Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 17 Feb 2015 21:52:32 +0100
From: Sebastian Andrzej Siewior <cve-announce@...breakpoint.cc>
To: oss-security@...ts.openwall.com
Cc: lcamtuf@...edump.cx
Subject: CVE-2014-9328: clamav: special crafted upack files may lead to
 segfault

upack is a tool for compressing .exe (.dll and such) files under
windows. clamav [0] is a virus scanning tool which is able to unpack
such files during scanning.

A handcrafted file could lead the de-compressor to access beyond bounds
leading to crash. This has been fixed via [1] and is part of the current
(0.96.6) release.

This bug has been discovered by AFL [2], american fuzzy lop.

[0] http://www.clamav.net/
[1] https://github.com/vrtadmin/clamav-devel/commit/5e1fbf3668bd167828d675830103b3c1ccdcb76d
[2] http://lcamtuf.coredump.cx/afl/

Sebastian

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ