This version upgrade to 0.92.1 fixes numerous flaws including some security problems (CVE-2008-0318, CVE-2008-0728).

Please note that the version number of the clamav library has changed with version 0.92. Programs linked against older libclamav therefore need to be updated as well.

The remote host is affected by the vulnerability described in GLSA-200802-09 (ClamAV: Multiple vulnerabilities)

    An integer overflow has been reported in the 'cli_scanpe()' function in     file libclamav/pe.c (CVE-2008-0318). Another unspecified vulnerability     has been reported in file libclamav/mew.c (CVE-2008-0728).
  Impact :

    A remote attacker could entice a user or automated system to scan a     specially crafted file, possibly leading to the execution of arbitrary     code with the privileges of the user running ClamAV (either a system     user or the 'clamav' user if clamd is compromised).
  Workaround :

    There is no known workaround at this time.

contains: - libclamav/mew.c: fix possible heap corruption (bb#806) - libclamav/pe.c: fix possible integer overflow (CVE-2008-0318) contains: - libclamav/mew.c: fix possible heap corruption (bb#806) - libclamav/pe.c: fix possible integer overflow (CVE-2008-0318)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

contains: - libclamav/mew.c: fix possible heap corruption (bb#806) - libclamav/pe.c: fix possible integer overflow (CVE-2008-0318)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities were discovered in ClamAV and corrected with the 0.93 release, including :

ClamAV 0.92 allowed local users to overwrite arbitrary files via a symlink attack on temporary files or on .ascii files in sigtool, when utf16-decode is enabled (CVE-2007-6595).

ClamAV 0.92 did not recognize Base64 uuencoded archives, which allowed remoted attackers to bypass the sanner via a base64-uuencoded file (CVE-2007-6596).

A heap-based buffer overflow in ClamAV 0.92.1 allowed remote attackers to execute arbitrary code via a crafted PeSpin packed PE binary (CVE-2008-0314).

An integer overflow in libclamav prior to 0.92.1 allowed remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggered a heap-based buffer overflow (CVE-2008-0318).

An unspecified vulnerability in ClamAV prior to 0.92.1 triggered heap corruption (CVE-2008-0728).

A buffer overflow in ClamAV 0.92 and 0.92.1 allowed remote attackers to execute arbitrary code via a crafted Upack PE file (CVE-2008-1100).

ClamAV prior to 0.93 allowed remote attackers to cause a denial of service (CPU consumption) via a crafted ARJ archive (CVE-2008-1387).

A heap-based buffer overflow in ClamAV 0.92.1 allowed remote attackers to execute arbitrary code via a crafted WWPack compressed PE binary (CVE-2008-1833).

ClamAV prior to 0.93 allowed remote attackers to bypass the scanning engine via a RAR file with an invalid version number (CVE-2008-1835).

A vulnerability in rfc2231 handling in ClamAV prior to 0.93 allowed remote attackers to cause a denial of service (crash) via a crafted message that produced a string that was not null terminated, triggering a buffer over-read (CVE-2008-1836).

A vulnerability in libclamunrar in ClamAV prior to 0.93 allowed remote attackers to cause a denial of service (crash) via a crafted RAR file (CVE-2008-1837).

Other bugs have also been corrected in 0.93 which is being provided with this update. Because this new version has increased the major of the libclamav library, updated dependent packages are also being provided.

This version upgrade to 0.92.1 fixes numerous flaws including some security problems. (CVE-2008-0318 / CVE-2008-0728)

Please note that the version number of the clamav library has changed in version 0.92. Programs linked against older libclamav therefore need to be updated as well.

Several vulnerabilities have been discovered in the Clam anti-virus toolkit, which may lead to the execution of arbitrary code or local denial of service. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2007-6595     It was discovered that temporary files are created     insecurely, which may result in local denial of service     by overwriting files.

  - CVE-2008-0318     Silvio Cesare discovered an integer overflow in the     parser for PE headers.

The version of clamav in the old stable distribution (sarge) is no longer supported with security updates.

iDefense Security Advisory 02.12.08 :

Remote exploitation of an integer overflow vulnerability in Clam AntiVirus' ClamAV, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the affected process.

The vulnerability exists within the code responsible for parsing and scanning PE files. While iterating through all sections contained in the PE file, several attacker controlled values are extracted from the file. On each iteration, arithmetic operations are performed without taking into consideration 32-bit integer wrap.

Since insufficient integer overflow checks are present, an attacker can cause a heap overflow by causing a specially crafted Petite packed PE binary to be scanned. This results in an exploitable memory corruption condition.

Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the process using libclamav. In the case of the clamd program, this will result in code execution with the privileges of the clamav user. Unsuccessful exploitation results in the clamd process crashing. Workaround Disabling the scanning of PE files will prevent exploitation.

If using clamscan, this can be done by running clamscan with the '--no-pe' option.

If using clamdscan, set the 'ScanPE' option in the clamd.conf file to 'no'.

The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have the security update 2008-002 applied. 

This update contains several security fixes for a number of programs.

The remote host is running ClamAV client.

This version of ClamAV is vulnerable to several flaws due to the way that it parses user-supplied input.  It has been reported that there is a heap overflow within the 'mew.c' file.  It has further been reported that there is an integer overflow in the 'cli_scanpe' function of the 'pe.c' file.  An attacker exploiting these flaws would either crash the service or execute arbitrary code on the remote machine. 

ID	Name	Product	Family	Published	Updated	Severity
31112	openSUSE 10 Security Update : clamav (clamav-5009)	Nessus	SuSE Local Security Checks	2/18/2008	1/14/2021	critical
31157	GLSA-200802-09 : ClamAV: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	2/25/2008	1/6/2021	critical
31075	Fedora 7 : clamav-0.92.1-1.fc7 (2008-1608)	Nessus	Fedora Local Security Checks	2/14/2008	1/11/2021	critical
31077	Fedora 8 : clamav-0.92.1-1.fc8 (2008-1625)	Nessus	Fedora Local Security Checks	2/14/2008	1/11/2021	critical
37368	Mandriva Linux Security Advisory : clamav (MDVSA-2008:088)	Nessus	Mandriva Local Security Checks	4/23/2009	1/6/2021	critical
31111	SuSE 10 Security Update : clamav (ZYPP Patch Number 5008)	Nessus	SuSE Local Security Checks	2/18/2008	1/14/2021	critical
31102	Debian DSA-1497-1 : clamav - several vulnerabilities	Nessus	Debian Local Security Checks	2/18/2008	1/4/2021	critical
31109	FreeBSD : clamav -- ClamAV libclamav PE File Integer Overflow Vulnerability (be4b0529-dbaf-11dc-9791-000ea6702141)	Nessus	FreeBSD Local Security Checks	2/18/2008	1/6/2021	critical
31605	Mac OS X Multiple Vulnerabilities (Security Update 2008-002)	Nessus	MacOS X Local Security Checks	3/19/2008	7/14/2018	critical
4375	ClamAV < 0.92.1 Multiple Overflows (deprecated)	Nessus Network Monitor	Web Clients	2/13/2008	3/6/2019	high

Detections

Analytics

Plugins Search

critical

critical

critical

critical

critical

critical

critical

critical

critical

high