From owner-freebsd-security@FreeBSD.ORG  Tue Apr 17 06:55:45 2007
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 1D43416A401
	for <freebsd-security@freebsd.org>;
	Tue, 17 Apr 2007 06:55:45 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
Received: from pobox.codelabs.ru (pobox.codelabs.ru [144.206.177.45])
	by mx1.freebsd.org (Postfix) with ESMTP id C6D9913C480
	for <freebsd-security@freebsd.org>;
	Tue, 17 Apr 2007 06:55:44 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru;
	h=Received:Date:From:To:Message-ID:MIME-Version:Content-Type:Content-Disposition:Sender:X-Spam-Status:Subject;
	b=DygAVSqKaEzYJcy15QFY0BD1GHErZNkILkG9PQ7tZwgBc5+IbQ/UjDODmR32ZXPfAzh1B9a99fo1Txe1A6euU+H0AX5GrdcTy1UHTVZP/eNRz0yGsmMV2B26pQIeqqHdN3f+f+lnQ3gdwrf1EMqRZzSRF8oUhtfvB8spb3oiiKk=;
Received: from codelabs.ru (pobox.codelabs.ru [144.206.177.45])
	by pobox.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256)
	id 1HdhbG-000DrC-DA for freebsd-security@freebsd.org;
	Tue, 17 Apr 2007 10:55:38 +0400
Date: Tue, 17 Apr 2007 10:55:33 +0400
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: freebsd-security@freebsd.org
Message-ID: <20070417065533.GL26348@codelabs.ru>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="oYAXToTM8kn9Ra/9"
Content-Disposition: inline
Sender: rea-fbsd@codelabs.ru
X-Spam-Status: No, score=-3.4 required=4.0 tests=ALL_TRUSTED,AWL,BAYES_00
Subject: VuXML entry for CVE-2007-1870: ClamAV CAB File Unstore Buffer
	Overflow
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Apr 2007 06:55:45 -0000


--oYAXToTM8kn9Ra/9
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline

Good day.

Spotted the CVE-2007-1870: the clamav 0.90.2 is already in the ports,
but no sign of the issue in the VuXML. The entry is attached. One
thing that is a bit strange is that the ChangeLog for the ClamAV
(http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog) says about
CVE-2007-1997 as the libclamav/cab.c log entry, but I think they are
messed the numbers -- there is no such CVE, at least I failed to
find it via cve.mitre.org:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1997
But the CVE-2007-1870 is a candidate and has no relevant information,
so I am not 100% sure about the correct number.
-- 
Eygene

--oYAXToTM8kn9Ra/9
Content-Type: text/plain; charset=koi8-r
Content-Disposition: attachment; filename="vuln.xml"

  <vuln vid="unknown">
    <topic>clamav -- CAB File Unstore Buffer Overflow Vulnerability</topic>
    <affects>
      <package>
	<name>clamav</name>
	<range><ge>0.90rc3</ge><lt>0.90.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>iDefense Security Advisory 04.16.07:</p>
	<blockquote cite="http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=513">
	  <p>Remote exploitation of a buffer overflow vulnerability in Clam
	    AntiVirus' ClamAV allows attackers to execute arbitrary code
	    with the privileges of the affected process.</p>
	  <p>Successful exploitation of this vulnerability results
	    in code execution with the privileges of the process
	    using libclamav.</p>
	  <p>In the case of the clamd program, this will result in
	    executing code with the privileges of the clamav user.
	    Unsuccessful exploitation results in the clamd
	    process crashing.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2007-1870</cvename>
      <url>http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=513</url>
      <url>http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog</url>
    </references>
    <dates>
      <discovery>2007-04-14</discovery>
    </dates>
  </vuln>

--oYAXToTM8kn9Ra/9--

From owner-freebsd-security@FreeBSD.ORG  Thu Apr 19 14:37:28 2007
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@FreeBSD.ORG
Delivered-To: freebsd-security@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 2E95016A401
	for <freebsd-security@FreeBSD.ORG>;
	Thu, 19 Apr 2007 14:37:28 +0000 (UTC)
	(envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (lurza.secnetix.de [83.120.8.8])
	by mx1.freebsd.org (Postfix) with ESMTP id A4A0E13C483
	for <freebsd-security@FreeBSD.ORG>;
	Thu, 19 Apr 2007 14:37:27 +0000 (UTC)
	(envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (ovsjiv@localhost [127.0.0.1])
	by lurza.secnetix.de (8.13.4/8.13.4) with ESMTP id l3JE4iht064267;
	Thu, 19 Apr 2007 16:04:50 +0200 (CEST)
	(envelope-from oliver.fromme@secnetix.de)
Received: (from olli@localhost)
	by lurza.secnetix.de (8.13.4/8.13.1/Submit) id l3JE4i6U064266;
	Thu, 19 Apr 2007 16:04:44 +0200 (CEST) (envelope-from olli)
Date: Thu, 19 Apr 2007 16:04:44 +0200 (CEST)
Message-Id: <200704191404.l3JE4i6U064266@lurza.secnetix.de>
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-security@FreeBSD.ORG, simon@FreeBSD.ORG, thomas@bsdunix.ch
In-Reply-To: <20070331054103.GA982@zaphod.nitro.dk>
X-Newsgroups: list.freebsd-security
User-Agent: tin/1.8.2-20060425 ("Shillay") (UNIX) (FreeBSD/4.11-STABLE (i386))
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.1.2
	(lurza.secnetix.de [127.0.0.1]);
	Thu, 19 Apr 2007 16:04:50 +0200 (CEST)
Cc: 
Subject: Re: Integer underflow in the "file" program before 4.20
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: freebsd-security@FreeBSD.ORG, simon@FreeBSD.ORG, thomas@bsdunix.ch
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Apr 2007 14:37:28 -0000

Simon L. Nielsen wrote:
 > Thomas Vogt wrote:
 > 
 > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536
 > > "Integer underflow in the file_printf function in the "file" program
 > > before 4.20 allows user-assisted attackers to execute arbitrary code via
 > > a file that triggers a heap-based buffer overflow."
 > > 
 > > Is FreeBSD 5.x/6.x affected too? It looks the System has file 4.12. The
 > > port has 4.20.
 > 
 > Hey,
 > 
 > While I haven't confirmed FreeBSD is vulnerable, I assume that is the
 > case.  In any case, we (The FreeBSD Security Team) are working on this
 > isuse.

Any news on this?  It's been more than a month ...

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

"With sufficient thrust, pigs fly just fine.  However, this
is not necessarily a good idea.  It is hard to be sure where
they are going to land, and it could be dangerous sitting
under them as they fly overhead." -- RFC 1925