Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 06 Dec 2013 21:10:55 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: ClamAV vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/29/2013 06:35 PM, George Theall wrote:
> 
> On Nov 29, 2013, at 12:58 PM, Kurt Seifried <kseifried@...hat.com>
> wrote:
> 
> On 11/29/2013 02:20 AM, Sergey Popov wrote:
>>>> It's a bit late, but i would like to request CVE for two 
>>>> vulnerabilities, that present in ClamAV before 0.97.7[1]:
>>>> 
>>>> 1) A double-free error exists within the 
>>>> "unrar_extract_next_prepare()" function 
>>>> (libclamunrar_iface/unrar_iface.c) when parsing a RAR file.
>>>> 
>>>> 2) An unspecified error within the "wwunpack()" function 
>>>> (libclamav/wwunpack.c) when unpacking a WWPack file can be 
>>>> exploited to corrupt heap memory.
>>>> 
>>>> [1] - https://secunia.com/advisories/52647/
>>>> 
> 
> The blog entry
> 
> http://blog.clamav.net/2013/03/clamav-0977-has-been-released.html
> 
> contains no mention of security flaws,
> 
>> Hrm, at least the copy I see says “ClamAV 0.97.7 addresses
>> several reported potential security bugs.”. While it doesn’t
>> identify the issues per se, it does at least indicate this is a
>> security release.
> 
>> Jan Lieskovsky talked about both of these last March — see
>> <http://seclists.org/oss-sec/2013/q1/672>. The double-free was
>> fixed in this commit :
> 
>> https://github.com/vrtadmin/clamav-devel/commit/b2212def1bb92b5ac45c82da100dc0d1376de6a3
>
>>  and the 'wwunpack()’ issue maps to :
> 
>> https://bugzilla.clamav.net/show_bug.cgi?id=6806
> 
>> Hope that helps,
> 
> 
> Also the ChangeLog:
> 
> https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog
> 
> Doesn't contain any mention of the above flaws. Can you provide
> links to source code/bug reports or something so I can verify this?
> Thanks.

Just a heads up I know at least one person is trying to get details
from SourceFire (they bought ClamAV some time back). Until I can match
issues up I can't assign CVEs.

> George
> 

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSop/OAAoJEBYNRVNeJnmTOl8P/3F+8wBFgC2AHXllbYnPa4ZP
HDYbDCaTsqNQdBdFyZuKuwN7UbnUnXL2HYm+VQrRf6HeMjXj4ghPBasnzwQrHhcR
9wlBvKwDJkn5LRQJItHZ7AG6T3FlkKA2ksFFkzLgKmRgT+aW3TVlj6MJP8uaD5KQ
kivaiXwToPNGz8u/HiDB9DLDBDz+ObImhNQEClmrQkPLUFVGmShkp6UZGVen7MiH
9iCrvtxHQ12fevdXfqOHFuFCtrn6X23Y8uccCWdAZWFx0t8dlhC0loXugIrnL0xv
kxoSsDAMtPWB1FkO31hVSFXlvPSe90Ji7k1Yow9hThncL3qbcWQJ7hR31qVQeEkp
dXBwLAXbi5Bd2zZJvpGtyDfPKJtgzqtXTMQXSeWj2FcSkBqk9sOjn8tCyoCiBNF7
V2ayPrW/PCaVhDsCtwICbbKSnz+M7hIc6ggCK7Ng4QcvBRXkAM6k07+H5S9VBmdu
BowhiVPSjErHUDqL4llHjnfmBS44FatEWkyz13/9nh5+avHAX48vQp8FFm1oqPvc
K/AlfVNFXkp1GF2bb/j7qqkv9J7fTqyIN6zFM8BrDjCb8QZZ98CtAlYnIh4UVTRE
IOEGGVY/2qdYP+p6+1TXeDq83uK7uXve/8Sbg0X8mWe4wGkZIgkx5Ymi5yXgmIr5
WXq9kVEcAGVG3C55rNZX
=1yV3
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.