Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2005-2070: clamav 0.86.1 | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Reinhard Max <max> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | VERIFIED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | ||
| Priority: | P5 - None | CC: | aj, ast, gp, hmuelle, mhoppe, ro, security-team |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | All | ||
| Whiteboard: | CVE-2005-2070: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | ||
| Found By: | Other | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
The packages from mbuild are now also available for external testing on ftp://ftp.suse.com/pub/projects/clamav/clamav-0.86 .

Tonight ClamAV 0.86.1 has been released which fixes a possible crash in one of the decompressor routines. Because this is a security fix, the ClamAV has decided to not delay the freshclam warnings with this release, so we should react quickly this time.

aj, gp? need update approval for SLES and BOX

Okay for SLES. Timing is a bit tight -- do you want to sneak this into SLES9 SP2 RC4 tomorrow? (That is scheduled for public release in about ten days.)

This is a bit too late with necessary testing. So just regular maintenance update I think.

needinfo AJ for box approval

It has been tested on my own 9.1-based email server over the weekend, but I don't know if the load-testing on scanhost has been done yet.

Wolfgang?

Approved for professional.

Packages submitted for SLES9/9.1, 9.2, and 9.3.

(In reply to comment #7)
> It has been tested on my own 9.1-based email server over the weekend, but I
> don't know if the load-testing on scanhost has been done yet.
>
> Wolfgang?

Why Wolfgang? Wolfgang is not responsible for our mailsystem ... I will test the package on our "scanhost".

Whoops, sorry -- I've confused the two of you. Thanks for testing!

You submitted this for SLES9, not for SLES9-SP2. In any case we can release this in about 9 days, when we release SLES9-SP2, either as part of or after SLES9-SP2 (currently the latter).

(In reply to comment #11)
Seems to work without problems.

Letting this wait another 9 days is way too long, IMHO. It fixes a remote DoS vulnerability and should therefore be released ASAP.

feel free to do it either in SP2 or in the SLES9 branch directly...

SWAMP-ID is 1661

Sorry, SWAMP-ID is 1010 (sp2) and 1661 for BOX

Gerald, Ralf and I decided to push this out ASAP to get it - out to the customers - on SP2 since the next window for the release of this would be in 9 days earliest.

updates released, advisory released

Thanks!
From: Michael Stone <mstone@debian.org>
To: vendor-sec@lst.de
Mail-Followup-To: vendor-sec@lst.de
User-Agent: Mutt/1.5.9i
Subject: [vendor-sec] clamav
Errors-To: vendor-sec-admin@lst.de
Date: Fri, 01 Jul 2005 11:28:18 -0400

I haven't seen any discussion of clamav yet. I'm still trying to figure out exactly what the status is, here's a snapshot of what we've got:

----- Forwarded message from Andreas Barth <aba@not.so.argh.org> -----

From: Andreas Barth <aba@not.so.argh.org>
To: Stephen Gran <sgran@debian.org>
Cc: team@security.debian.org
Subject: Re: ClamAV remote DoS bugs

* Andreas Barth (aba@not.so.argh.org) [050701 16:00]:
>| The new version fixes - AFAIK - these security bugs:
>| CAN-2005-2056: libclamav/mspack/cabd.c: fix possible infinite loop
>| CAN-2005-2070: potential DoS to the sendmail interface in clamav-milter
>| <unassigned> : libclamav/cvd.c: fix potential directory traversal in cvd
>| unpacker

There are two more CAN IDs Michael gave me:
CAN-2005-1922: libclamav/scanners.c: fix potential remote DoS
CAN-2005-1923: libclamav/mspack/mszipd.c: fix possible infinite loop

On closer looking into the upstream changelog, I saw these fixes:

| V 0.86.1
| * Fixes backported from CVS:
| - libclamav/mspack/qtmd.c: fix possible crash (tk)
| Reported by Andrew Toller <atoller*connectfree.co.uk>
| and Stefan Kanthak <stefan.kanthak*fujitsu-siemens.com>

Is there an id for it?

| V 0.86
| * Fixes backported from CVS:
| - libclamav/mspack/cabd.c: fix possible infinite loop (tk)

CAN-2005-2056

| - libclamav/cvd.c: fix potential directory traversal in cvd unpacker (a low
| risk problem since all databases are digitally signed). Pointed out by
| Florian Weimer <fw*deneb.enyo.de> (tk)

see above - upstream seems to be aware. :)

| - clamav-milter: When loading a new database when not in external mode,
| keep scanning with the old one rather than hold up incoming mails while
| waiting for clamav-milter to become idle then reloading the database (njh)

that is probably CAN-2005-2070 ...

| - libclamav/scanners.c: fix file descriptor leaks if cli_msexpand() returns
| an error in cli_scanszdd, patch by Mark Pizzolato (tk)
| - libclamav/scanners.c: fix file descriptor leak in error path (out of mem)
| in cli_scangzip(), patch by Mark Pizzolato (tk)

both together seems to be CAN-2005-1922

| - libclamav/message.c: Fixed a problem where an email with more than one
| content-disposition type line, one or more of which was empty, could
| crash libclamav. Reported by Daniel Theodoro <dtheodoro at ig.com.br>
| (njh)

what's that?

I didn't find CAN-2005-1923 in the Changelog (and also not the word mszipd).

_______________________________________________
Vendor Security mailing list

CVE-2005-2070: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
ClamAV 0.86 was released today. This is the list of changes since version 0.85.1:

--- snip ---
* Fixes backported from CVS:
- libclamav/mspack/cabd.c: fix possible infinite loop (tk)
- libclamav/cvd.c: fix potential directory traversal in cvd unpacker (a low risk problem since all databases are digitally signed). Pointed out by Florian Weimer <fw*deneb.enyo.de> (tk)
- libclamav/zziplib/zzip-file.c: add method id for AES encrypted archives (thanks to David Majorel <dm*lagoon.nc>) (tk)
- clamscan/manager.c: better message on zip/rar unpacking error (tk)
- libclamav/mbox.c: Fix mishandling of fast track uuencoded files (njh)
- clamav-milter: Better error message if the white-list file can't be opened (njh)
- clamav-milter: When loading a new database when not in external mode, keep scanning with the old one rather than hold up incoming mails while waiting for clamav-milter to become idle then reloading the database (njh)
- libclamav/others.c: print warnings and errors in single call to write (thanks to Denis Vlasenko <vda*ilport.com.ua>) (tk)
- clamscan/others.c: enable REG_EXTENDED in match_regex (tk)
- libclamav/scanners.c: fix file descriptor leaks if cli_msexpand() returns an error in cli_scanszdd, patch by Mark Pizzolato (tk)
- libclamav/scanners.c: fix file descriptor leak in error path (out of mem) in cli_scangzip(), patch by Mark Pizzolato (tk)
- clamd/scanner.c: fix error path for a read timeout which logged messages indicating that both a timeout and a poll error occurred (patch by Mark Pizzolato <clamav-devel*subscriptions.pizzolato.net>) (tk)
- libclamav: Extract TNEF files even when the filename isn't known, problem reported by John Miller (contact*glideslopesoftware.co.uk) (njh)
--- snap ---

I think the fixed file descriptor leaks and infinite loop make it worth updating SLES and boxes, along with the fact that this version allows more kinds of archives to be scanned.

Wolfgang, mbuild is running, and packages for testing on scanhost will shortly be available under /work/built/mbuild/nitsch-max-3 .

Ralf, Gerald, Andreas, please approve and assign back to me.