oss-sec mailing list archives
Re: CVE request: ClamAV vulnerabilities
From: Sergey Popov <pinkbyte () gentoo org>
Date: Mon, 09 Dec 2013 12:50:07 +0400
29.11.2013 21:58, Kurt Seifried wrote:
> On 11/29/2013 02:20 AM, Sergey Popov wrote:
>> It's a bit late, but I would like to request a CVE for two vulnerabilities that are present in ClamAV before 0.97.7[1]:
>>
>> 1) A double-free error exists within the "unrar_extract_next_prepare()" function (libclamunrar_iface/unrar_iface.c) when parsing a RAR file.
>>
>> 2) An unspecified error within the "wwunpack()" function (libclamav/wwunpack.c) when unpacking a WWPack file can be exploited to corrupt heap memory.
>>
>> [1] - https://secunia.com/advisories/52647/
>
> The blog entry http://blog.clamav.net/2013/03/clamav-0977-has-been-released.html contains no mention of security flaws. Also the ChangeLog: https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog doesn't contain any mention of the above flaws. Can you provide links to source code/bug reports or something so I can verify this? Thanks.

What about:

"ClamAV 0.97.7 addresses several reported potential security bugs. Thanks to Felix Groebert, Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for finding and reporting these issues."[1]

I know that there are no details provided here, but the Secunia advisory also points to 'unspecified vulnerabilities'.

[1] - quote from http://blog.clamav.net/2013/03/clamav-0977-has-been-released.html

--
Best regards, Sergey Popov
Gentoo developer
Gentoo Desktop Effects project lead
Gentoo Qt project lead
Gentoo Proxy maintainers project lead