Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 128963

Summary: app-antivirus/clamav: several vulnerabilities (CVE-2006-16{1{4|5}|30})
Product: Gentoo Security Reporter: Jasper Bryant-Greene <jasper>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: antivirus, casta, hybiepoo, net-mail+disabled, sgtphou, technoworx
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Jasper Bryant-Greene 2006-04-05 14:07:24 UTC 
- --------------------------------------------------------------------------
Debian Security Advisory DSA 1024-1                    security@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
April 5th, 2006                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : clamav 
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-1614 CVE-2006-1615 CVE-2006-1630

Several remote vulnerabilities have been discovered in the ClamAV
anti-virus toolkit, which may lead to denial of service and potentially
to the execution of arbitrary code. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2006-1614

    Damian Put discovered an integer overflow in the PE header parser.
    This is only exploitable if the ArchiveMaxFileSize option is disabled.

CVE-2006-1615

    Format string vulnerabilities in the logging code have been discovered,
    which might lead to the execution of arbitrary code.

CVE-2006-1630
    
    David Luyer discovered, that ClamAV can be tricked into an invalid
    memory access in the cli_bitset_set() function, which may lead to
    a denial of service.

The old stable distribution (woody) doesn't contain clamav packages.

For the stable distribution (sarge) these problems have been fixed in
version 0.84-2.sarge.8.

For the unstable distribution (sid) these problems have been fixed in
version 0.88.1-1.

We recommend that you upgrade your clamav package.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-05 14:20:56 UTC 
net-mail/antivirus please advise and provide an updated ebuild as necessary.
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2006-04-06 04:35:45 UTC 
*** Bug 129013 has been marked as a duplicate of this bug. ***
Comment 3 Christian Birchinger (RETIRED) gentoo-dev 2006-04-06 06:48:11 UTC 
Coping clamav-0.88.ebuild to clamav-0.88.1.ebuild worked fine here.

I'm using it in procmail with clamassassin. Example:

X-Virus-Status: Yes
X-Virus-Report: Worm.Sober.U-3 FOUND 
X-Virus-Checker-Version: clamassassin 1.2.3 with clamdscan / ClamAV 0.88.1/1377/Thu Apr  6 08:17:48 2006
Comment 4 Andrej Kacian (RETIRED) gentoo-dev 2006-04-06 07:31:36 UTC 
I can do that at around midnight CEST today - the first thing I'll do after getting back from work. Can't do it any sooner, sorry.

I won't mind if someone else beats me to it - the bump should be trivial.
Comment 5 Patrick McLean gentoo-dev 2006-04-06 08:22:14 UTC 
I did the bump, it was pretty trivial, tested on our main mail server here and is working fine.

Adding arches for the stabilization.
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2006-04-06 11:26:36 UTC 
ppc stable
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-06 11:36:18 UTC 
Seems like default configuration is at least vulnerable to the format string issue so this is a B1 instead of a C1. So arches please be quick:-)
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2006-04-06 11:40:24 UTC 
stable on ppc64
Comment 9 Fernando J. Pereda (RETIRED) gentoo-dev 2006-04-06 12:07:12 UTC 
Alpha done.
Comment 10 solar (RETIRED) gentoo-dev 2006-04-06 12:25:08 UTC 
CVE-2006-1630 does not seem to exist or is under any review.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1630
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2006-04-06 17:12:36 UTC 
sparc stable.
Comment 12 Jakub Moc (RETIRED) gentoo-dev 2006-04-07 00:03:53 UTC 
*** Bug 129081 has been marked as a duplicate of this bug. ***
Comment 13 Simon Stelling (RETIRED) gentoo-dev 2006-04-07 02:14:13 UTC 
amd64 stable
Comment 14 Matthias Langer 2006-04-07 08:28:41 UTC 
I've done some basic testing with clamav-0.88.1 ( +crypt -mailwrapper -milter (-selinux)) on x86. Basic due the fact, that just tested clamscan and freshclam. However, these two seem to work fine ...

Portage 2.0.54 (default-linux/x86/2006.0, gcc-3.4.5, glibc-2.3.5-r3, 2.6.15-gentoo-r5 i686)
=================================================================
System uname: 2.6.15-gentoo-r5 i686 AMD Athlon(tm) XP 2400+
Gentoo Base System version 1.6.14
dev-lang/python:     2.3.5-r2, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig colission-protect distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.inode.at/ "
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
LINGUAS="en de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://192.168.0.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aalib alsa apm audiofile avi berkdb bitmap-fonts bonobo bzip2 bzlib cairo cdr cli crypt css ctype cups curl dba dbus divx4linux dri dts dv dvd dvdr dvdread emboss encode evo exif expat fam fame fastbuild ffmpeg firefox flac foomaticdb force-cgi-redirect fortran ftp gd gdbm gif glut gmp gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml guile hal idn imagemagick imlib ipv6 isdnlog java jpeg junit lcms libg++ libwww mad memlimit mhash mikmod mmx mmxext mng motif mp3 mpeg nautilus ncurses nls nptl nsplugin nvidia ogg oggvorbis openal opengl pam pcre pdflib perl plotutils png posix pppd python quicktime readline real ruby sdl session simplexml slang soap sockets speex spell spl sqlite sse ssl subtitles svga tcltk tcpd tetex theora tiff tokenizer truetype truetype-fonts type1-fonts udev unicode usb vcd video_cards_nvidia vorbis win32codecs wma xine xml xml2 xmms xsl xv xvid zlib linguas_en linguas_de userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, INSTALL_MASK, LDFLAGS
Comment 15 René Nussbaumer (RETIRED) gentoo-dev 2006-04-07 09:05:07 UTC 
stable on hppa
Comment 16 Mark Loeser (RETIRED) gentoo-dev 2006-04-07 11:05:10 UTC 
x86 done
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-07 12:57:54 UTC 
Thx everyone!

GLSA ID:  200604-06