Segfault with corrupted DOC files with ArchiveMaxFiles 10000. See Debian bug
for full details.
antivirus/net-mail please advise.
Nothing yet upstream afaict
This is CAN-2005-3239
Still nothing upstream.
Created attachment 71477
Patch extracted from clamav CVS, untested.
antivirus / net-mail: please check/apply patch and bump.
I'm sorry, I'll be out of touch until Monday, so I can't do this one on time.
BTW, is there a sample corrupted .doc file to test on? I couldn't find any.
There is one on the Debian bug:
There is 0.87.1 out which fixes this. Ebuild is now in portage, x86 already
tested and stable.
Arches please test and mark stable.
Potential additional security fixorz:
- libclamav/petite.c: fix boundary checks (acab)
- libclamav/mbox.c: scan attachments that have no filename (njh)
- libclamav/fsg.c: fix buffer size calculation in unfsg_133
  Reported by Zero Day Initiative (ZDI-CAN-004)
- libclamav/tnef.c: fix possible infinite loop
  Reported by iDEFENSE (IDEF1169).
- libclamav/mspack/cabd.c: fix possible infinite loop in cabd_find (tk)
  Reported by iDEFENSE (IDEF1180).
marked ppc64 stable
0.87.1 stable on alpha
The fsg thing allows remote code execution:
ZDI-05-002: Clam Antivirus Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable ClamAV installations. Authentication is not required to
exploit this vulnerability.
This specific flaw exists within libclamav/fsg.c during the unpacking of
executable files compressed with FSG v1.33. Due to invalid bounds
checking when copying user-supplied data to heap allocated memory, an
exploitable memory corruption condition is created. The unpacking
algorithm for other versions of FSG is not affected.
Stable on ppc and hppa.
amd64 happy too
ia64 don't forget to mark stable.