Credit:
The information has been provided by iDefense.
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=513
Vulnerable Systems:
* ClamAV versions 0.90rc3 through 0.90.1.
Immune Systems:
* ClamAV version 0.90.2
The vulnerability exists within the cab_unstore() function in libclamav, the library used by clamd to scan various file types. A 32-bit signed integer is taken from the packet and compared against the sizeof() of the destination buffer. However, the sizeof() return value is improperly cast to a signed integer. By supplying a negative value, an attacker can cause the comparison to succeed. This eventually leads to an exploitable stack-based buffer overflow.
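The following is an added illustration of the signed/unsigned comparison pattern the advisory describes, written for this page; it is not ClamAV's code, and the buffer size and probe values are constructed. It places the flawed check beside a corrected one and includes a small audit helper that reports whether a check accepts any length the subsequent copy could not safely honour.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed destination buffer for the demonstration; its size is not
 * taken from ClamAV, only the shape of the bounds check is. */
static unsigned char dest[4096];

/* Shape of the flawed check described in the advisory: a signed 32-bit
 * length from the archive is compared against sizeof(dest) cast to int.
 * Any negative len compares less than the cast size and is accepted. */
static int length_check_flawed(int32_t len)
{
    return len < (int)sizeof(dest);
}

/* Corrected check: reject negative lengths before any conversion, then
 * compare as size_t so the comparison happens in the unsigned domain. */
static int length_check_fixed(int32_t len)
{
    if (len < 0)
        return 0;
    return (size_t)len < sizeof(dest);
}

/* The copy routine that follows such a check takes a size_t; this is the
 * value an accepted len actually turns into (e.g. -1 becomes SIZE_MAX). */
static size_t bytes_the_copy_would_write(int32_t len)
{
    return (size_t)len;
}

/* Audit helper: probe a check with boundary lengths and report how many
 * accepted values convert to a size larger than the buffer.
 * Returns 0 when the check is sound. */
static int count_unsafe_accepts(int (*check)(int32_t))
{
    const int32_t probes[] = { INT32_MIN, -1, 0, 1, (int32_t)sizeof(dest) - 1,
                               (int32_t)sizeof(dest), INT32_MAX };
    int unsafe = 0;
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        if (check(probes[i]) && bytes_the_copy_would_write(probes[i]) > sizeof(dest))
            unsafe++;
    }
    return unsafe;
}
```

Run against both checks, the helper reports two unsafe accepts for the flawed version (INT32_MIN and -1) and none for the corrected one.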
Successful exploitation of this vulnerability results in code execution with the privileges of the process using libclamav.
In the case of the clamd program, this will result in executing code with the privileges of the clamav user. Unsuccessful exploitation results in the clamd process crashing.
This vulnerability only exists in the recent 0.9x versions of ClamAV. As such, the vulnerable code is not present in the versions distributed with Red Hat Enterprise or other open source distributions.
Vendor Status:
The ClamAV team has addressed this vulnerability within version 0.90.2.
CVE Information:
CVE-2007-1997
Disclosure Timeline:
* 04/05/2007 - Initial vendor notification
* 04/06/2007 - Initial vendor response
* 04/16/2007 - Coordinated public disclosure