A vulnerability has been reported in SquidClamav, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused by an error when parsing a URL, which may result in unescaped URLs being passed to the system command call. This can be exploited to cause the daemon to crash via specially crafted characters (e.g. %0D or %0A).
The vulnerability is reported in versions prior to 5.8 and 6.7.
Update to version 5.8 or 6.7.
OK to stabilize 6.8?
Ok for me.
Arches, please test and mark stable:
Target KEYWORDS: "amd64 x86"
security, please vote.
Thanks, everyone. GLSA Vote: yes.
YES too, request filed.
The squidclamav_check_preview_handler function in squidclamav.c in SquidClamav 5.x before 5.8 and 6.x before 6.7 passes an unescaped URL to a system command call, which allows remote attackers to cause a denial of service (daemon crash) via a URL with certain characters, as demonstrated using %0D or %0A.
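The report and the CVE text above describe the same defect: a client-supplied URL is handed, unescaped, to a system command call, and CR/LF characters (sent as %0D/%0A) are enough to crash the daemon. The block below is an added example written for this page, not SquidClamav's code or its fix. It shows the unsafe pattern (a URL interpolated into a command string for system()) next to two defences: a hypothetical url_is_safe() check that percent-decodes the URL and rejects control bytes and shell metacharacters, and a fork/execvp invocation that passes the URL as a single argv element so no shell ever parses it. The function names, the reject set and the use of /bin/true as a stand-in scanner are assumptions.

```c
/* Added example, not SquidClamav's code: the unsafe "URL into a shell
 * command" pattern the advisory describes, beside a validated, shell-free
 * way to hand a URL to an external scanner or redirector. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes so that an encoded CR/LF (%0D/%0A) is examined as the
 * control byte it becomes once decoded. Returns 0 on a malformed escape or
 * if the output buffer is too small. */
int url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        if (o + 1 >= outlen) return 0;
        if (*p == '%') {
            int h = hexval((unsigned char)p[1]);
            int l = (h < 0) ? -1 : hexval((unsigned char)p[2]);
            if (h < 0 || l < 0) return 0;
            out[o++] = (char)(h * 16 + l);
            p += 2;
        } else {
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return 1;
}

/* Hypothetical policy check: after decoding, allow only printable ASCII
 * that carries no meaning to a shell. CR, LF and other control bytes are
 * rejected, which covers the %0D / %0A case from the advisory. */
int url_is_safe(const char *url) {
    char buf[2048];
    if (url == NULL || *url == '\0' || !url_decode(url, buf, sizeof buf)) return 0;
    for (const unsigned char *p = (const unsigned char *)buf; *p; p++) {
        if (*p < 0x21 || *p > 0x7e) return 0;            /* control, space, non-ASCII */
        if (strchr("`$\\\"'|&;<>(){}*?!", *p)) return 0; /* shell metacharacters */
    }
    return 1;
}

/* UNSAFE pattern, shown only for contrast and never called on untrusted
 * input here: the URL is spliced into a command line that /bin/sh parses,
 * so any byte the shell cares about changes what gets executed. */
int scan_via_system_unsafe(const char *tool, const char *url) {
    char cmd[4096];
    snprintf(cmd, sizeof cmd, "%s %s", tool, url);
    return system(cmd);
}

/* SAFER pattern: validate, then fork/execvp with the URL as one argv
 * element. No shell is involved, so CR/LF, quotes or metacharacters cannot
 * alter the command; validation still matters because the external tool
 * itself may mishandle control bytes. Returns the tool's exit status, or
 * -1 if the URL is rejected or the process could not be run. */
int scan_via_exec(const char *tool, const char *url) {
    if (!url_is_safe(url)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool, (char *)url, NULL };
        execvp(tool, argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample inputs, including the advisory's CR/LF case. */
    const char *ok   = "http://example.com/path/file.zip";
    const char *crlf = "http://example.com/%0D%0Ainjected";
    printf("%s -> %s\n", ok,   url_is_safe(ok)   ? "safe" : "rejected");
    printf("%s -> %s\n", crlf, url_is_safe(crlf) ? "safe" : "rejected");
    /* /bin/true stands in for the real scanner; it ignores its argument. */
    printf("exec status: %d\n", scan_via_exec("true", ok));
    return 0;
}
```

The check is applied to the decoded form because a proxy or scanner usually decodes the URL at some point before using it; rejecting on the encoded form alone would miss a raw CR/LF, and rejecting only raw bytes would miss %0D/%0A. Replacing system() with an argv-based exec removes the shell from the path entirely, which is the change that actually closes the injection class rather than just the crash.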
This issue was resolved and addressed in GLSA 201209-08 at http://security.gentoo.org/glsa/glsa-201209-08.xml by GLSA coordinator Sean Amoss (ackle).