Clam AntiVirus CAB, FSG, and OLE Bugs Let Remote Users Deny Service or Execute Arbitrary Code

SecurityTracker Alert ID: 1015154
SecurityTracker URL: http://securitytracker.com/id?1015154
CVE Reference: CVE-2005-3239, CVE-2005-3303
Date: Nov 4 2005
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 0.80 - prior to 0.87.1

Description: Several vulnerabilities were reported in Clam AntiVirus. A remote user can cause arbitrary code to be executed on the target system. A remote user can also cause denial of service conditions.

The tnef_attachment() function in 'tnef.c' does not properly validate user-supplied input. A remote user can create a specially crafted CAB file that, when processed, will cause the system to enter an infinite loop.

The cabd_find() function in 'mspack/cabd.c' in the libmspack library also lets a remote user cause the system to enter an infinite loop.

The vendor was notified of these vulnerabilities on October 7, 2005.

The software ('libclamav/fsg.c') does not properly unpack executable files compressed with FSG v1.33 [CVE-2005-3303]. A remote user can create a compressed file that, when processed by the target user, will trigger a heap overflow and execute arbitrary code.

The vendor was notified on October 24, 2005.

The OLE2 unpacker in clamd does not properly process DOC files with an invalid property tree [CVE-2005-3239]. A specially crafted file can trigger an infinite recursion in the ole2_walk_property_tree function, causing denial of service conditions. The flaw resides in 'libclamav/ole2_extract.c'. Systems with default settings are not affected.

The vendor credits iDEFENSE and Zero Day Initiative with reporting some of these vulnerabilities.

Impact: A remote user can cause the system to execute arbitrary code. A remote user can cause the system to enter an infinite loop.

Solution: The vendor has issued a fixed version (0.87.1), available at:
http://sourceforge.net/project/showfiles.php?group_id=86638

Vendor URL: www.clamav.net/
Cause: Boundary error, Input validation error, State error
Underlying OS: Linux (Any), UNIX (Any)

Message History: None.

Source Message Contents

Date: Fri, 4 Nov 2005 08:40:04 -0500
Subject: Clam AntiVirus vulnerabilities

http://sourceforge.net/project/shownotes.php?release_id=368319
V 0.87.1
* Bugfixes:
- libclamav/petite.c: fix boundary checks (acab)
- libclamav/mbox.c: scan attachments that have no filename (njh)
- libclamav/fsg.c: fix buffer size calculation in unfsg_133
Reported by Zero Day Initiative (ZDI-CAN-004)
- libclamav/tnef.c: fix possible infinite loop
Reported by iDEFENSE (IDEF1169).
- libclamav/mspack/cabd.c: fix possible infinite loop in cabd_find (tk)
Reported by iDEFENSE (IDEF1180).
- clamd/others.c: fix compilation error on Cobalt Qube 1 (tk)
- clamd: properly handle ReadTimeout in SESSION (tk)
Bug reported by Kamil Kaczkowski <kamil*kamil.eisp.pl>
- libclamav/others.c,h: Add generic bitset implementation (trog)
- libclamav/ole2_extract.c: Make sure the property tree doesn't loop (trog)
Fixes CAN-2005-3239. Installations with default settings were not affected
by this bug.
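
The release notes pair a new bitset with the OLE2 change that makes sure the property tree does not loop. One way to apply that idea is to mark each directory entry as visited during the walk and reject any revisit. The following C code is an added example, not ClamAV's own code; the struct layout, function names, MAX_DEPTH value and sample trees are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NO_ENTRY  0xFFFFFFFFu /* OLE2 marker for "no link" */
#define MAX_DEPTH 512u        /* assumed cap on recursion depth */

/* Hypothetical, simplified directory entry: only the three tree links. */
struct prop { uint32_t prev, next, child; };

/* Constructed samples: a valid 4-entry tree, and one whose siblings loop. */
static const struct prop good_tree[4] = {
    {NO_ENTRY, NO_ENTRY, 1}, {2, 3, NO_ENTRY},
    {NO_ENTRY, NO_ENTRY, NO_ENTRY}, {NO_ENTRY, NO_ENTRY, NO_ENTRY} };
static const struct prop loop_tree[3] = {
    {NO_ENTRY, NO_ENTRY, 1}, {NO_ENTRY, 2, NO_ENTRY}, {NO_ENTRY, 1, NO_ENTRY} };

/* Visit idx once; fail on a bad index, a revisit, or excessive depth. */
static int walk(const struct prop *tab, uint32_t n, uint32_t idx,
                uint8_t *seen, unsigned depth, uint32_t *count)
{
    if (idx == NO_ENTRY) return 0;
    if (idx >= n || depth > MAX_DEPTH) return -1;
    if (seen[idx >> 3] & (1u << (idx & 7))) return -1; /* already seen: loop */
    seen[idx >> 3] |= (uint8_t)(1u << (idx & 7));
    (*count)++;
    if (walk(tab, n, tab[idx].prev, seen, depth + 1, count)) return -1;
    if (walk(tab, n, tab[idx].child, seen, depth + 1, count)) return -1;
    return walk(tab, n, tab[idx].next, seen, depth + 1, count);
}

/* Returns the number of entries reached from entry 0, or -1 if malformed. */
long walk_property_tree(const struct prop *tab, uint32_t n)
{
    uint32_t count = 0;
    uint8_t *seen;
    int rc;
    if (n == 0 || (seen = calloc(n / 8u + 1u, 1)) == NULL) return -1;
    rc = walk(tab, n, 0, seen, 0, &count);
    free(seen);
    return rc ? -1 : (long)count;
}

int main(void)
{
    printf("good: %ld\n", walk_property_tree(good_tree, 4));
    printf("loop: %ld\n", walk_property_tree(loop_tree, 3));
    return 0;
}
```

Because every entry can be marked only once, the walk visits at most n entries regardless of how the links in the file are arranged.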