Date: Mon, 10 Nov 2008 14:19:44 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/128749: [vuxml] VBA parser vulnerability in ClamAV < 0.94.1
Message-ID: <20081110111944.ADFC11AF424@void.codelabs.ru>
Resent-Message-ID: <200811101120.mAABK2jO061294@freefall.freebsd.org>

>Number:         128749
>Category:       ports
>Synopsis:       [vuxml] VBA parser vulnerability in ClamAV < 0.94.1
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 10 11:20:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE i386

>Description:

As was recently reported on the BugTraq list, the VBA parser in ClamAV
contains an off-by-one overflow that can lead to arbitrary code
execution within the clamd process. The VBA component seems to be
unconditionally included in libclamav, and OLE2 scanning is "on" by
default.

>How-To-Repeat:

http://www.securityfocus.com/archive/1/498169/30/0/threaded

>Fix:

The following VuXML entry describes this issue:

--- vuln.xml begins here ---
  <vuln vid="">
    <topic>clamav -- off-by-one heap overflow in VBA project parser</topic>
    <affects>
      <package>
        <name>clamav</name>
        <range><lt>0.94.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Advisory from Moritz Jodeit, November 8th, 2008:</p>
        <blockquote cite="http://www.securityfocus.com/archive/1/498169/30/0/threaded">
          <p>ClamAV contains an off-by-one heap overflow vulnerability
            in the code responsible for parsing VBA project files.
            Successful exploitation could allow an attacker to execute
            arbitrary code with the privileges of the `clamd' process by
            sending an email with a prepared attachment.</p>
          <p>A VBA project file embedded inside an OLE2 office document
            send as an attachment can trigger the off-by-one.</p>
        </blockquote>
        <p>Entry from Thu Oct 30 13:52:42 CET 2008 (acab) in ChangeLog:</p>
        <blockquote cite="http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog">
          <p>libclamav/vba_extract.c: get_unicode_name off-by-one,
            bb#1239 reported by Moritz Jodeit &gt;moritz*jodeit.org&lt;</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://www.securityfocus.com/archive/1/498169/30/0/threaded</url>
      <url>http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog</url>
    </references>
    <dates>
      <discovery>2008-11-08</discovery>
    </dates>
  </vuln>
--- vuln.xml ends here ---

The FreeBSD port itself is already at 0.94.1, so it is fully patched.

>Release-Note:
>Audit-Trail:
>Unformatted:
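
Added example, not part of the original report or of any FreeBSD tool: Python code that reads the <affects> block of the entry above and decides whether an installed clamav version falls inside the <range><lt>0.94.1</lt></range> bound. The function names are hypothetical, the XML is a constructed copy of the entry's <affects> block, and versions are assumed to be plain dotted numbers (ports suffixes such as _N and ,N are not handled).

```python
import operator
import xml.etree.ElementTree as ET

# Constructed copy of the <affects> block from the VuXML entry above.
AFFECTS_XML = """
<affects>
  <package>
    <name>clamav</name>
    <range><lt>0.94.1</lt></range>
  </package>
</affects>
"""

# VuXML range bounds and the comparison each one stands for.
OPS = {"lt": operator.lt, "le": operator.le, "gt": operator.gt,
       "ge": operator.ge, "eq": operator.eq}


def version_key(version):
    """Turn '0.94.1' into [0, 94, 1] so versions compare numerically.
    Assumption: plain dotted numeric versions only."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("unsupported version string: %r" % version)
    return [int(p) for p in parts]


def parse_affects(xml_text):
    """Return {package name: [range, ...]}, each range a list of (op, bound)."""
    affects = {}
    for pkg in ET.fromstring(xml_text).iter("package"):
        ranges = [[(b.tag, b.text.strip()) for b in rng]
                  for rng in pkg.findall("range")]
        for name in pkg.findall("name"):
            affects[name.text.strip()] = ranges
    return affects


def is_affected(affects, name, version):
    """True when every bound of at least one <range> holds for the version."""
    key = version_key(version)
    return any(all(OPS[op](key, version_key(bound)) for op, bound in rng)
               for rng in affects.get(name, []))


if __name__ == "__main__":
    entry = parse_affects(AFFECTS_XML)
    for installed in ("0.93.3", "0.94", "0.94.1"):
        print("clamav", installed, "affected:", is_affected(entry, "clamav", installed))
```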