Updated: clamav-0.90.3-1

Reini Urban rurban@x-ray.at
Sat Jun 16 17:59:00 GMT 2007


The cygwin clamav packages (Clam AntiVirus - GPL anti-virus toolkit) has
been updated to 0.90.3-1.

Several vulnerabilities were discovered in ClamAV by various
researchers:

* Victor Stinner (INL) discovered that the OLE2 parser may enter in
   an infinite loop (CVE-2007-2650).

* A boundary error was also reported by an anonymous researcher in
   the file unsp.c, which might lead to a buffer overflow
   (CVE-2007-3023).

* The file unrar.c contains a heap-based buffer overflow via a
   modified vm_codesize value from a RAR file (CVE-2007-3123).

* The RAR parsing engine can be bypassed via a RAR file with a header
   flag value of 10 (CVE-2007-3122).

* The cli_gentempstream() function from clamdscan creates temporary
   files with insecure permissions (CVE-2007-3024).

Impact
======

A remote attacker could send a specially crafted file to the scanner,
possibly triggering one of the vulnerabilities. The two buffer
overflows are reported to only cause Denial of Service. This would lead
to a Denial of Service by CPU consumption or a crash of the scanner.
The insecure temporary file creation vulnerability could be used by a
local user to access sensitive data.

Resolution
==========

All ClamAV users should upgrade to the latest version 0.90.3-1

References
==========

   [ 1 ] CVE-2007-2650
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2650
   [ 2 ] CVE-2007-3023
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3023
   [ 3 ] CVE-2007-3024
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3024
   [ 4 ] CVE-2007-3122
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3122
   [ 5 ] CVE-2007-3123
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3123

About
==========
Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of
this software is the integration with mail servers (attachment
scanning). The package provides a flexible and scalable multi-threaded
daemon, a commandline scanner, and a tool for automatic updating via
Internet. The programs are based on a shared library distributed with
the Clam AntiVirus package, which you can use in your own software.

See http://freshmeat.net/projects/clamav/

The clamav package comes in three parts:

clamav:      the executables and binaries
libclamav2:  the shared library since 0.90.1
libclamav-devel: development resources (headers, static- and import
            libraries)

Cygwin Package Changes:
fixed mbox.c
fixed BUILD_CLAMD in cygwin configure logic (again)
re-applied broken DIRENT_MISSING_D_INO patch

========================================================================

To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system.  Then, run setup and answer all of the questions.

                *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***

If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:

cygwin-announce-unsubscribe-you=yourdomain.com@cygwin.com

If you need more information on unsubscribing, start reading here:

http://sources.redhat.com/lists.html#unsubscribe-simple

Please read *all* of the information on unsubscribing that is available
starting at this URL.



More information about the Cygwin-announce mailing list