Aviso de seguridad de Debian

DSA-887-1 clamav -- varias vulnerabilidades

Fecha del informe:

7 de nov de 2005

Paquetes afectados:

clamav

Vulnerable:

Sí

Referencias a bases de datos de seguridad:

En el diccionario CVE de Mitre: CVE-2005-3239, CVE-2005-3303, CVE-2005-3500, CVE-2005-3501.

Información adicional:

Se han descubierto varias vulnerabilidades en Clam AntiVirus, el analizador antivirus para Unix, diseñado para integrarse con los servidores de correo y para realizar el análisis de los adjuntos de correo. El proyecto Common Vulnerabilities and Exposures identifica los siguientes problemas:

CVE-2005-3239
El desempaquetador OLE2 permitía que los atacantes provocasen un fallo de segmentación mediante un archivo DOC con un árbol de propiedades no válido, que produciría una recursión infinita.
CVE-2005-3303
Un ejecutable modificado y compilado con FSG 1.33 podía provocar que el extractor escribiese más allá de los límites del buffer, permitiendo que un atacante ejecutase código arbitrario.
CVE-2005-3500
Un archivo CAB modificado podía provocar que ClamAV se bloquease en un bucle infinito y que usara todos los recursos del procesador, provocando una denegación de servicio.
CVE-2005-3501
Un archivo CAB modificado podía provocar que ClamAV se bloquease en un bucle infinito y que usara todos los recursos del procesador, provocando una denegación de servicio.

La distribución estable anterior (woody) no contiene los paquetes de clamav.

Para la distribución estable (sarge), estos problemas se han corregido en la versión 0.84-2.sarge.6.

Para la distribución inestable (sid), estos problemas se han corregido en la versión 0.87.1-1.

Le recomendamos que actualice los paquetes de clamav.

Arreglado en:

Debian GNU/Linux 3.1 (sarge)

Fuentes:: http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6.dsc; http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6.diff.gz; http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84.orig.tar.gz
Componentes independientes de la arquitectura:: http://security.debian.org/pool/updates/main/c/clamav/clamav-base_0.84-2.sarge.6_all.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-docs_0.84-2.sarge.6_all.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-testfiles_0.84-2.sarge.6_all.deb
Alpha:: http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_alpha.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_alpha.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_alpha.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_alpha.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_alpha.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_amd64.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_amd64.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_amd64.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_amd64.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_amd64.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_arm.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_arm.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_arm.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_arm.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_arm.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_i386.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_i386.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_i386.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_i386.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_i386.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_ia64.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_ia64.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_ia64.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_ia64.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_ia64.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_hppa.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_hppa.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_hppa.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_hppa.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_hppa.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_m68k.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_m68k.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_m68k.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_m68k.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_m68k.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_mips.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_mips.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_mips.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_mips.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_mips.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_mipsel.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_mipsel.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_mipsel.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_mipsel.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_mipsel.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_powerpc.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_powerpc.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_powerpc.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_powerpc.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_powerpc.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_s390.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_s390.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_s390.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_s390.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_s390.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/c/clamav/clamav_0.84-2.sarge.6_sparc.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.84-2.sarge.6_sparc.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.84-2.sarge.6_sparc.deb; http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.84-2.sarge.6_sparc.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.84-2.sarge.6_sparc.deb; http://security.debian.org/pool/updates/main/c/clamav/libclamav1_0.84-2.sarge.6_sparc.deb

Las sumas MD5 de los ficheros que se listan están disponibles en el aviso original.