- -------------------------------------------------------------------------- Debian Security Advisory DSA 1024-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff April 5th, 2006 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : clamav Vulnerability : several Problem-Type : remote Debian-specific: no CVE ID : CVE-2006-1614 CVE-2006-1615 CVE-2006-1630 Several remote vulnerabilities have been discovered in the ClamAV anti-virus toolkit, which may lead to denial of service and potentially to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2006-1614 Damian Put discovered an integer overflow in the PE header parser. This is only exploitable if the ArchiveMaxFileSize option is disabled. CVE-2006-1615 Format string vulnerabilities in the logging code have been discovered, which might lead to the execution of arbitrary code. CVE-2006-1630 David Luyer discovered, that ClamAV can be tricked into an invalid memory access in the cli_bitset_set() function, which may lead to a denial of service. The old stable distribution (woody) doesn't contain clamav packages. For the stable distribution (sarge) these problems have been fixed in version 0.84-2.sarge.8. For the unstable distribution (sid) these problems have been fixed in version 0.88.1-1. We recommend that you upgrade your clamav package.
net-mail/antivirus please advise and provide an updated ebuild as necessary.
*** Bug 129013 has been marked as a duplicate of this bug. ***
Coping clamav-0.88.ebuild to clamav-0.88.1.ebuild worked fine here. I'm using it in procmail with clamassassin. Example: X-Virus-Status: Yes X-Virus-Report: Worm.Sober.U-3 FOUND X-Virus-Checker-Version: clamassassin 1.2.3 with clamdscan / ClamAV 0.88.1/1377/Thu Apr 6 08:17:48 2006
I can do that at around midnight CEST today - the first thing I'll do after getting back from work. Can't do it any sooner, sorry. I won't mind if someone else beats me to it - the bump should be trivial.
I did the bump, it was pretty trivial, tested on our main mail server here and is working fine. Adding arches for the stabilization.
ppc stable
Seems like default configuration is at least vulnerable to the format string issue so this is a B1 instead of a C1. So arches please be quick:-)
stable on ppc64
Alpha done.
CVE-2006-1630 does not seem to exist or is under any review. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1630
sparc stable.
*** Bug 129081 has been marked as a duplicate of this bug. ***
amd64 stable
I've done some basic testing with clamav-0.88.1 ( +crypt -mailwrapper -milter (-selinux)) on x86. Basic due the fact, that just tested clamscan and freshclam. However, these two seem to work fine ... Portage 2.0.54 (default-linux/x86/2006.0, gcc-3.4.5, glibc-2.3.5-r3, 2.6.15-gentoo-r5 i686) ================================================================= System uname: 2.6.15-gentoo-r5 i686 AMD Athlon(tm) XP 2400+ Gentoo Base System version 1.6.14 dev-lang/python: 2.3.5-r2, 2.4.2 sys-apps/sandbox: 1.2.12 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1 sys-devel/binutils: 2.16.1 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=athlon-xp -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control" CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-O2 -march=athlon-xp -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig colission-protect distlocks sandbox sfperms strict" GENTOO_MIRRORS="http://gentoo.inode.at/ " LANG="en_US.utf8" LC_ALL="en_US.utf8" LINGUAS="en de" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://192.168.0.1/gentoo-portage" USE="x86 3dnow 3dnowext X a52 aalib alsa apm audiofile avi berkdb bitmap-fonts bonobo bzip2 bzlib cairo cdr cli crypt css ctype cups curl dba dbus divx4linux dri dts dv dvd dvdr dvdread emboss encode evo exif expat fam fame fastbuild ffmpeg firefox flac foomaticdb force-cgi-redirect fortran ftp gd gdbm gif glut gmp gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml guile hal idn imagemagick imlib ipv6 isdnlog java jpeg junit lcms libg++ libwww mad memlimit mhash mikmod mmx mmxext mng motif mp3 mpeg nautilus ncurses nls nptl nsplugin nvidia ogg oggvorbis openal opengl pam pcre pdflib perl plotutils png posix pppd python quicktime readline real ruby sdl session simplexml slang soap sockets speex spell spl sqlite sse ssl subtitles svga tcltk tcpd tetex theora tiff tokenizer truetype truetype-fonts type1-fonts udev unicode usb vcd video_cards_nvidia vorbis win32codecs wma xine xml xml2 xmms xsl xv xvid zlib linguas_en linguas_de userland_GNU kernel_linux elibc_glibc" Unset: ASFLAGS, CTARGET, INSTALL_MASK, LDFLAGS
stable on hppa
x86 done
Thx everyone! GLSA ID: 200604-06
