Debian Security Advisory

DSA-887-1 clamav -- several vulnerabilities

Date Reported:
7 Nov 2005
Affected Packages:
clamav
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2005-3239, CVE-2005-3303, CVE-2005-3500, CVE-2005-3501.
More information:

Several vulnerabilities have been discovered in Clam AntiVirus, the antivirus scanner for Unix, designed for integration with mail servers to perform attachment scanning. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2005-3239

    The OLE2 unpacker allows remote attackers to cause a segmentation fault via a DOC file with an invalid property tree, which triggers infinite recursion.

  • CVE-2005-3303

    A specially crafted executable compressed with FSG 1.33 could cause the extractor to write beyond buffer boundaries, allowing an attacker to execute arbitrary code.

  • CVE-2005-3500

    A specially crafted CAB file could cause ClamAV to enter an infinite loop and use all available processor resources, resulting in a denial of service.

  • CVE-2005-3501

    A specially crafted CAB file could cause ClamAV to enter an infinite loop and use all available processor resources, resulting in a denial of service.
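
The first item above describes a tree walk that follows attacker-controlled links without checking them. The following Python example is added here to show that pattern and its fix; it is not ClamAV's code and is not part of the original advisory. It constructs minimal OLE2 (compound file) directory tables inline, using the standard 128-byte entry layout with the left-sibling, right-sibling and child indices at offsets 0x44, 0x48 and 0x4C, and walks them twice: an unguarded walk that, on an entry linking to itself or to a non-existent entry, runs until the interpreter's recursion limit or reads out of bounds (in C, stack exhaustion and a segmentation fault), and a guarded walk that range-checks every index, refuses to visit an entry twice and caps the depth. The sample tables are constructed for the example and are not real malware; MAX_DEPTH is an assumed limit, not a value taken from the advisory.

```python
import struct

ENTRY_SIZE = 128          # CFB directory entries are fixed 128-byte records
NOSTREAM = 0xFFFFFFFF     # "no sibling / no child" marker in the link fields
MAX_DEPTH = 128           # assumed cap on tree depth; not a value from the advisory

def make_entry(name, obj_type, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM):
    """Build one directory entry (type 1=storage, 2=stream, 5=root) with tree links."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(ENTRY_SIZE)
    e[0:len(raw)] = raw
    struct.pack_into("<H", e, 0x40, len(raw))        # name length incl. terminator
    e[0x42] = obj_type
    struct.pack_into("<III", e, 0x44, left, right, child)
    return bytes(e)

def parse_directory(blob):
    """Return [(name, type, left, right, child), ...] for a raw directory table."""
    if len(blob) % ENTRY_SIZE:
        raise ValueError("directory is not a whole number of 128-byte entries")
    entries = []
    for off in range(0, len(blob), ENTRY_SIZE):
        name_len = min(struct.unpack_from("<H", blob, off + 0x40)[0], 64)
        name = blob[off:off + name_len].decode("utf-16-le", "replace").rstrip("\x00")
        left, right, child = struct.unpack_from("<III", blob, off + 0x44)
        entries.append((name, blob[off + 0x42], left, right, child))
    return entries

def walk_unguarded(entries, idx):
    """The CVE-2005-3239 pattern: recursion steered by attacker-controlled indices
    with no bounds, cycle or depth check. A self-referencing link never terminates."""
    if idx == NOSTREAM:
        return []
    name, _, left, right, child = entries[idx]
    return (walk_unguarded(entries, left) + [name]
            + walk_unguarded(entries, right) + walk_unguarded(entries, child))

def walk_guarded(entries, idx=0, visited=None, depth=0):
    """Same traversal, but every index is range-checked, each entry may be reached
    only once (a valid tree has exactly one incoming link per entry), and depth is capped."""
    visited = set() if visited is None else visited
    if idx == NOSTREAM:
        return []
    if idx >= len(entries):
        raise ValueError(f"entry index {idx} out of range")
    if idx in visited:
        raise ValueError(f"cycle: entry {idx} is linked more than once")
    if depth > MAX_DEPTH:
        raise ValueError("property tree deeper than MAX_DEPTH")
    visited.add(idx)
    name, _, left, right, child = entries[idx]
    out = walk_guarded(entries, left, visited, depth + 1)
    out.append(name)
    out += walk_guarded(entries, right, visited, depth + 1)
    out += walk_guarded(entries, child, visited, depth + 1)
    return out

# Constructed sample tables (not real malware): a well-formed Word-like layout, one whose
# entry 1 names itself as its own left sibling, one whose root points at a non-existent
# entry, and a 200-entry sibling chain that exceeds the depth cap.
BENIGN = b"".join([
    make_entry("Root Entry", 5, child=1),
    make_entry("WordDocument", 2, left=2, right=3),
    make_entry("1Table", 2),
    make_entry("CompObj", 2),
])
SELF_LOOP = b"".join([
    make_entry("Root Entry", 5, child=1),
    make_entry("WordDocument", 2, left=1),
])
DANGLING = make_entry("Root Entry", 5, child=7)
DEEP_CHAIN = b"".join(make_entry(f"s{i}", 2, right=i + 1) for i in range(199)) \
    + make_entry("s199", 2)

def scan_unguarded(blob):
    """Names in tree order, or 'crash' when the walk exhausts the stack or reads out of
    bounds (the Python analogue of the segmentation fault in the advisory)."""
    try:
        return walk_unguarded(parse_directory(blob), 0)
    except (RecursionError, IndexError):
        return "crash"

def scan_guarded(blob):
    """Names in tree order, or a 'rejected: ...' string for a malformed tree."""
    try:
        return walk_guarded(parse_directory(blob))
    except ValueError as err:
        return f"rejected: {err}"
```

In a well-formed compound file each directory entry has exactly one incoming link, so a second visit to any index is by itself proof of a malformed tree; the depth cap is a second, cheaper line of defence against very long sibling chains, which a balanced sibling tree never produces.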

The old stable distribution (woody) does not contain clamav packages.

For the stable distribution (sarge) these problems have been fixed in version 0.84-2.sarge.6.

For the unstable distribution (sid) these problems have been fixed in version 0.87.1-1.

We recommend that you upgrade your clamav packages.

Fixed in:

Debian GNU/Linux 3.1 (sarge)

Source:
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6.dsc
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6.diff.gz
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/c/clamav/clamav-base_0.84-2.sarge.6_all.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-docs_0.84-2.sarge.6_all.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-testfiles_0.84-2.sarge.6_all.deb
Alpha:
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_alpha.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_alpha.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_alpha.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_alpha.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_alpha.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_amd64.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_amd64.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_amd64.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_amd64.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_amd64.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_arm.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_arm.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_arm.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_arm.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_arm.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_i386.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_i386.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_i386.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_i386.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_i386.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_ia64.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_ia64.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_ia64.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_ia64.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_ia64.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_hppa.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_hppa.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_hppa.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_hppa.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_hppa.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_m68k.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_m68k.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_m68k.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_m68k.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_m68k.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_mips.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_mips.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_mips.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_mips.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_mips.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_mipsel.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_mipsel.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_mipsel.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_mipsel.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_mipsel.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_powerpc.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_powerpc.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_powerpc.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_powerpc.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_powerpc.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_s390.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_s390.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_s390.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_s390.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_s390.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_sparc.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_sparc.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_sparc.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_sparc.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_sparc.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_sparc.deb

MD5 checksums of the listed files are available in the original advisory.