[PLSA 2008-39] Clamav: Multiple Vulnerabilities

[Pınar Yanardağ <pinar () pardus org tr>]

------------------------------------------------------------------------
Pardus Linux Security Advisory 2008-39            security () pardus org tr
------------------------------------------------------------------------
       Date: 2008-09-06
   Severity: 3
       Type: Remote
------------------------------------------------------------------------

Summary
=======

There has been discovered multiple vulnerabilities in Clamav including a
DoS (Denial of Service) vulnerability and memory leaks.


Description
===========

The   first vulnerability   is   caused   due   to   an   error    in
libclamav/chmunpack.c when processing malformed CHM files. This can  be
exploited to cause an invalid memory access via a specially crafted CHM
file.


Others as follow:

* Out-of-memory null dereference (bb#1141) CVE-2008-3912

* Possible invalid memory access (bb#1089) CVE-2008-1389

* Error path memory leaks CVE-2008-3913

* Fd leaks (bb#1141) CVE-2008-3914


Affected packages:

   Pardus 2008:
     clamav, all before 0.93.3-28-2
   Pardus 2007:
     clamav, all before 0.93.3-30-29


Resolution
==========

There are update(s) for clamav. You can update them via Package Manager
or with a single command from console:

   Pardus 2008:
     pisi up clamav

   Pardus 2007:
     pisi up clamav


References
==========

   * http://bugs.pardus.org.tr/show_bug.cgi?id=8110
   * http://int21.de/cve/CVE-2008-1389-clamav-chd.html
   * http://secunia.com/advisories/31725

------------------------------------------------------------------------

-- 
Pınar Yanardağ
Pardus Security Team
http://security.pardus.org.tr


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/