Debian Security Advisory
DSA-1680-1 clamav -- buffer overflow, stack consumption
- Date Reported:
- 04 Dec 2008
- Affected Packages:
- clamav
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 505134, Bug 507624.
In Mitre's CVE dictionary: CVE-2008-5050, CVE-2008-5314. - More information:
-
Moritz Jodeit discovered that ClamAV, an anti-virus solution, suffers from an off-by-one-error in its VBA project file processing, leading to a heap-based buffer overflow and potentially arbitrary code execution (CVE-2008-5050).
Ilja van Sprundel discovered that ClamAV contains a denial of service condition in its JPEG file processing because it does not limit the recursion depth when processing JPEG thumbnails (CVE-2008-5314).
For the stable distribution (etch), these problems have been fixed in version 0.90.1dfsg-4etch16.
For the unstable distribution (sid), these problems have been fixed in version 0.94.dfsg.2-1.
The testing distribution (lenny) will be fixed soon.
We recommend that you upgrade your clamav packages.
- Fixed in:
-
Debian GNU/Linux 4.0 (etch)
- Source:
- http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg.orig.tar.gz
- http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16.dsc
- http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16.diff.gz
- http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16.dsc
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/c/clamav/clamav-base_0.90.1dfsg-4etch16_all.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-docs_0.90.1dfsg-4etch16_all.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-testfiles_0.90.1dfsg-4etch16_all.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-docs_0.90.1dfsg-4etch16_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_alpha.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_alpha.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_alpha.deb
- http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_alpha.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_alpha.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_alpha.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16_alpha.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16_amd64.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_amd64.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_amd64.deb
- http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_amd64.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_amd64.deb
- http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_amd64.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_amd64.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_amd64.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_hppa.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_hppa.deb
- http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_hppa.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_hppa.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_hppa.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16_hppa.deb
- http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_hppa.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_i386.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_i386.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_i386.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_i386.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16_i386.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_i386.deb
- http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_i386.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16_ia64.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_ia64.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_ia64.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_ia64.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_ia64.deb
- http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_ia64.deb
- http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_ia64.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_ia64.deb
- Big-endian MIPS:
- http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_mips.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_mips.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16_mips.deb
- http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_mips.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_mips.deb
- http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_mips.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_mips.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_mips.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_powerpc.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16_powerpc.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_powerpc.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_powerpc.deb
- http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_powerpc.deb
- http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_powerpc.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_powerpc.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_s390.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_s390.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_s390.deb
- http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_s390.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_s390.deb
- http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_s390.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16_s390.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1dfsg-4etch16_sparc.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_sparc.deb
- http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1dfsg-4etch16_sparc.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1dfsg-4etch16_sparc.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1dfsg-4etch16_sparc.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1dfsg-4etch16_sparc.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1dfsg-4etch16_sparc.deb
- http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1dfsg-4etch16_sparc.deb
MD5 checksums of the listed files are available in the original advisory.