Victor Stinner has reported a vulnerability in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the OLE2 parser when handling objects with malformed FAT partitions and large property sizes. This can be exploited to cause a DoS due to storage and CPU resource consumption by scanning a specially crafted OLE2 file. Solution: There is no known solution at this time.
setting status, cc'ing herds, and waiting for upstream.
adding CVE ref: CVE-2007-2650, still no solution from upstream.
seems upstream fixed this in version 0.90.3 (see bug #180469). maintainers, please advise and bump as necessary.
*** Bug 180469 has been marked as a duplicate of this bug. ***
I'm not sure exactly what is fixed with this release. For once the Changelog is a bit vague. Maintainers please advise.
All these are fixed in 0.90.3: - libclamav/unsp.c: fix end of buffer calculation (bb#464, patch from aCaB) --> i can't see how this could be exploitable for something more severe than a DoS. See the patch here: https://wwws.clamav.net/bugzilla/attachment.cgi?id=338 - libclamav/others.c: use strict permissions (0600) for temporary files created in cli_gentempstream() (bb#517). Reported by Christoph Probst. --> insecure creation of temporary file - libclamav/ole2_extract.c: detect block list loop (bb#466), patch from Trog --> DoS - libclamav/phishcheck.c: bb #497 --> Hang on Solaris - libclamav/unrar/unrar.c: Bug #521, #368 --> heap corruption, DoS (apparently non exploitable for code injection) Maintainer(s), please bump 0.90.3 if possible, thanks.
0.90.3 has been in the tree shortly after the release. I merely judged (from the ChangeLog, as well as from lack of any other updates on this elsewhere) that the particular OLE2 vulnerability is not addressed.
Thx for the clarification Ticho. Arches please test and mark stable. Target keywords are: clamav-0.90.3.ebuild:KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd"
amd64 done
1. emerges on x86 2. passes test suite 3. passes collision test 4. works Portage 2.1.2.7 (default-linux/x86/2006.1, gcc-4.1.2, glibc-2.5-r3, 2.6.17-gentoo-r8-panic i686) ================================================================= System uname: 2.6.17-gentoo-r8-panic i686 Intel(R) Pentium(R) M processor 2.00GHz Gentoo Base System release 1.12.9 Timestamp of tree: Sat, 02 Jun 2007 14:00:01 +0000 ccache version 2.4 [disabled] dev-java/java-config: 1.3.7, 2.0.32 dev-lang/python: 2.4.4-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.4-r7 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O3 -march=pentium-m -msse2 -mmmx -msse -mfpmath=sse -fomit-frame-pointer -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-O3 -march=pentium-m -msse2 -mmmx -msse -mfpmath=sse -fomit-frame-pointer -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LANG="it_IT.UTF-8" LC_ALL="C" LINGUAS="it" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/portage/local/layman/webapps-experimental /usr/portage/local/layman/sunrise" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X a52 aac acpi adns alsa apache arts asf ati avi bash-completion beagle berkdb bitmap-fonts browserplugin bzip2 cairo caps cdr cli cracklib crd crypt cups curl daap dbus dga djvu dmi dri dts dvd dvdr dvi emacs evo exif fbcon ffmpeg firefox flac foomatic fortran gdbm gif gimpprint glitz gnome gnutls gpm gtk hal i810 iconv imagemagick intel ipod ipv6 isdnlog java jpeg kde libg++ libnotify libsexy lns mad midi mmap mmx mng mono mozilla moznocompose moznoirc moznomail mozsvg mp3 mp4 mpeg mudflap musepack nautilus ncurses network njb nls nptl nptlonly nsplugin numeric ogg ole opengl openmp openntpd oss pam pcre pdf perl php png portaudio posix ppds pppd pwdb python qt qt3 radeon readline real reflection samba sdl session sndfile spl sse sse2 ssl svg t1lib tcpd test theora threads truetype-fonts type1-fonts unicode usb v4l vcd vorbis win32codecs wma wmf wmv wxwindows x264 x86 xine xml2 xorg xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="it" USERLAND="GNU" VIDEO_CARDS="vesa i810 vga" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS For me Stable in x86
Stable for HPPA.
alpha/ia64/x86 stable
stable on ppc.
ppc64 stable
sparc stable.
This one is ready for GLSA decision. I tend to vote NO.
I tend to vote NO too.
ClamAV DoS means MTA DoS, which is evil. I fully vote Yes.
Amavisd-new does indeed pull this in. Changing my vote to full YES.
(In reply to comment #7) > 0.90.3 has been in the tree shortly after the release. I merely judged (from > the ChangeLog, as well as from lack of any other updates on this elsewhere) > that the particular OLE2 vulnerability is not addressed. > AFAICT the OLE2 vulnerability, clamav bug #466 [1], is fixed in 0.9.3 (patch by Thomasz Kojm, Tue May 29 17:42:12 CEST 2007 [2] ) https://wwws.clamav.net/bugzilla/show_bug.cgi?id=466 http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog
GLSA 200706-05
