DSA-1771

Executive Summary

Summary
Title	New clamav packages fix several vulnerabilities

Informations
Name	DSA-1771	First vendor Publication	2009-04-15
Vendor	Debian	Last vendor Modification	2009-04-15
Severity (Vendor)	N/A	Revision	1

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Cvss Base Score	7.8	Attack Range	Network
Cvss Impact Score	6.9	Attack Complexity	Low
Cvss Expoit Score	10	Authentification	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Several vulnerabilities have been discovered in the ClamAV anti-virus toolkit:

CVE-2008-6680

Attackers can cayse a denial of service (crash) via a crafted EXE file that triggers a divide-by-zero error.

CVE-2009-1270

Attackers can cause a denial of service (infinite loop) via a crafted tar file that causes (1) clamd and (2) clamscan to hang.

(no CVE Id yet)

Attackers can cause a denial of service (crash) via a crafted EXE file that crashes the UPack unpacker.

For the old stable distribution (etch), these problems have been fixed in version 0.90.1dfsg-4etch19.

For the stable distribution (lenny), these problems have been fixed in version 0.94.dfsg.2-1lenny2.

For the unstable distribution (sid), these problems have been fixed in version 0.95.1+dfsg-1.

We recommend that you upgrade your clamav packages.

Original Source

Url : http://www.debian.org/security/2009/dsa-1771

CWE : Common Weakness Enumeration

id	Name
CWE-189	Numeric Errors
CWE-94	Failure to Control Generation of Code ('Code Injection')
CWE-20	Improper Input Validation

CPE : Common Platform Enumeration

Type	Description	Count
Application	Cclamav Clamav cpe:/a:cclamav:clamav:0.14	1
Application	Clamav Clamav cpe:/a:clamav:clamav:0.95 cpe:/a:clamav:clamav:0.95:src1 cpe:/a:clamav:clamav:0.95:src2 cpe:/a:clamav:clamav:0.94.2 cpe:/a:clamav:clamav:0.94.1 cpe:/a:clamav:clamav:0.94 cpe:/a:clamav:clamav:0.93.3 cpe:/a:clamav:clamav:0.93.2 cpe:/a:clamav:clamav:0.93.1 cpe:/a:clamav:clamav:0.93 cpe:/a:clamav:clamav:0.92.1 cpe:/a:clamav:clamav:0.92_p0 cpe:/a:clamav:clamav:0.92 cpe:/a:clamav:clamav:0.91.2_p0 cpe:/a:clamav:clamav:0.91.2 cpe:/a:clamav:clamav:0.91.1 cpe:/a:clamav:clamav:0.91_rc2 cpe:/a:clamav:clamav:0.91_rc1 cpe:/a:clamav:clamav:0.91 cpe:/a:clamav:clamav:0.90.3_p1 cpe:/a:clamav:clamav:0.90.3_p0 cpe:/a:clamav:clamav:0.90.3 cpe:/a:clamav:clamav:0.90.2_p0 cpe:/a:clamav:clamav:0.90.2 cpe:/a:clamav:clamav:0.90.1_p0 cpe:/a:clamav:clamav:0.90.1 cpe:/a:clamav:clamav:0.90_rc3 cpe:/a:clamav:clamav:0.90_rc2 cpe:/a:clamav:clamav:0.90_rc1.1 cpe:/a:clamav:clamav:0.90_rc1 cpe:/a:clamav:clamav:0.90 cpe:/a:clamav:clamav:0.9_rc1 cpe:/a:clamav:clamav:0.88.7_p1 cpe:/a:clamav:clamav:0.88.7_p0 cpe:/a:clamav:clamav:0.88.7 cpe:/a:clamav:clamav:0.88.6 cpe:/a:clamav:clamav:0.88.5 cpe:/a:clamav:clamav:0.88.4 cpe:/a:clamav:clamav:0.88.3 cpe:/a:clamav:clamav:0.88.2 cpe:/a:clamav:clamav:0.88.1 cpe:/a:clamav:clamav:0.88 cpe:/a:clamav:clamav:0.87.1 cpe:/a:clamav:clamav:0.87 cpe:/a:clamav:clamav:0.86.2 cpe:/a:clamav:clamav:0.86.1 cpe:/a:clamav:clamav:0.86_rc1 cpe:/a:clamav:clamav:0.86 cpe:/a:clamav:clamav:0.85.1 cpe:/a:clamav:clamav:0.85 cpe:/a:clamav:clamav:0.84_rc2 cpe:/a:clamav:clamav:0.84_rc1 cpe:/a:clamav:clamav:0.84 cpe:/a:clamav:clamav:0.83 cpe:/a:clamav:clamav:0.82 cpe:/a:clamav:clamav:0.81_rc1 cpe:/a:clamav:clamav:0.81 cpe:/a:clamav:clamav:0.80_rc3 cpe:/a:clamav:clamav:0.80_rc2 cpe:/a:clamav:clamav:0.80_rc1 cpe:/a:clamav:clamav:0.80_rc cpe:/a:clamav:clamav:0.80 cpe:/a:clamav:clamav:0.80:rc4 cpe:/a:clamav:clamav:0.8_:rc3 cpe:/a:clamav:clamav:0.75.1 cpe:/a:clamav:clamav:0.75 cpe:/a:clamav:clamav:0.74 cpe:/a:clamav:clamav:0.73 cpe:/a:clamav:clamav:0.72 cpe:/a:clamav:clamav:0.71 cpe:/a:clamav:clamav:0.70 cpe:/a:clamav:clamav:0.70:rc cpe:/a:clamav:clamav:0.68.1 cpe:/a:clamav:clamav:0.68 cpe:/a:clamav:clamav:0.67-1 cpe:/a:clamav:clamav:0.67 cpe:/a:clamav:clamav:0.66 cpe:/a:clamav:clamav:0.65 cpe:/a:clamav:clamav:0.60p cpe:/a:clamav:clamav:0.60 cpe:/a:clamav:clamav:0.54 cpe:/a:clamav:clamav:0.53 cpe:/a:clamav:clamav:0.52 cpe:/a:clamav:clamav:0.51 cpe:/a:clamav:clamav:0.3 cpe:/a:clamav:clamav:0.24 cpe:/a:clamav:clamav:0.23 cpe:/a:clamav:clamav:0.22 cpe:/a:clamav:clamav:0.21 cpe:/a:clamav:clamav:0.20 cpe:/a:clamav:clamav:0.15 cpe:/a:clamav:clamav:0.14:pre cpe:/a:clamav:clamav:0.13 cpe:/a:clamav:clamav:0.12 cpe:/a:clamav:clamav:0.10 cpe:/a:clamav:clamav:0.05 cpe:/a:clamav:clamav:0.03 cpe:/a:clamav:clamav:0.02 cpe:/a:clamav:clamav:0.01	99
Application	Clamavclamav 0.11 cpe:/a:clamavclamav:0.11	1
Application	Clamavclamav 0.80 Rc4 cpe:/a:clamavclamav:0.80_rc4	1
Application	Clamavs Clamav cpe:/a:clamavs:clamav:0.24 cpe:/a:clamavs:clamav:0.06 cpe:/a:clamavs:clamav:0.04	3

Open Source Vulnerability Database (OSVDB)

id	Description
53602	ClamAV Malformed UPack Packed File Handling DoS
53598	ClamAV --detect-broken Option PE File Handling DoS
53461	ClamAV libclamav/untar.c clamd / clamscan Infinite Loop DoS