Debian-Sicherheitsankündigung

DSA-1616-2 clamav -- Diensteverweigerung

Datum des Berichts:
26. Jul 2008
Betroffene Pakete:
clamav
Verwundbar:
Ja
Sicherheitsdatenbanken-Referenzen:
In der Debian-Fehlerdatenbank: Fehler 490925.
In Mitres CVE-Verzeichnis: CVE-2008-2713, CVE-2008-3215.
Weitere Informationen:

Damian Put hat eine Verwundbarkeit im ClamAV Anti-Virus-Toolkit während des Einlesens von Petite-gepackten ausführbaren Win32-Dateien entdeckt. Diese Schwachstelle führt zu einem ungültigen Speicherzugriff und könnte es einem Angreifer ermöglichen, ClamAV zum Absturz zu bringen, indem er eine bösartig vorbereitete Petite-gepackte Datei zum Scannen ausliefert. Bei einigen Konfigurationen, so zum Beispiel wenn ClamAV in Kombination mit einem E-Mail-Server eingesetzt wird, kann dies bei einem System zu einem fail open führen, was einen anschließenden Viren-Angriff erleichtert.

In einer vorausgegangenen Version dieser Ankündigung, wurde auf Pakete Bezug genommen, die nicht korrekt gebaut wurden und denen die gewünschte Korrektur fehlte. Dieses Problem wurde bei den Pakten korrigiert, auf die in Version -2 der Ankündigung Bezug genommen wird.

Das Common Vulnerabilities and Exposures-Projekt hat diese Schwachstellen als CVE-2008-2713 und CVE-2008-3215 identifiziert.

Für die Stable-Distribution (Etch) wurde dieses Problem in Version 0.90.1dfsg-3.1+etch14 behoben.

Für die Unstable-Distribution (Sid) wurde dieses Problem in Version 0.93.1.dfsg-1.1 behoben.

Wir empfehlen Ihnen, Ihre clamav-Pakete zu aktualisieren.

Behoben in:

Debian GNU/Linux 4.0 (etch)

Quellcode:
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg.orig.tar.gz
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-3.1+etch14.diff.gz
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-3.1+etch14.dsc
Architektur-unabhängige Dateien:
http://security.debian.org/pool/updates/main/c/clamav/clamav-docs_0.90.1dfsg-3.1+etch14_all.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-testfiles_0.90.1dfsg-3.1+etch14_all.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-base_0.90.1dfsg-3.1+etch14_all.deb
Alpha:
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-3.1+etch14_alpha.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-3.1+etch14_alpha.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-3.1+etch14_alpha.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-3.1+etch14_alpha.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-3.1+etch14_alpha.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-3.1+etch14_alpha.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-3.1+etch14_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-3.1+etch14_amd64.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-3.1+etch14_amd64.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-3.1+etch14_amd64.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-3.1+etch14_amd64.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-3.1+etch14_amd64.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-3.1+etch14_amd64.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-3.1+etch14_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-3.1+etch14_arm.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-3.1+etch14_arm.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-3.1+etch14_arm.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-3.1+etch14_arm.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-3.1+etch14_arm.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-3.1+etch14_arm.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-3.1+etch14_arm.deb
HP Precision:
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-3.1+etch14_hppa.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-3.1+etch14_hppa.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-3.1+etch14_hppa.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-3.1+etch14_hppa.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-3.1+etch14_hppa.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-3.1+etch14_hppa.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-3.1+etch14_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-3.1+etch14_i386.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-3.1+etch14_i386.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-3.1+etch14_i386.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-3.1+etch14_i386.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-3.1+etch14_i386.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-3.1+etch14_i386.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-3.1+etch14_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-3.1+etch14_ia64.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-3.1+etch14_ia64.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-3.1+etch14_ia64.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-3.1+etch14_ia64.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-3.1+etch14_ia64.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-3.1+etch14_ia64.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-3.1+etch14_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-3.1+etch14_mips.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-3.1+etch14_mips.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-3.1+etch14_mips.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-3.1+etch14_mips.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-3.1+etch14_mips.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-3.1+etch14_mips.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-3.1+etch14_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-3.1+etch14_mipsel.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-3.1+etch14_mipsel.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-3.1+etch14_mipsel.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-3.1+etch14_mipsel.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-3.1+etch14_mipsel.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-3.1+etch14_mipsel.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-3.1+etch14_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-3.1+etch14_powerpc.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-3.1+etch14_powerpc.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-3.1+etch14_powerpc.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-3.1+etch14_powerpc.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-3.1+etch14_powerpc.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-3.1+etch14_powerpc.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-3.1+etch14_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-3.1+etch14_s390.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-3.1+etch14_s390.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-3.1+etch14_s390.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-3.1+etch14_s390.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-3.1+etch14_s390.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-3.1+etch14_s390.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-3.1+etch14_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-3.1+etch14_sparc.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-3.1+etch14_sparc.deb
http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-3.1+etch14_sparc.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-3.1+etch14_sparc.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-3.1+etch14_sparc.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-3.1+etch14_sparc.deb
http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-3.1+etch14_sparc.deb

MD5-Prüfsummen der aufgeführten Dateien stehen in der ursprünglichen Sicherheitsankündigung zur Verfügung.