Updated: clamav-0.91.2-1 SECURITY
Fri Sep 21 22:18:00 GMT 2007
The cygwin clamav packages (Clam AntiVirus - GPL anti-virus toolkit)
has been updated to 0.91.2-1.
This is a SECURITY update: Gentoo Linux Security Advisory GLSA 200709-14
Vulnerabilities have been discovered in ClamAV allowing remote
execution of arbitrary code and Denial of Service attacks.
Nikolaos Rangos discovered a vulnerability in ClamAV which exists
because the recipient address extracted from email messages is not
properly sanitized before being used in a call to "popen()" when
executing sendmail (CVE-2007-4560). Also, NULL-pointer dereference
errors exist within the "cli_scanrtf()" function in libclamav/rtf.c and
Stefanos Stamatis discovered a NULL-pointer dereference vulnerability
within the "cli_html_normalise()" function in libclamav/htmlnorm.c
The unsanitized recipient address can be exploited to execute arbitrary
code with the privileges of the clamav-milter process by sending an
email with a specially crafted recipient address to the affected
system. Also, the NULL-pointer dereference errors can be exploited to
crash ClamAV. Successful exploitation of the latter vulnerability
requires that clamav-milter is started with the "black hole" mode
activated, which is not enabled by default.
[ 1 ] CVE-2007-4510
[ 2 ] CVE-2007-4560
Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of
this software is the integration with mail servers (attachment
scanning). The package provides a flexible and scalable multi-threaded
daemon, a commandline scanner, and a tool for automatic updating via
Internet. The programs are based on a shared library distributed with
the Clam AntiVirus package, which you can use in your own software.
The clamav package comes in three parts:
clamav: the executables and binaries
libclamav2: the shared library since 0.90.1
libclamav-devel: development resources (headers, static- and import
Cygwin Package Changes:
To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page. This downloads setup.exe to your
system. Then, run setup and answer all of the questions.
*** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***
If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there. It will be in the format:
If you need more information on unsubscribing, start reading here:
Please read *all* of the information on unsubscribing that is available
starting at this URL.
More information about the Cygwin-announce