CVE-2007-6595 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6595): ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files in the cli_gentempfd function in libclamav/others.c or on (2) .ascii files in sigtool, when utf16-decode is enabled.

CVE-2007-6596 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6596): ClamAV 0.92 does not recognize Base64 UUEncoded archives, which allows remote attackers to bypass the scanner via a Base64-UUEncoded file.
I am not sure whether CVE-2007-6596 should be considered a security issue or rather a scanner weakness.
Rerating B4 for CVE-2007-6595 since (1) is really hard to exploit (as the file name is mostly random 128) and (2) is not a userspace tool. Do we even install it? Removing the reference to CVE-2007-6596.

Reference:
http://thread.gmane.org/gmane.comp.security.virus.clamav.user/28138
http://thread.gmane.org/gmane.comp.security.virus.clamav.user/28166
Yes, clamav installs sigtool by default. As for cli_gentempfd(), I suggest we wait for upstream. Although a fix (adding O_EXCL) has been suggested, it hasn't been approved by upstream yet.
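The O_EXCL fix discussed above, as an added illustration (not code from ClamAV or from this thread) of why it closes the temp-file symlink race: the weak open follows a pre-existing symlink to whatever it points at, while O_CREAT|O_EXCL refuses any existing entry with EEXIST. The scratch directory under /tmp and the file names are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened form: O_EXCL makes open() fail with EEXIST if *anything* already
 * exists at the name, symlinks included, so the kernel never follows a
 * planted link to some other file. Returns an fd, or -1 with errno set. */
int open_temp_exclusive(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Weak form (the pre-fix pattern): O_CREAT alone follows an existing
 * symlink and opens whatever it points at. */
int open_temp_weak(const char *path) {
    return open(path, O_RDWR | O_CREAT, 0600);
}

/* Self-check in a private scratch directory (assumes /tmp is writable):
 * create a "victim" file, point a symlink named like a temp file at it
 * (standing in for an entry left there by another local user), and open
 * via both routines. Returns 1 when the weak open lands on the victim
 * (same inode) and the exclusive open is refused with EEXIST; 0 when
 * either check fails; -1 on setup failure. */
int check_excl_protects(void) {
    char dir[] = "/tmp/exclXXXXXX", victim[256], tmpname[256];
    struct stat sv, so;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmpname, sizeof tmpname, "%s/clamav-tmp", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (vfd < 0 || symlink(victim, tmpname) != 0) return -1;
    close(vfd);
    int weak = open_temp_weak(tmpname);          /* follows the link */
    int weak_followed = weak >= 0 && fstat(weak, &so) == 0 &&
                        stat(victim, &sv) == 0 && so.st_ino == sv.st_ino;
    if (weak >= 0) close(weak);
    int excl = open_temp_exclusive(tmpname);     /* must be refused */
    int excl_refused = excl < 0 && errno == EEXIST;
    if (excl >= 0) close(excl);
    unlink(tmpname); unlink(victim); rmdir(dir);
    return weak_followed && excl_refused;
}
```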
0.92.1 has been released but its (source) ChangeLog does not reference these CVEs. It does mention CVE-2008-0318 though.
Fixed in this commit: http://svn.clamav.net/websvn/diff.php?repname=clamav-devel&path=%2Ftrunk%2Flibclamav%2Fothers.c&rev=3490&sc=0

Can someone with a fast connection verify that our stable 0.92.1 contains this fix?

In case of GLSA decision, I vote NO.
Oh, and the patch is for (1) only, (2) is still unfixed upstream.
(In reply to comment #5)
> Fixed in this commit:
> http://svn.clamav.net/websvn/diff.php?repname=clamav-devel&path=%2Ftrunk%2Flibclamav%2Fothers.c&rev=3490&sc=0
>
> Can someone with a fast connection verify that our stable 0.92.1 contains this
> fix?

It does in clamav-0.92.1.

glsa? -> I vote Yes because, contrary to most other symlink attacks, the local attacker can trigger it without the assistance of any user. He simply has to send an email on the box.

> In case of GLSA decision, I vote NO.
Outdated, see bug #213762.
(In reply to comment #8)
> outdated, see bug #213762

Did you verify that CVE-2007-6595 (2) is fixed in 0.93?
Seems so, see https://wwws.clamav.net/bugzilla/show_bug.cgi?id=752
(In reply to comment #10)
> seems so,
>
> see
> https://wwws.clamav.net/bugzilla/show_bug.cgi?id=752

The last commit I could find to sigtool was in December. The upstream bug is closed, but that does not mean the issue has been taken care of.
(In reply to comment #11)
> The last commit I could find to sigtool was in December. The upstream bug is
> closed, but that does not mean the issue has been taken care of.

Ok, the "last" commit I saw was wrong. Still, the issue remains.
Let's add the fixed part of this bug in a GLSA.
GLSA 200808-07 combining bug 204340 and bug 227351, thanks everyone.