Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

clamav: CVE-2007-0897 - CAB File Denial of Service Vulnerability

Related Vulnerabilities: CVE-2007-0897   CVE-2007-0898  

Source

Debian Bug report logs - #411118
clamav: CVE-2007-0897 - CAB File Denial of Service Vulnerability

version graph

Package: clamav; Maintainer for clamav is ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>; Source for clamav is src:clamav (PTS, buildd, popcon).

Reported by: intrigeri@boum.org

Date: Fri, 16 Feb 2007 11:18:01 UTC

Severity: important

Found in versions 0.84-2.sarge.13, 0.88.7-1, 0.90~rc3-1

Fixed in versions 0.90-1, 0.88.7-2, 0.84-2.sarge.14

Done: Stephen Gran <sgran@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Ben Voui <intrigeri@boum.org>, Stephen Gran <sgran@debian.org>:
Bug#411118; Package clamav. (full text, mbox, link).

Acknowledgement sent to intrigeri@boum.org:
New Bug report received and forwarded. Copy sent to Ben Voui <intrigeri@boum.org>, Stephen Gran <sgran@debian.org>. (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: intrigeri@boum.org
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: clamav: CVE-2007-0897 - CAB File Denial of Service Vulnerability
Date: Fri, 16 Feb 2007 03:16:28 -0800 (PST)
Package: clamav
Version: 0.84-2.sarge.13
Severity: serious

All versions prior to 0.90 are suspected to be vulnerable to a resource
consumption vulnerability in Clam AntiVirus' ClamAV allows remote attackers to
degrade the service of the clamd scanner. E.g., legitimate email can be refused
because of this bug. v0.90RC1.1 is confirmed to be vulnerable. Upstream 0.90
fixes this. A sarge security fix backport will probably be needed.

Ciao,

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)

Versions of packages clamav depends on:
ii  clamav-freshclam [cla 0.84-2.sarge.13    downloads clamav virus databases f
ii  libbz2-1.0            1.0.2-7            high-quality block-sorting file co
ii  libc6                 2.3.2.ds1-22sarge4 GNU C Library: Shared libraries an
ii  libclamav1            0.84-2.sarge.13    virus scanner library
ii  libcurl3              7.13.2-2sarge5     Multi-protocol file transfer libra
ii  libgmp3               4.1.4-6            Multiprecision arithmetic library
ii  libidn11              0.5.13-1.0         GNU libidn library, implementation
ii  libssl0.9.7           0.9.7e-3sarge4     SSL shared libraries
ii  zlib1g                1:1.2.2-4.sarge.2  compression library - runtime

-- no debconf information

Severity set to `important' from `serious' Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#411118; Package clamav. (full text, mbox, link).

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. (full text, mbox, link).

Message #12 received at 411118@bugs.debian.org (full text, mbox, reply):

From: Stephen Gran <sgran@debian.org>
To: intrigeri@boum.org, 411117@bugs.debian.org, 411118@bugs.debian.org
Cc: Debian Bug Tracking System <control@bugs.debian.org>
Subject: Re: Bug#411117: clamav: CVE-2007-0898 & CVE-2007-0897
Date: Fri, 16 Feb 2007 12:16:22 +0000
[Message part 1 (text/plain, inline)]
found 411117 0.84-2.sarge.13
found 411117 0.88.7-1
found 411117 0.90~rc3-1
notfound 411117 0.84-2.sarge.14
notfound 411117 0.88.7-2
notfound 411117 0.90-1
close 411117 0.90-1
close 411117 0.88.7-2
close 411117 0.84-2.sarge.14
found 411118 0.84-2.sarge.13
found 411118 0.88.7-1
found 411118 0.90~rc3-1
notfound 411118 0.84-2.sarge.14
notfound 411118 0.88.7-2
notfound 411118 0.90-1
close 411118 0.90-1
close 411118 0.88.7-2
close 411118 0.84-2.sarge.14
thanks

Fixes for these have been uploaded to stable-security, volatile,
testing-proposed-updates, and unstable.  Sorry about any wait time -
it's now out of my hands.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

[signature.asc (application/pgp-signature, inline)]

Bug marked as found in version 0.84-2.sarge.13. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug marked as found in version 0.88.7-1. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug marked as found in version 0.90~rc3-1. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug marked as not found in version 0.84-2.sarge.14. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug marked as not found in version 0.88.7-2. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug marked as not found in version 0.90-1. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug marked as fixed in version 0.90-1, send any further explanations to intrigeri@boum.org Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug marked as fixed in version 0.88.7-2, send any further explanations to intrigeri@boum.org Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug marked as fixed in version 0.84-2.sarge.14, send any further explanations to intrigeri@boum.org Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 19:02:38 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:01:31 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started