Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

clamav: CVE-2007-0898 - MIME Header Directory Traversal

Related Vulnerabilities: CVE-2007-0898   CVE-2007-0897  

Source

Debian Bug report logs - #411117
clamav: CVE-2007-0898 - MIME Header Directory Traversal

version graph

Package: clamav; Maintainer for clamav is ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>; Source for clamav is src:clamav (PTS, buildd, popcon).

Reported by: intrigeri@boum.org

Date: Fri, 16 Feb 2007 11:15:02 UTC

Severity: serious

Found in versions 0.84-2.sarge.13, 0.88.7-1, 0.90~rc3-1

Fixed in versions 0.90-1, 0.88.7-2, 0.84-2.sarge.14

Done: Stephen Gran <sgran@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Ben Voui <intrigeri@boum.org>, Stephen Gran <sgran@debian.org>:
Bug#411117; Package clamav. (full text, mbox, link).

Acknowledgement sent to intrigeri@boum.org:
New Bug report received and forwarded. Copy sent to Ben Voui <intrigeri@boum.org>, Stephen Gran <sgran@debian.org>. (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: intrigeri@boum.org
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: clamav: CVE-2007-0898 - MIME Header Directory Traversal
Date: Fri, 16 Feb 2007 03:12:29 -0800 (PST)
Package: clamav
Version: 0.84-2.sarge.13
Severity: serious

Hello,

All versions prior to the 0.90 stable release are suspected to be vulnerable to
a directory traversal vulnerability that allows remote attackers to overwrite
files owned by the clamd scanner, such as the virus database file. This has been
assigned the name CVE-2007-0898, and has been fixed in upstream 0.90. A sarge
security fix backport will probably be needed.

Ciao,

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)

Versions of packages clamav depends on:
ii  clamav-freshclam [cla 0.84-2.sarge.13    downloads clamav virus databases f
ii  libbz2-1.0            1.0.2-7            high-quality block-sorting file co
ii  libc6                 2.3.2.ds1-22sarge4 GNU C Library: Shared libraries an
ii  libclamav1            0.84-2.sarge.13    virus scanner library
ii  libcurl3              7.13.2-2sarge5     Multi-protocol file transfer libra
ii  libgmp3               4.1.4-6            Multiprecision arithmetic library
ii  libidn11              0.5.13-1.0         GNU libidn library, implementation
ii  libssl0.9.7           0.9.7e-3sarge4     SSL shared libraries
ii  zlib1g                1:1.2.2-4.sarge.2  compression library - runtime

-- no debconf information

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#411117; Package clamav. (full text, mbox, link).

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. (full text, mbox, link).

Message #10 received at 411117@bugs.debian.org (full text, mbox, reply):

From: Stephen Gran <sgran@debian.org>
To: intrigeri@boum.org, 411117@bugs.debian.org, 411118@bugs.debian.org
Cc: Debian Bug Tracking System <control@bugs.debian.org>
Subject: Re: Bug#411117: clamav: CVE-2007-0898 & CVE-2007-0897
Date: Fri, 16 Feb 2007 12:16:22 +0000
[Message part 1 (text/plain, inline)]
found 411117 0.84-2.sarge.13
found 411117 0.88.7-1
found 411117 0.90~rc3-1
notfound 411117 0.84-2.sarge.14
notfound 411117 0.88.7-2
notfound 411117 0.90-1
close 411117 0.90-1
close 411117 0.88.7-2
close 411117 0.84-2.sarge.14
found 411118 0.84-2.sarge.13
found 411118 0.88.7-1
found 411118 0.90~rc3-1
notfound 411118 0.84-2.sarge.14
notfound 411118 0.88.7-2
notfound 411118 0.90-1
close 411118 0.90-1
close 411118 0.88.7-2
close 411118 0.84-2.sarge.14
thanks

Fixes for these have been uploaded to stable-security, volatile,
testing-proposed-updates, and unstable.  Sorry about any wait time -
it's now out of my hands.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

[signature.asc (application/pgp-signature, inline)]

Bug marked as found in version 0.84-2.sarge.13. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug marked as found in version 0.88.7-1. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug marked as found in version 0.90~rc3-1. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug marked as not found in version 0.84-2.sarge.14. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug marked as not found in version 0.88.7-2. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug marked as not found in version 0.90-1. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug marked as fixed in version 0.90-1, send any further explanations to intrigeri@boum.org Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug marked as fixed in version 0.88.7-2, send any further explanations to intrigeri@boum.org Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug marked as fixed in version 0.84-2.sarge.14, send any further explanations to intrigeri@boum.org Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 18:30:29 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:18:29 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started