List Info

Thread: VuXML entry for CVE-2008-0318 (libclamav)
VuXML entry for CVE-2008-0318 (libclamav)
country flaguser name
Russian Federation		 2008-02-13 09:38:46 
Good day.

Attached is the draft of the VuXML entry for the new ClamAV
vulnerability.

>From what I had seen and from the comments of the
iDefence
and ClamAV changelog, it seems that the vulnerable Petite
PE
module is really disabled in daily.cfg.  The file has
entries
'PE:0xbfff:13:23' and 'PE:0xdeff:24:25', while
libclamav/dconf.h
has the following:
-----
#define PE_CONF_PETITE            0x100
-----
So, Petite compressor is disabled for f-levels 24 (0.92_sf)
and 25 (0.92).  23 is 0.92rc2 and Petite is enabled for it
and
lower versions down to 13 (0.90).  F-versions were extracted
from
libclamav/others.c, macro variable CL_FLEVEL.

So I had marked only clamav >= 0.92 and < 0.92.1 as
vulnerable.
-- 
Eygene

_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-secu
rity
To unsubscribe, send any mail to
"freebsd-security-unsubscribefreebsd.org"
Re: VuXML entry for CVE-2008-0318 (libclamav)
country flaguser name
Russian Federation		 2008-02-14 09:10:37 
Good day.

Wed, Feb 13, 2008 at 06:38:46PM +0300, Eygene Ryabinkin
wrote:
> Attached is the draft of the VuXML entry for the new
ClamAV
> vulnerability.

As pointed to me by Remko Lodder, the attachment was
stripped.
Resending it inline.

Remko, thanks again for pointing me to this pity fact!

-----
  <vuln vid="unknown">
    <topic>clamav -- ClamAV libclamav PE File Integer
Overflow Vulnerability</topic>
    <affects>
      <package>
	<name>clamav</name>
	<range><ge>0.92</ge><lt>0.92.1</
lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.
org/1999/xhtml">
	<p>iDefense Security Advisory 02.12.08:</p>
	<blockquote cite="http://labs.idefense.com/intel
ligence/vulnerabilities/display.php?id=658">
	  <p>Remote exploitation of an integer overflow
vulnerability
	  in Clam AntiVirus' ClamAV, as included in various
vendors'
	  operating system distributions, allows attackers to
execute
	  arbitrary code with the privileges of the affected
process.</p>
	  <p>The vulnerability exists within the code
responsible
	  for parsing and scanning PE files. While iterating
through
	  all sections contained in the PE file, several attacker
	  controlled values are extracted from the file. On each
iteration,
	  arithmetic operations are performed without taking into
	  consideration 32-bit integer wrap.</p>
	  <p>Since insufficient integer overflow checks are
present,
	  an attacker can cause a heap overflow by causing a
specially
	  crafted Petite packed PE binary to be scanned. This
results
	  in an exploitable memory corruption condition.</p>
	  <p>Exploitation of this vulnerability results in
the
	  execution of arbitrary code with the privileges of the
process
	  using libclamav. In the case of the clamd program, this
will
	  result in code execution with the privileges of the
clamav user.
	  Unsuccessful exploitation results in the clamd process
crashing.</p>
	</blockquote>
	<h1>Workaround</h1>
	<p>Disabling the scanning of PE files will prevent
exploitation.</p>
	<p>If using clamscan, this can be done by running
clamscan with the
	'--no-pe' option.</p>
	<p>If using clamdscan, set the 'ScanPE' option in the
clamd.conf
	file to 'no'.</p>
	<h1>Vendor response</h1>
	<p>The ClamAV team has addressed this vulnerability
within
	version 0.92.1.  Additionally, the ClamAV team reports,
	"the vulnerable module was remotely disabled via
virus-db
	update on Jan 11th 2008."</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-0318</cvename>
      <url>http://labs.idefense.com/int
elligence/vulnerabilities/display.php?id=658</url>

      <url>http://svn.clamav.net/svn/clamav-devel/trunk/C
hangeLog</url>
    </references>
    <dates>
      <discovery>2008-01-07</discovery>
    </dates>
  </vuln>
-----
-- 
Eygene
_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-secu
rity
To unsubscribe, send any mail to
"freebsd-security-unsubscribefreebsd.org"
Re: VuXML entry for CVE-2008-0318 (libclamav)
country flaguser name
Netherlands		 2008-02-15 04:24:26 
On Thu, February 14, 2008 4:10 pm, Eygene Ryabinkin wrote:
> Good day.
>
> Wed, Feb 13, 2008 at 06:38:46PM +0300, Eygene Ryabinkin
wrote:
>> Attached is the draft of the VuXML entry for the
new ClamAV
>> vulnerability.
>
> As pointed to me by Remko Lodder, the attachment was
stripped.
> Resending it inline.
>
> Remko, thanks again for pointing me to this pity fact!
>

Hey,

I had processed it to VuXML just minutes ago, thanks for
your submission!
(no worries about the stripped attachement!) it's greatly
appreciated!

Cheers
remko

-- 
/"   Best regards,                      | remkoFreeBSD.org
 /   Remko Lodder                       | remkoEFnet
 X    http://www.evilcoder.org/          |
/    ASCII Ribbon Campaign              | Against HTML Mail
and News


_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-secu
rity
To unsubscribe, send any mail to
"freebsd-security-unsubscribefreebsd.org"
Re: VuXML entry for CVE-2008-0318 (libclamav)
country flaguser name
Russian Federation		 2008-02-15 09:40:29 
Remko, good day.

Fri, Feb 15, 2008 at 11:24:26AM +0100, Remko Lodder wrote:
> I had processed it to VuXML just minutes ago, thanks
for your submission!
> (no worries about the stripped attachement!) it's
greatly appreciated!

Thank you very much!
-- 
Eygene
_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-secu
rity
To unsubscribe, send any mail to
"freebsd-security-unsubscribefreebsd.org"
[1-4]

about | contact  Other archives ( Real Estate discussion Medical topics )