Segfault with corrupted DOC files with ArchiveMaxFiles 10000. See Debian bug for full details.
antivirus/net-mail, please advise.
Nothing yet upstream afaict
This is CAN-2005-3239
Still nothing upstream.
Created attachment 71477: clamav-CVE-2005-3239.patch. Patch extracted from clamav CVS, untested.
antivirus / net-mail: please check/apply patch and bump.
I'm sorry, I'll be out of touch until Monday, so I can't do this one on time. BTW, is there a sample corrupted .doc file to test on? I couldn't find any.
There is one on the Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi/KOCH.DOC?bug=333566;msg=19;att=1
There is 0.87.1 out which fixes this. Ebuild is now in portage, x86 already tested and stable.
Arches please test and mark stable.
Potential additional security fixorz:
- libclamav/petite.c: fix boundary checks (acab)
- libclamav/mbox.c: scan attachments that have no filename (njh)
- libclamav/fsg.c: fix buffer size calculation in unfsg_133. Reported by Zero Day Initiative (ZDI-CAN-004)
- libclamav/tnef.c: fix possible infinite loop. Reported by iDEFENSE (IDEF1169).
- libclamav/mspack/cabd.c: fix possible infinite loop in cabd_find (tk). Reported by iDEFENSE (IDEF1180).
sparc stable.
marked ppc64 stable
0.87.1 stable on alpha
The fsg thing allows remote code execution :)

ZDI-05-002: Clam Antivirus Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-05-002.html
CAN-2005-3303

This vulnerability allows remote attackers to execute arbitrary code on vulnerable ClamAV installations. Authentication is not required to exploit this vulnerability. This specific flaw exists within libclamav/fsg.c during the unpacking of executable files compressed with FSG v1.33. Due to invalid bounds checking when copying user-supplied data to heap allocated memory, an exploitable memory corruption condition is created. The unpacking algorithm for other versions of FSG is not affected.
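Added example (not ClamAV code, and not how libclamav/fsg.c actually decodes FSG 1.33): a toy packer-style decoder showing the bug class the advisory describes, a back-reference copy into a heap buffer that trusts lengths taken from the file, beside the hardened form that checks every read and write against the sizes actually allocated. The stream layout, MAX_UNPACKED and all function names are hypothetical, and the sample inputs are constructed for the self-check.

```c
/*
 * Added example, not ClamAV's fsg.c: a toy unpacker in the style of a
 * PE-packer decoder, to show the bug class named in ZDI-05-002 (copying
 * attacker-controlled data into a heap buffer with a missing bounds check)
 * and the checks that close it.  The stream format is invented for this
 * example; every name below is hypothetical.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical packed stream:
 *   bytes 0..3   declared unpacked size, little-endian
 *   then tokens: 0x00 <byte>        emit one literal byte
 *                0x01 <off> <len>   copy <len> bytes from <off> bytes back in output
 */
#define MAX_UNPACKED (16u * 1024u * 1024u)   /* sanity cap on attacker-chosen allocation */

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE form: the output buffer is sized from the header, but the
 * back-reference copy trusts <len> and <off> from the stream, so a length
 * larger than the space left writes past the heap allocation.  Kept here
 * only to show the pattern; never run it on untrusted data. */
uint8_t *unpack_unchecked(const uint8_t *in, size_t in_len) {
    if (in_len < 4) return NULL;
    uint32_t declared = read_le32(in);
    uint8_t *dst = malloc(declared);
    if (!dst) return NULL;
    size_t sp = 4, dp = 0;
    while (sp < in_len) {
        uint8_t tok = in[sp++];
        if (tok == 0) {
            dst[dp++] = in[sp++];
        } else {
            size_t off = in[sp], len = in[sp + 1];
            sp += 2;
            for (size_t i = 0; i < len; i++, dp++)   /* no check against declared */
                dst[dp] = dst[dp - off];
        }
    }
    return dst;
}

/* HARDENED form: every read from the stream and every write to the output
 * is checked against the sizes actually allocated.  Returns 0 on success
 * with *out / *out_len set, -1 on any malformed input. */
int unpack_checked(const uint8_t *in, size_t in_len, uint8_t **out, size_t *out_len) {
    if (in_len < 4) return -1;
    uint32_t declared = read_le32(in);
    if (declared == 0 || declared > MAX_UNPACKED) return -1;
    uint8_t *dst = malloc(declared);
    if (!dst) return -1;
    size_t sp = 4, dp = 0;
    while (sp < in_len && dp < declared) {
        uint8_t tok = in[sp++];
        if (tok == 0) {
            if (sp >= in_len) goto bad;                 /* truncated literal */
            dst[dp++] = in[sp++];
        } else if (tok == 1) {
            if (sp + 2 > in_len) goto bad;              /* truncated back-reference */
            size_t off = in[sp], len = in[sp + 1];
            sp += 2;
            if (off == 0 || off > dp) goto bad;         /* would read before start of output */
            if (len > declared - dp) goto bad;          /* the check missing in the form above */
            for (size_t i = 0; i < len; i++, dp++)
                dst[dp] = dst[dp - off];
        } else {
            goto bad;                                   /* unknown token */
        }
    }
    *out = dst;
    *out_len = dp;
    return 0;
bad:
    free(dst);
    return -1;
}

/* Constructed samples for a self-check (not real packed files). */
int demo_benign(void) {
    /* declared 4 bytes: literal 'A', then copy 3 bytes from 1 back -> "AAAA" */
    static const uint8_t s[] = { 4, 0, 0, 0,  0x00, 'A',  0x01, 1, 3 };
    uint8_t *out = NULL; size_t n = 0;
    if (unpack_checked(s, sizeof s, &out, &n) != 0) return 0;
    int ok = (n == 4 && memcmp(out, "AAAA", 4) == 0);
    free(out);
    return ok;
}

int demo_overflow_rejected(void) {
    /* declared 2 bytes, but the back-reference asks for 200: 198 bytes past the allocation */
    static const uint8_t s[] = { 2, 0, 0, 0,  0x00, 'A',  0x01, 1, 200 };
    uint8_t *out = NULL; size_t n = 0;
    return unpack_checked(s, sizeof s, &out, &n) == -1;
}
```

The second sample is exactly the shape of input the advisory describes: the header-derived allocation is small, and a copy length the attacker controls is larger than what remains, so `unpack_unchecked` would write past the heap chunk while `unpack_checked` refuses it before any write happens. Capping the declared size is the second half of the fix a scanner needs, since otherwise a hostile file can also force an arbitrarily large allocation.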
Stable on ppc and hppa.
amd64 happy too
GLSA 200511-04. ia64, don't forget to mark stable.