Updated: clamav-0.91.2-1 SECURITY

Reini Urban rurban@x-ray.at
Fri Sep 21 22:18:00 GMT 2007

The cygwin clamav packages (Clam AntiVirus - GPL anti-virus toolkit)
has been updated to 0.91.2-1.
This is a SECURITY update: Gentoo Linux Security Advisory GLSA 200709-14

Vulnerabilities have been discovered in ClamAV allowing remote
execution of arbitrary code and Denial of Service attacks.


Nikolaos Rangos discovered a vulnerability in ClamAV which exists
because the recipient address extracted from email messages is not
properly sanitized before being used in a call to "popen()" when
executing sendmail (CVE-2007-4560). Also, NULL-pointer dereference
errors exist within the "cli_scanrtf()" function in libclamav/rtf.c and
Stefanos Stamatis discovered a NULL-pointer dereference vulnerability
within the "cli_html_normalise()" function in libclamav/htmlnorm.c


The unsanitized recipient address can be exploited to execute arbitrary
code with the privileges of the clamav-milter process by sending an
email with a specially crafted recipient address to the affected
system. Also, the NULL-pointer dereference errors can be exploited to
crash ClamAV. Successful exploitation of the latter vulnerability
requires that clamav-milter is started with the "black hole" mode
activated, which is not enabled by default.


   [ 1 ] CVE-2007-4510
   [ 2 ] CVE-2007-4560

Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of
this software is the integration with mail servers (attachment
scanning). The package provides a flexible and scalable multi-threaded
daemon, a commandline scanner, and a tool for automatic updating via
Internet. The programs are based on a shared library distributed with
the Clam AntiVirus package, which you can use in your own software.

See http://freshmeat.net/projects/clamav/
ChangeLog: http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog

The clamav package comes in three parts:

clamav:      the executables and binaries
libclamav2:  the shared library since 0.90.1
libclamav-devel: development resources (headers, static- and import

Cygwin Package Changes:
* none


To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system.  Then, run setup and answer all of the questions.


If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:


If you need more information on unsubscribing, start reading here:


Please read *all* of the information on unsubscribing that is available
starting at this URL.

More information about the Cygwin-announce mailing list