - IDEF2957)

    - libclamav/pe.c: bb#878 (Upack Buffer Overflow Vulnerability)
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=878
http://secunia.com/advisories/29000/
CVE-2008-1100

    - libclamav/message.c: bb#881 (message.c: read beyond allocated
region)
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=881

    - libclamav/unarj.c: bb#897 (ARJ: Sample from CERT-FI hangs clamav)
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=897
bug mentions CVE-2008-1387

    - libclamunrar: bb#898 (RAR crashes on some fuzzed files from
CERT-FI)
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=898


And even some fixes not mentioned in the changelog:

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=877
IDEF3001

-- 
Tomas Hoger / Red Hat Security Response Team

