Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 17 Jun 2008 22:52:31 +0300
From: Török Edwin <edwin@...mav.net>
To: Eren Türkay <turkay.eren@...il.com>
CC: oss-security@...ts.openwall.com
Subject: Re: CVE id request: Clamav

Eren Türkay wrote:
> On 17 Jun 2008 Tue 10:38:13 Eren Türkay wrote:
>>   * libclamav/mbox.c, shared/network.c: prevent uninitialized use of
>> hostent structure (bb #1003).
>>
>> The bug entry says that after zip file's arriving at clamd, it suddenly
>> dies and nothing can be retrieved thereafter. Clamav developer also
>> comfirms that this happens when MailFollowURLs is enabled.
> 
> Hello,
> 
> I talked to Edwin on #clamav channel. He says this is a rare-case and he 
> thinks that it's a vulnerability rather than a security flaw.

I said that its a bug rather than a security flaw. However you can
assign it a CVE id if you want to.
We didn't treat it as security, because it occurs in a non-default
config (MailFollowURLs), it is not externally controllable, and it
occurs rarely (so far we got 2 reports of this bug).

> 
> Edwin, could you please inform us about important vulnerabilities/security 
> flaws fixed in 0.93.1?

I recommend to use 0.93.1, however if you want to backport parts of
it, these are the most important (from the ChangeLog).
The daily.cfg and dconf changes are important for turning off
vulnerable modules, the rest is self explanatory.

Wed Jun  4 14:18:27 CEST 2008 (tk)
----------------------------------
  * libclamav/petite.c: fix possible invalid memory access (bb#1000)
			Reported by Damian Put

Sat May  3 14:46:41 CEST 2008 (tk)
----------------------------------
* libclamav/readdb.h: read daily.cfg stored inside .cld containers
(bb#1006)

Thu Apr 24 17:44:38 MSD 2008 (tk)
---------------------------------
  * libclamav: scan for embedded PEs inside OLE2 files (bb#914)

Fri Apr 18 13:55:41 EEST 2008 (edwin)
-------------------------------------
  * libclamav/dconf.h: fix flag code assignment (bb #952)

Best regards,
--Edwin

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.