GoogleOSV:DSA-1024-1clamav - heap overflow
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
Several remote vulnerabilities have been discovered in the ClamAV
anti-virus toolkit, which may lead to denial of service and potentially
to the execution of arbitrary code. The Common Vulnerabilities and
Exposures project identifies the following problems:
- CVE-2006-1614
Damian Put discovered an integer overflow in the PE header parser.
This is only exploitable if the ArchiveMaxFileSize option is disabled. - CVE-2006-1615
Format string vulnerabilities in the logging code have been discovered,
which might lead to the execution of arbitrary code. - CVE-2006-1630
David Luyer discovered, that ClamAV can be tricked into an invalid
memory access in the cli_bitset_set() function, which may lead to
a denial of service.
The old stable distribution (woody) doesn’t contain clamav packages.
For the stable distribution (sarge) these problems have been fixed in
version 0.84-2.sarge.8.
For the unstable distribution (sid) these problems have been fixed in
version 0.88.1-1.
We recommend that you upgrade your clamav package.
| CPE | Name | Operator | Version |
|---|---|---|---|
| clamav | eq | 0.84-2.sarge.7 | |
| clamav | eq | 0.84-2.sarge.6 | |
| clamav | eq | 0.84-2 | |
| clamav | eq | 0.84-2.sarge.2 | |
| clamav | eq | 0.84-2.sarge.4 | |
| clamav | eq | 0.84-2.sarge.5 | |
| clamav | eq | 0.84-2.sarge.3 | |
| clamav | eq | 0.84-2.sarge.1 |
References
Related
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C