Ubuntu
clamav package

[hardy] Multiple unfixed CVEs

Bug #271546 reported by Jürgen Kreileder
258
Affects Status Importance Assigned to Milestone
clamav (Ubuntu)
Fix Released
Undecided
Leonel Nunez
Dapper
Fix Released
Undecided
Unassigned
Gutsy
Won't Fix
Undecided
Leonel Nunez
Hardy
Fix Released
Undecided
Unassigned
Intrepid
Fix Released
Undecided
Unassigned

Bug Description

Binary package hint: clamav

libclamav/chmunpack.c in the chm-parser in ClamAV before 0.94 allows remote attackers to cause a denial of service (application crash) via a malformed CHM file, related to an "invalid memory access."
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1389

libclamav in ClamAV before 0.94 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to an out-of-memory condition.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3912

Multiple memory leaks in freshclam/manager.c in ClamAV before 0.94 might allow attackers to cause a denial of service (memory consumption) via unspecified vectors related to the "error path."
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3913

Multiple unspecified vulnerabilities in ClamAV before 0.94 have unknown impact and attack vectors related to file descriptor leaks on the "error path" in (1) libclamav/others.c and (2) libclamav/sis.c.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3914

The version in hardy lts should be fixed/upgraded asap.

Revision history for this message
Scott Kitterman (kitterman) wrote : Re: [Bug 271546] [NEW] [hardy] Multiple unfixed CVEs

Work is already in progress to prepare patches for Dapper, Feisty, Gutsy,
and Hardy.

Revision history for this message
Leonel Nunez (leonelnunez) wrote :

For cve-2008-1389 ubuntu version is not vulnerable

Tested the provided test files to crash the clamav and didn't crash

for cve-2008-3912 clamav has asigned the same bug number as for 3913 and 3914

Working on the patch for cve-2008-3913 and 3914

Leonel Nunez (leonelnunez)
Changed in clamav:
assignee: nobody → leonelnunez
Revision history for this message
Leonel Nunez (leonelnunez) wrote :

Debdiff For Hardy applies, builds installs fine

Added a patch for CVE-2008-5314
for CVE-2008-1380 the module is disabled but we are working on the patch

Revision history for this message
Leonel Nunez (leonelnunez) wrote :

Debdiff corrected for hardy
Added reference to bug LP# 304017

Revision history for this message
Scott Kitterman (kitterman) wrote :

I've got the update running on a Hardy box with clamsmtp and it seems to work fine. I have not done any formal testing of the vulnerabilities.

Revision history for this message
Kees Cook (kees) wrote :

Leonel: great, thanks for getting this prepared. I've adjusted the changelog to follow the SUP format a little more closely. This is building in the security queue now.

Revision history for this message
Leonel Nunez (leonelnunez) wrote :

Dapper Debdiff applies builds installs and works fine

Revision history for this message
Leonel Nunez (leonelnunez) wrote :

Gutsy debdiff applies builds installs and works fine

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.92.1~dfsg2-1.1ubuntu0.4

---------------
clamav (0.92.1~dfsg2-1.1ubuntu0.4) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service via out-of-memory null dereferences,
    memory leaks, and file descriptor leaks:
    - 29_CVE-2008-3912.dpatch: backported upstream fixes.
    - 30_CVE-2008-3913.dpatch: backported upstream fixes.
    - 31_CVE-2008-3914.dpatch: backported upstream fixes.
    - LP: #271546
  * SECURITY UPDATE: denial of service via crafted JPEG file
    - 32_cli_check_jpeg_exploit.dpatch: backported upstream fixes.
    - CVE-2008-5314, LP: #304017

 -- Leonel Nunez <email address hidden> Thu, 04 Dec 2008 10:47:40 -0700

Changed in clamav:
status: New → Fix Released
Revision history for this message
Scott Kitterman (kitterman) wrote :

All fixed in 0.94.2 for Intrepid/Jaunty.

Changed in clamav:
status: New → Fix Released
status: New → Fix Released
assignee: nobody → leonelnunez
assignee: nobody → leonelnunez
Revision history for this message
Scott Kitterman (kitterman) wrote :

The changes for Dapper/Gutsy have been added to debdiffs in Bug #317923.

Revision history for this message
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in clamav (Ubuntu Gutsy):
status: New → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Dapper has version 0.95.3+dfsg-1ubuntu0.09.04~dapper4 which has no open CVEs.

Changed in clamav (Ubuntu Dapper):
assignee: Leonel Nunez (leonelnunez) → nobody
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.