Re: CVE request: ClamAV vulnerabilities

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/29/2013 02:20 AM, Sergey Popov wrote:
> It's a bit late, but i would like to request CVE for two 
> vulnerabilities, that present in ClamAV before 0.97.7[1]:
>
> 1) A double-free error exists within the
> "unrar_extract_next_prepare()" function
> (libclamunrar_iface/unrar_iface.c) when parsing a RAR file.
>
> 2) An unspecified error within the "wwunpack()" function 
> (libclamav/wwunpack.c) when unpacking a WWPack file can be
> exploited to corrupt heap memory.
>
> [1] - https://secunia.com/advisories/52647/

The blog entry

http://blog.clamav.net/2013/03/clamav-0977-has-been-released.html

contains no mention of security flaws,

Also the ChangeLog:

https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog

Doesn't contain any mention of the above flaws. Can you provide links
to source code/bug reports or something so I can verify this? Thanks.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSmNWsAAoJEBYNRVNeJnmThXsP/jeOtL/zWdpxvSX6JEDw0OPj
jhOr77n6thgze2U/wAnzqJNYrVu9zgbXo7PeIursWztKWOky90TZsVaYjsiCgQ0N
iDo6WfG4h2Ee0b0L6MLTyADx9LCvYwdLcnjVOgzgAaQDirSTU0nc7oUdkMixTOXR
xn6HEnGBxhw7o9xZbGWJL9fLxGrqnSvMowpTiH+qG1oiC7ShUvdI/k+5Fr2adX1E
47gz+dZazGdj39u2aryXA3uRA1PFMFm5zVJcPz6Vuv0tZlZVWh1dA2OMeOSZdok4
q8pd6WYiXDJdIWq9hpGwyR70GrJg0gsE8Dhw6KVtGu2V61BdX0dLxqnT5zhxxmFY
DdyeFLkPTsEDUUj7wj7mciEgwXgUT2aiHrhXD6m9t+FvmU6MFD18HH0y7uD3vACU
OBvOExWqcV/8rWmA3+VTAvgLXFCmVfNca6NP/d5oAnmeJRTGvBnyIGQwB95ozSbs
fo0OvTm45CPzJVyiEX/7P1S73qLgnWV4Y0FLNg4mj5Qs2GkMs+LVGFxGOKr5XKed
MdIk7Fa+xNMwI/qzJEYdA0xK1WPeDrwt5fpxJFoMjKqwF6jImmgUuQMZ5bvC0sqY
bVTUzww4iPBvdY75yGH9F4BHacw+kw7MI9WUo9SJ32n047NB+UViRpAtvhshV6na
bRvHsNYzqwUdW8msUh+0
=MZ61
-----END PGP SIGNATURE-----