oss-sec mailing list archives
Re: CVE id request: Clamav
From: Török Edwin <edwin () clamav net>
Date: Tue, 17 Jun 2008 22:52:31 +0300
Eren Türkay wrote:
> On 17 Jun 2008 Tue 10:38:13 Eren Türkay wrote:
>> * libclamav/mbox.c, shared/network.c: prevent uninitialized use of
>>   hostent structure (bb #1003).
>>
>> The bug entry says that after zip file's arriving at clamd, it suddenly dies and nothing can be retrieved thereafter. Clamav developer also confirms that this happens when MailFollowURLs is enabled.
>
> Hello,
>
> I talked to Edwin on #clamav channel. He says this is a rare case and he thinks that it's a vulnerability rather than a security flaw.

I said that it's a bug rather than a security flaw. However you can assign it a CVE id if you want to. We didn't treat it as security, because it occurs in a non-default config (MailFollowURLs), it is not externally controllable, and it occurs rarely (so far we got 2 reports of this bug).

> Edwin, could you please inform us about important vulnerabilities/security flaws fixed in 0.93.1?

I recommend to use 0.93.1, however if you want to backport parts of it, these are the most important (from the ChangeLog). The daily.cfg and dconf changes are important for turning off vulnerable modules, the rest is self-explanatory.

Wed Jun 4 14:18:27 CEST 2008 (tk)
----------------------------------
  * libclamav/petite.c: fix possible invalid memory access (bb#1000)
    Reported by Damian Put

Sat May 3 14:46:41 CEST 2008 (tk)
----------------------------------
  * libclamav/readdb.h: read daily.cfg stored inside .cld containers (bb#1006)

Thu Apr 24 17:44:38 MSD 2008 (tk)
---------------------------------
  * libclamav: scan for embedded PEs inside OLE2 files (bb#914)

Fri Apr 18 13:55:41 EEST 2008 (edwin)
-------------------------------------
  * libclamav/dconf.h: fix flag code assignment (bb #952)

Best regards,
--Edwin