Date: Tue, 15 Apr 2008 12:07:43 +0200 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com, coley@...re.org Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: clamav: Endless loop / hang with crafter arj, CVE-2008-1387 Advisory published at: http://int21.de/cve/CVE-2008-1387-clamav.html clamav: Endless loop / hang with crafter arj, CVE-2008-1387 References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1387 http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html Description CERT-FI published an advisory with a large number of samples of crafted archives. The file with the md5sum b6046d890e6bd304e3756c88b989559a (named b6046d890e6bd304e3756c88b989559a.arj) hangs clamav with high load. If you're running clamav on a mailserver, an attacker can DoS your Server remotely by sending some mails with the archive attached. Workaround/Fix clamav 0.93 fixes this issue beside other security issues, if you're running clamav you should upgrade as soon as possible. Disclosure Timeline 2008-03-17 CERT-FI publishes advisory 2008-03-26 Vendor contacted 2008-03-27 Vendor approves issue 2008-04-14 Vendor releases 0.93 2008-04-16 Advisory published CVE Information The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-1387 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. Credits and copyright This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting. It's licensed under the creative commons attribution license. Hanno Boeck, 2008-04-16, http://www.hboeck.de -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail: hanno@...eck.de Download attachment "signature.asc " of type "application/pgp-signature" (198 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.