Description: A vulnerability has been reported in SquidClamav, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by an error when parsing a URL, which may result in unescaped URLs being passed to the system command call. This can be exploited to cause the daemon to crash via specially crafted characters (e.g. %0D or %0A). The vulnerability is reported in versions prior to 5.8 and 6.7.
Solution: Update to version 5.8 or 6.7.
OK to stabilize 6.8?
Ok for me.
Arches, please test and mark stable: =net-proxy/squidclamav-6.8 Target KEYWORDS: "amd64 x86"
x86 stable
amd64 stable
security, please vote.
Thanks, everyone. GLSA Vote: yes.
YES too, request filed.
CVE-2012-3501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3501): The squidclamav_check_preview_handler function in squidclamav.c in SquidClamav 5.x before 5.8 and 6.x before 6.7 passes an unescaped URL to a system command call, which allows remote attackers to cause a denial of service (daemon crash) via a URL with certain characters, as demonstrated using %0D or %0A.
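To make the bug class in the CVE text concrete, here is a constructed C example added to this bug; it is not SquidClamav's source and does not reproduce squidclamav_check_preview_handler. It shows the weak shape (a percent-decoded request URL spliced into a string handed to a shell) next to two hardened steps: a post-decoding check that refuses control characters such as the CR/LF that %0D and %0A decode to, and an invocation that passes the URL as a single argv element with no shell in between. The redirector path, the command shape and the sample URL are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper program; SquidClamav's real command is not shown here. */
#define REDIRECTOR "/usr/local/bin/redirector"

/* Decode %XX escapes from `in` into `out`. Returns the decoded length, or -1
 * on a malformed escape, an embedded NUL (%00), or if the result would not fit.
 * Decoding is where %0D / %0A turn into raw CR / LF bytes. */
int percent_decode(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            if (!isxdigit((unsigned char)in[i + 1]) ||
                !isxdigit((unsigned char)in[i + 2]))
                return -1;
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (unsigned char)strtoul(hex, NULL, 16);
            if (c == 0) return -1;          /* %00 would truncate the C string */
            i += 2;
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Weak shape: the decoded URL is pasted into a command line meant for
 * system(). A decoded %0A is now a literal newline, which /bin/sh reads as a
 * command separator; a decoded %22 would close the quotes. Returns the length
 * of the command string, or -1 if it did not fit. (The caller would then run
 * system(cmd); this example never does.) */
int build_command_unsafe(const char *decoded_url, char *cmd, size_t cmdsz) {
    int n = snprintf(cmd, cmdsz, "%s \"%s\"", REDIRECTOR, decoded_url);
    return (n < 0 || (size_t)n >= cmdsz) ? -1 : n;
}

/* Hardened check, applied AFTER decoding: a URL may only contain printable
 * ASCII (0x21..0x7e). CR, LF, TAB, space, DEL and non-ASCII bytes are refused
 * outright instead of being handed to any command. Returns 1 if clean. */
int url_is_clean(const char *decoded_url) {
    for (const unsigned char *p = (const unsigned char *)decoded_url; *p; p++)
        if (*p < 0x21 || *p > 0x7e) return 0;
    return 1;
}

/* Hardened invocation: no shell. The URL travels as one argv element, so
 * newlines, quotes or metacharacters can never be re-parsed as shell syntax.
 * Returns the child's exit status, or -1 on fork/wait failure or a signal. */
int run_redirector_noshell(const char *decoded_url) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)REDIRECTOR, (char *)decoded_url, NULL };
        execv(REDIRECTOR, argv);
        _exit(127);                          /* exec failed: behave like sh */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *raw = "http://example.test/a%0Ab";   /* constructed request URL */
    char url[256], cmd[512];
    if (percent_decode(raw, url, sizeof url) < 0) return 1;
    build_command_unsafe(url, cmd, sizeof cmd);
    printf("newline reached the shell command line: %s\n",
           strchr(cmd, '\n') ? "yes" : "no");
    printf("url_is_clean after decoding: %d\n", url_is_clean(url));
    return 0;
}
```

The order matters: the check has to run on the decoded bytes, since a check on the raw request line sees only harmless "%0A". Even with the check in place, the fork/execv path is the one that actually removes the shell from the picture; the allowlist is defense in depth for whatever the redirector itself does with its argument.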
This issue was resolved and addressed in GLSA 201209-08 at http://security.gentoo.org/glsa/glsa-201209-08.xml by GLSA coordinator Sean Amoss (ackle).