lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <48C1D8F7.1080401@pardus.org.tr>
Date: Sat, 06 Sep 2008 04:12:23 +0300
From: Pınar Yanardağ <pinar@...dus.org.tr>
To: stable@...dus.org.tr
Cc: full-disclosure@...ts.grok.org.uk
Subject: [PLSA 2008-39] Clamav: Multiple Vulnerabilities

------------------------------------------------------------------------
Pardus Linux Security Advisory 2008-39            security@...dus.org.tr
------------------------------------------------------------------------
       Date: 2008-09-06
   Severity: 3
       Type: Remote
------------------------------------------------------------------------

Summary
=======

There has been discovered multiple vulnerabilities in Clamav including a
DoS (Denial of Service) vulnerability and memory leaks.


Description
===========

The   first vulnerability   is   caused   due   to   an   error    in
libclamav/chmunpack.c when processing malformed CHM files. This can  be
exploited to cause an invalid memory access via a specially crafted CHM
file.


Others as follow:

* Out-of-memory null dereference (bb#1141) CVE-2008-3912

* Possible invalid memory access (bb#1089) CVE-2008-1389

* Error path memory leaks CVE-2008-3913

* Fd leaks (bb#1141) CVE-2008-3914


Affected packages:

   Pardus 2008:
     clamav, all before 0.93.3-28-2
   Pardus 2007:
     clamav, all before 0.93.3-30-29


Resolution
==========

There are update(s) for clamav. You can update them via Package Manager
or with a single command from console:

   Pardus 2008:
     pisi up clamav

   Pardus 2007:
     pisi up clamav


References
==========

   * http://bugs.pardus.org.tr/show_bug.cgi?id=8110
   * http://int21.de/cve/CVE-2008-1389-clamav-chd.html
   * http://secunia.com/advisories/31725

------------------------------------------------------------------------

-- 
Pınar Yanardağ
Pardus Security Team
http://security.pardus.org.tr


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ