CVE-2007-6337 Unknown impact remote attack

Bug #181830 reported by Leonel Nunez
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Feisty Backports | Fix Released | Undecided | Unassigned | |
| clamav (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Dapper | Invalid | Undecided | Unassigned | |
| Edgy | Invalid | Undecided | Unassigned | |
| Feisty | Invalid | Undecided | Unassigned | |
| Gutsy | Fix Released | Undecided | Kees Cook | |

Bug Description

Unspecified vulnerability in the bzip2 decompression algorithm in nsis/bzip_private.h in ClamAV before 0.92 has unknown impact and remote attack vectors.

Leonel Nunez (leonelnunez) wrote :

This debdiff is for gutsy

Packages build and install fine; checked with bzip2 files, all worked fine.

Scott Kitterman (kitterman) wrote :

Already fixed in 0.92 in Hardy.

Changed in clamav:
status: New → Fix Released
status: New → Won't Fix
status: New → Won't Fix
assignee: nobody → leonelnunez
status: New → In Progress
status: New → Triaged
Kees Cook (kees) wrote :

Thanks for getting this prepared! The debdiff needed some tweaking:
 - fuller description of the security issue itself
 - list of patches added
 - "Reference" section
 - "-security" pocket
 - add reference to this LP bug

I've updated it, and will upload it shortly. Thanks!

Kees Cook (kees)
Changed in clamav:
assignee: nobody → keescook
status: Triaged → Fix Committed
Leonel Nunez (leonelnunez) wrote :

Last time it happens .. sorry ..

Changed in clamav:
status: Won't Fix → Invalid
status: Won't Fix → Invalid
assignee: leonelnunez → nobody
status: In Progress → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.91.2-3ubuntu2.2

---------------
clamav (0.91.2-3ubuntu2.2) gutsy-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via bzip header overflow.
  * Add 28_bzlib_private.h-CVE-2007-6337.dpatch: upstream fixes for
    vulnerability in the bzip2 decompression algorithm (LP: #181830).
  * References
    CVE-2007-6337

 -- Leonel Nunez <email address hidden> Thu, 10 Jan 2008 10:36:03 -0700

Changed in clamav:
status: Fix Committed → Fix Released
Scott Kitterman (kitterman) wrote :

Attached debdiff built and tested for Feisty for feisty-backports.

Changed in feisty-backports:
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.91.2-3ubuntu2.2~feisty1

---------------
clamav (0.91.2-3ubuntu2.2~feisty1) feisty-backports; urgency=low

  * Source backport to remove unneeded build-dep not available in Feisty
    (LP: #181830)
    - Remove build-dep on libcurl4-gnutls-dev and dependency on libcurl3-gnutls

 -- Scott Kitterman <email address hidden> Fri, 11 Jan 2008 00:17:01 -0500

Changed in clamav:
status: Invalid → Fix Released
Changed in feisty-backports:
status: Confirmed → Fix Released
Changed in clamav:
status: Fix Released → Invalid
This report contains Public Security information  
Everyone can see this security related information.