Heap-based buffer overflow in libclamav/upx.c in Clam Antivirus (ClamAV) before 0.88 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted UPX files.

A heap overflow has been discovered in ClamAV, a virus scanner, which could allow an attacker to execute arbitrary code by sending a carefully crafted UPX-encoded executable to a system running ClamAV.
In addition, other potential overflows have been corrected.

Packages for the ARM architecture were not available when DSA 947-1 was released; these packages are now available. Also, DSA 947-1 incorrectly identified the package version which corrected these issues in the unstable distribution (sid).

The Zero Day Initiative reports :

This vulnerability allows remote attackers to execute arbitrary code on vulnerable Clam AntiVirus installations. Authentication is not required to exploit this vulnerability.

This specific flaw exists within libclamav/upx.c during the unpacking of executable files compressed with UPX. Due to an invalid size calculation during a data copy from the user-controlled file to heap allocated memory, an exploitable memory corruption condition is created.

A heap-based buffer overflow was discovered in ClamAV versions prior to 0.88 which allows remote attackers to cause a crash and possibly execute arbitrary code via specially crafted UPX files.

This update provides ClamAV 0.88 which corrects this issue and also fixes some other bugs.

The remote host is affected by the vulnerability described in GLSA-200601-07 (ClamAV: Remote execution of arbitrary code)

    Zero Day Initiative (ZDI) reported a heap buffer overflow     vulnerability. The vulnerability is due to an incorrect boundary check     of the user-supplied data prior to copying it to an insufficiently     sized memory buffer. The flaw occurs when the application attempts to     handle compressed UPX files.
  Impact :

    For example by sending a maliciously crafted UPX file into a mail     server that is integrated with ClamAV, a remote attacker's supplied     code could be executed with escalated privileges.
  Workaround :

    There is no known workaround at this time.

The remote host is running ClamAV, an open-source antivirus solution for Unix and Windows systems.  This version of ClamAV is reported to be vulnerable to a flaw where the parsing of a malicious file will cause the clamav process to execute arbitrary code.  While the details of the attack are currently unknown, it is rumoured that an attacker exploiting this flaw would only need to be able to craft and send a malformed email to a ClamAV server.  Successful exploitation results in the server executing arbitrary code or crashing. 

ID	Name	Product	Family	Severity
22813	Debian DSA-947-2 : clamav - heap overflow	Nessus	Debian Local Security Checks	high
21439	FreeBSD : clamav -- possible heap overflow in the UPX code (612a34ec-81dc-11da-a043-0002a5c3d308)	Nessus	FreeBSD Local Security Checks	high
20795	Mandrake Linux Security Advisory : clamav (MDKSA-2006:016)	Nessus	Mandriva Local Security Checks	high
20417	GLSA-200601-07 : ClamAV: Remote execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
3362	ClamAV < 0.88.0 UPX File Processing Overflow (deprecated)	Nessus Network Monitor	Web Clients	high

Detections

Analytics

CVE-2006-0162

high

Tenable Plugins

high

high

high

high

high