oss-sec mailing list archives
Re: CVE id request: Clamav
From: Tomas Hoger <thoger () redhat com>
Date: Tue, 15 Jul 2008 09:21:40 +0200
On Tue, 8 Jul 2008 15:42:33 +0200 Tomas Hoger <thoger () redhat com> wrote:
The upstream changelog says:
  * libclamav/petite.c: fix possible invalid memory access (bb#1000)
  Reported by Damian Put

For the sake of CVE description completeness, I'm adding that it's from the clamav 0.93.1 changelog.
[ ... ]
Btw, following is mentioned in the 0.93.2 changelog:

Thu Jul 3 16:15:23 CEST 2008
-----------------------------
  * libclamav/petite.c: fix another out of bounds memory read (bb#1000)
  Reported by Secunia (CVE-2008-2713)

Referring to the same bug as before, which is now restricted (was it publicly accessible before?).

Upstream bug report is no longer restricted and mentions original fix was incomplete:
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1000#c4

Steven, this seems to deserve a CVE id as an incomplete fix for CVE-2008-2713.

[ ... ]
The fix does not even seem to be committed in the public clamav SVN (either trunk or 0.93 branch).
Change now committed as:
http://svn.clamav.net/websvn/diff.php?repname=clamav-devel&path=/branches/0.93/libclamav/petite.c&rev=3920

--
Tomas Hoger / Red Hat Security Response Team