CERT Vulnerability Note VU#363713

Clam AntiVirus contains a buffer overflow vulnerability

Published: September 27, 2005
Source: www.kb.cert.org

CVSS v2 base score: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.331 (Low), percentile 96.9%

Overview

A buffer overflow in Clam AntiVirus (ClamAV) may allow a remote attacker to execute arbitrary code.

Description

Clam AntiVirus (ClamAV) is a UNIX-based anti-virus toolkit, often deployed on mail servers to scan attachments for malicious content. A signedness error in the UPX unpacker (libclamav/upx.c) can lead to a buffer overflow. A remote attacker who can get a specially crafted UPX-packed executable scanned by a vulnerable ClamAV installation, for example by sending it as a mail attachment, may be able to trigger the overflow.
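As an added illustration, not ClamAV's own code, the following C program shows the class of signedness error the note describes: a length field read from the packed file into a signed int, a bounds check that only guards the upper side, and a copy whose size argument is size_t, so a negative length passes the check and becomes a huge copy. The hardened form beside it keeps the length unsigned and checks it against both the destination and the bytes actually present in the input. The toy 8-byte header layout (little-endian offset and length), the 256-byte destination size and all function names are constructed for this example; the real UPX format and libclamav's unpacker are more involved.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy layout (not the real UPX format): an 8-byte section
 * header holding a little-endian 32-bit offset and 32-bit length, followed
 * by the section bytes. Only the length handling matters here. */
#define HDR_LEN   8u
#define DST_SIZE  256u

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern (signedness error). The length is held in a signed
 * int, the bounds check only rejects values above DST_SIZE, and the value
 * is then handed to memcpy(), which takes size_t. A length of 0xFFFFFFFF
 * is -1 as int32_t: it passes the check and becomes SIZE_MAX. The copy is
 * deliberately not performed so the program can run safely; the function
 * reports the decision and the size that would have been used. */
static bool unpack_vulnerable_decision(const uint8_t *buf, size_t *would_copy)
{
    int32_t len = (int32_t)rd_le32(buf + 4);
    if (len > (int32_t)DST_SIZE)
        return false;                 /* a negative len slips through here */
    *would_copy = (size_t)len;        /* -1 -> SIZE_MAX: heap overflow */
    return true;
}

/* Hardened form: unsigned length, checked against the destination
 * capacity and against the bytes actually present in the input, written
 * so the arithmetic itself cannot overflow (no off + len). */
static bool unpack_hardened(const uint8_t *buf, size_t buflen,
                            uint8_t *dst, size_t dst_size, size_t *copied)
{
    if (buflen < HDR_LEN)
        return false;
    uint32_t off = rd_le32(buf);
    uint32_t len = rd_le32(buf + 4);
    if (len > dst_size)
        return false;
    if (off > buflen || len > buflen - off)
        return false;
    memcpy(dst, buf + off, len);
    *copied = len;
    return true;
}

/* Constructed malicious header: offset 8, length 0xFFFFFFFF (-1 signed). */
static const uint8_t evil[HDR_LEN] = { 8,0,0,0, 0xff,0xff,0xff,0xff };
/* Constructed benign input: offset 8, length 4, then 4 payload bytes. */
static const uint8_t benign[HDR_LEN + 4] = { 8,0,0,0, 4,0,0,0, 'U','P','X','!' };

/* True if the vulnerable check accepts the -1 length and would ask
 * memcpy() for SIZE_MAX bytes. */
bool demo_vulnerable_accepts_negative_len(void)
{
    size_t n = 0;
    return unpack_vulnerable_decision(evil, &n) && n == SIZE_MAX;
}

/* True if the hardened unpacker rejects the same header. */
bool demo_hardened_rejects_negative_len(void)
{
    uint8_t dst[DST_SIZE];
    size_t n = 0;
    return !unpack_hardened(evil, sizeof evil, dst, sizeof dst, &n);
}

/* Number of bytes the hardened unpacker copies for the benign input (4). */
size_t demo_hardened_copies_benign(void)
{
    uint8_t dst[DST_SIZE];
    size_t n = 0;
    return unpack_hardened(benign, sizeof benign, dst, sizeof dst, &n) ? n : 0;
}

int main(void)
{
    printf("vulnerable check accepts len=-1: %s\n",
           demo_vulnerable_accepts_negative_len() ? "yes" : "no");
    printf("hardened check rejects len=-1:   %s\n",
           demo_hardened_rejects_negative_len() ? "yes" : "no");
    printf("hardened copies benign bytes:    %zu\n",
           demo_hardened_copies_benign());
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. The second check in the hardened version is written as `off > buflen || len > buflen - off` rather than `off + len > buflen` on purpose: with attacker-controlled 32-bit fields the sum can wrap, and a wrapped sum would pass the comparison just as the negative length passes the signed one.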


Impact

A remote attacker may be able to execute arbitrary code with the privileges of the process that scans the file (clamd, clamscan, or any application linked against libclamav). In addition, a crafted file that crashes the scanner may prevent ClamAV from detecting malicious UPX-packed executables.


Solution

Upgrade

This issue was corrected in ClamAV 0.87. Upgrade to 0.87 or later, or install the fixed packages listed in the vendor information below.


Do not accept UPX-packed executables from untrusted sources

Exploitation occurs via a specially crafted UPX-packed executable. Scanning only UPX-packed executables from trusted or known sources reduces the chance of exploitation. In the common deployment, a mail gateway scanning every incoming attachment, the scanner does not get to choose what it receives, so this workaround offers little protection there and upgrading is the effective fix.


Vendor Information


Clam AntiVirus Affected

Updated: October 20, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Debian Linux Affected

Notified: September 27, 2005 Updated: November 03, 2005

Status

Affected

Vendor Statement

The old stable distribution (woody) does not contain ClamAV packages.

For the stable distribution (sarge) this problem has been fixed in version 0.84-2.sarge.4.

For the unstable distribution (sid) this problem has been fixed in version 0.87-1.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

FreeBSD, Inc. Affected

Notified: October 21, 2005 Updated: October 24, 2005

Status

Affected

Vendor Statement

Clam AntiVirus is available in the FreeBSD Ports Collection. Please see

<http://vuxml.freebsd.org/271498a9-2cd4-11da-a263-0001020eed82.html>

for details regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mandriva, Inc. Affected

Notified: September 27, 2005 Updated: September 28, 2005

Status

Affected

Vendor Statement

This was addressed in MDKSA-2005:166, which provided clamav 0.87 to all supported versions of Mandriva Linux.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

From MDKSA-2005:166:

```text
Mandriva Linux Security Update Advisory


Package name: clamav
Advisory ID: MDKSA-2005:166
Date: September 20th, 2005

Affected versions: 10.1, 10.2, Corporate 3.0


Problem Description:

A vulnerability was discovered in ClamAV versions prior to 0.87. A
buffer overflow could occur when processing malformed UPX-packed
executables. As well, it could be sent into an infinite loop when
processing specially-crafted FSG-packed executables.

ClamAV version 0.87 is provided with this update which isn't vulnerable
to these issues.


References:

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2919>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2920>


Updated Packages:

Mandrakelinux 10.1:
9f85320efe6a337ae46db08b53e0eaba 10.1/RPMS/clamav-0.87-0.1.101mdk.i586.rpm
083a4c5972e960c2a47e598c4626506b 10.1/RPMS/clamav-db-0.87-0.1.101mdk.i586.rpm
c3f10bb7176e61dcded0cee084fd2d24 10.1/RPMS/clamav-milter-0.87-0.1.101mdk.i586.rpm
990c343c993bf7bf44046e773faa9f84 10.1/RPMS/clamd-0.87-0.1.101mdk.i586.rpm
6c67cc650a9808ac1bd95fc7a1d4017a 10.1/RPMS/libclamav1-0.87-0.1.101mdk.i586.rpm
213a5145796b74cf65c983a482072455 10.1/RPMS/libclamav1-devel-0.87-0.1.101mdk.i586.rpm
2d75e236b21dbe8000a7c4b1be93217b 10.1/SRPMS/clamav-0.87-0.1.101mdk.src.rpm

Mandrakelinux 10.1/X86_64:
ef22edfa1aa4502f08000e050de5d36f x86_64/10.1/RPMS/clamav-0.87-0.1.101mdk.x86_64.rpm
e33da1b6f6bcd366801a5e80eeb7c723 x86_64/10.1/RPMS/clamav-db-0.87-0.1.101mdk.x86_64.rpm
04c621676e2832c400c0dda74a498d49 x86_64/10.1/RPMS/clamav-milter-0.87-0.1.101mdk.x86_64.rpm
da9cc77846812a4b34cb8250157d50b1 x86_64/10.1/RPMS/clamd-0.87-0.1.101mdk.x86_64.rpm
950f3adbe1fec12c9792f6c947b7cb76 x86_64/10.1/RPMS/lib64clamav1-0.87-0.1.101mdk.x86_64.rpm
6e53ad5c6d61a9ee3356d919b6589026 x86_64/10.1/RPMS/lib64clamav1-devel-0.87-0.1.101mdk.x86_64.rpm
2d75e236b21dbe8000a7c4b1be93217b x86_64/10.1/SRPMS/clamav-0.87-0.1.101mdk.src.rpm

Mandrakelinux 10.2:
bc2e4234b78790c9b0c5a5efcb15ba98 10.2/RPMS/clamav-0.87-0.1.102mdk.i586.rpm
0a99f74d25235e793a6fe05a56d79f7a 10.2/RPMS/clamav-db-0.87-0.1.102mdk.i586.rpm
b7d275ba651524cc4e3ce5cfacb842e3 10.2/RPMS/clamav-milter-0.87-0.1.102mdk.i586.rpm
c6862f992a927151d1c4c511cb874e0a 10.2/RPMS/clamd-0.87-0.1.102mdk.i586.rpm
303aeaa4d2a5de29f3cc5b0cdc539ab3 10.2/RPMS/libclamav1-0.87-0.1.102mdk.i586.rpm
bcef24beead553b0b7af6a0454365384 10.2/RPMS/libclamav1-devel-0.87-0.1.102mdk.i586.rpm
96e1ce9dffda8199bf1b583bc2d51e60 10.2/SRPMS/clamav-0.87-0.1.102mdk.src.rpm

Mandrakelinux 10.2/X86_64:
fc09b5328e536f426f6edaac04453ca2 x86_64/10.2/RPMS/clamav-0.87-0.1.102mdk.x86_64.rpm
f27bc62247ff84975019f8ed3d6ea5b1 x86_64/10.2/RPMS/clamav-db-0.87-0.1.102mdk.x86_64.rpm
c9fb726280f84da9dd32e30542c29fcd x86_64/10.2/RPMS/clamav-milter-0.87-0.1.102mdk.x86_64.rpm
193644891c29c2973931c01a56e68d60 x86_64/10.2/RPMS/clamd-0.87-0.1.102mdk.x86_64.rpm
9568649a618f654600d78b71027174c9 x86_64/10.2/RPMS/lib64clamav1-0.87-0.1.102mdk.x86_64.rpm
6b54a7ac2e8d743e067bfdaa7638d90f x86_64/10.2/RPMS/lib64clamav1-devel-0.87-0.1.102mdk.x86_64.rpm
96e1ce9dffda8199bf1b583bc2d51e60 x86_64/10.2/SRPMS/clamav-0.87-0.1.102mdk.src.rpm

Corporate 3.0:
f86de5b6055236c9cd1ff173bc6c1d98 corporate/3.0/RPMS/clamav-0.87-0.1.C30mdk.i586.rpm
07071df1c078079e4b7d55f5fa13c7c8 corporate/3.0/RPMS/clamav-db-0.87-0.1.C30mdk.i586.rpm
c96f4eb3cfd2ffb9060961e39c109204 corporate/3.0/RPMS/clamav-milter-0.87-0.1.C30mdk.i586.rpm
2445d80ee9c39b337da36554315b9ac1 corporate/3.0/RPMS/clamd-0.87-0.1.C30mdk.i586.rpm
196a1254be8dce937e17d4b731c5ec19 corporate/3.0/RPMS/libclamav1-0.87-0.1.C30mdk.i586.rpm
a40bfe3465fcdceec2c8d9bfd52ba2b0 corporate/3.0/RPMS/libclamav1-devel-0.87-0.1.C30mdk.i586.rpm
3ff54d614c61c446d645f8a5c8458abb corporate/3.0/SRPMS/clamav-0.87-0.1.C30mdk.src.rpm

Corporate 3.0/X86_64:
9d8b35a818da8a63bbbb6e435b9aeca7 x86_64/corporate/3.0/RPMS/clamav-0.87-0.1.C30mdk.x86_64.rpm
b5e2a4dcbce2882b73c8a561574a4d24 x86_64/corporate/3.0/RPMS/clamav-db-0.87-0.1.C30mdk.x86_64.rpm
cd2da84bd6fe14cfc7822acdbbfb51da x86_64/corporate/3.0/RPMS/clamav-milter-0.87-0.1.C30mdk.x86_64.rpm
cf5b819b5c911ece25afa929124bbbcf x86_64/corporate/3.0/RPMS/clamd-0.87-0.1.C30mdk.x86_64.rpm
7ba558d19e757c2a624e495055e0c218 x86_64/corporate/3.0/RPMS/lib64clamav1-0.87-0.1.C30mdk.x86_64.rpm
ba046627c72dbe187eca48e5e1ae188c x86_64/corporate/3.0/RPMS/lib64clamav1-devel-0.87-0.1.C30mdk.x86_64.rpm
3ff54d614c61c446d645f8a5c8458abb x86_64/corporate/3.0/SRPMS/clamav-0.87-0.1.C30mdk.src.rpm


To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

<http://www.mandriva.com/security/advisories>

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDMMjFmqjQ0CJFipgRAi4mAKDi+IhpoZJipa7FHsDsjLS7AmbR+QCgivM1
H8i2PXchCVYAqWKnsG4ADSY=
=8Yn2
-----END PGP SIGNATURE-----
```


Ubuntu Affected

Notified: September 27, 2005 Updated: September 28, 2005

Status

Affected

Vendor Statement

Ubuntu does not officially support the clamav package; it is in the “universe” section of the archive. The upcoming stable release Ubuntu 5.10 has ClamAV version 0.87 and thus is not affected. The current stable releases (Ubuntu 4.10 and Ubuntu 5.04) are currently vulnerable; they might be fixed by the community soon.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F5 Networks, Inc. Not Affected

Notified: October 21, 2005 Updated: October 24, 2005

Status

Not Affected

Vendor Statement

BIG-IP is not vulnerable to this issue.

TrafficShield is not vulnerable to this issue.
WANJet and WebAccelerator are not vulnerable to this issue.
FirePass IS vulnerable. A hotfix is being prepared.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hitachi Not Affected

Notified: October 21, 2005 Updated: October 24, 2005

Status

Not Affected

Vendor Statement

Hitachi products do not bundle Clam Antivirus and hence are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation Not Affected

Notified: October 21, 2005 Updated: October 21, 2005

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux Not Affected

Notified: September 27, 2005 Updated: September 27, 2005

Status

Not Affected

Vendor Statement

Openwall GNU/*/Linux is not vulnerable. We do not package ClamAV.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Red Hat, Inc. Not Affected

Notified: September 27, 2005 Updated: September 29, 2005

Status

Not Affected

Vendor Statement

No Red Hat products contain ClamAV

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Slackware Linux Inc. Not Affected

Notified: September 27, 2005 Updated: October 24, 2005

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc. Not Affected

Notified: September 27, 2005 Updated: September 27, 2005

Status

Not Affected

Vendor Statement

Sun’s JDS (Java Desktop System) for Linux Platform and Solaris Operating Environment do not bundle Clam Antivirus and hence are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Computer, Inc. Unknown

Notified: September 27, 2005 Updated: September 27, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc. Unknown

Notified: October 21, 2005 Updated: October 21, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cray Inc. Unknown

Notified: October 21, 2005 Updated: October 21, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

EMC, Inc. (formerly Data General Corporation) Unknown

Notified: October 21, 2005 Updated: October 21, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified: September 27, 2005 Updated: September 27, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fedora Project Unknown

Notified: September 27, 2005 Updated: September 27, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fujitsu Unknown

Notified: October 21, 2005 Updated: October 21, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gentoo Linux Unknown

Notified: September 27, 2005 Updated: September 27, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified: September 27, 2005 Updated: September 27, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation Unknown

Notified: September 27, 2005 Updated: September 27, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified: September 27, 2005 Updated: September 27, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer Unknown

Notified: September 27, 2005 Updated: September 27, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Immunix Communications, Inc. Unknown

Notified: September 27, 2005 Updated: September 27, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc. Unknown

Notified: September 27, 2005 Updated: September 27, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Juniper Networks, Inc. Unknown

Notified: October 21, 2005 Updated: October 21, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified: September 27, 2005 Updated: September 27, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NEC Corporation Unknown

Notified: October 21, 2005 Updated: October 21, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NetBSD Unknown

Notified: October 21, 2005 Updated: October 21, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc. Unknown

Notified: September 27, 2005 Updated: September 27, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenBSD Unknown

Notified: October 21, 2005 Updated: October 21, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QNX, Software Systems, Inc. Unknown

Notified: October 21, 2005 Updated: October 21, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux Unknown

Notified: September 27, 2005 Updated: September 27, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sequent Computer Systems, Inc. Unknown

Notified: September 27, 2005 Updated: September 27, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified: October 21, 2005 Updated: October 21, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sony Corporation Unknown

Notified: October 21, 2005 Updated: October 21, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group Unknown

Notified: October 21, 2005 Updated: October 21, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group (SCO Linux) Unknown

Notified: September 27, 2005 Updated: September 27, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Trustix Secure Linux Unknown

Notified: September 27, 2005 Updated: September 27, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux Unknown

Notified: September 27, 2005 Updated: September 27, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Unisys Unknown

Notified: October 21, 2005 Updated: October 21, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified: October 21, 2005 Updated: October 21, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.



Acknowledgements

This vulnerability was reported by Thierry Carrez.

This document was written by Jeff Gennari.

Other Information

CVE IDs: CVE-2005-2920
Severity Metric: 6.75
