Updated: clamav-0.91.2-1 SECURITY

Reini Urban rurban@x-ray.at
Fri Sep 21 22:18:00 GMT 2007


The cygwin clamav packages (Clam AntiVirus - GPL anti-virus toolkit)
have been updated to 0.91.2-1.
This is a SECURITY update: Gentoo Linux Security Advisory GLSA 200709-14

Vulnerabilities have been discovered in ClamAV allowing remote
execution of arbitrary code and Denial of Service attacks.

Description
===========

Nikolaos Rangos discovered a vulnerability in ClamAV which exists
because the recipient address extracted from email messages is not
properly sanitized before being used in a call to "popen()" when
executing sendmail (CVE-2007-4560). Also, NULL-pointer dereference
errors exist within the "cli_scanrtf()" function in libclamav/rtf.c and
Stefanos Stamatis discovered a NULL-pointer dereference vulnerability
within the "cli_html_normalise()" function in libclamav/htmlnorm.c
(CVE-2007-4510).

Impact
======

The unsanitized recipient address can be exploited to execute arbitrary
code with the privileges of the clamav-milter process by sending an
email with a specially crafted recipient address to the affected
system. Also, the NULL-pointer dereference errors can be exploited to
crash ClamAV. Successful exploitation of the latter vulnerability
requires that clamav-milter is started with the "black hole" mode
activated, which is not enabled by default.

References
==========

   [ 1 ] CVE-2007-4510
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4510
   [ 2 ] CVE-2007-4560
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4560

About
=====
Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of
this software is the integration with mail servers (attachment
scanning). The package provides a flexible and scalable multi-threaded
daemon, a commandline scanner, and a tool for automatic updating via
Internet. The programs are based on a shared library distributed with
the Clam AntiVirus package, which you can use in your own software.

See http://freshmeat.net/projects/clamav/
ChangeLog: http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog

The clamav package comes in three parts:

clamav:      the executables and binaries
libclamav2:  the shared library since 0.90.1
libclamav-devel: development resources (headers, static- and import
            libraries)

Cygwin Package Changes:
* none

========================================================================

To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system.  Then, run setup and answer all of the questions.
