Clamav vulnerable to symlink attack

Related Vulnerabilities: CVE-2007-6595   CVE-2007-6596   CVE-2008-0318  

Debian Bug report logs - #458532

Reported by: Neil McGovern <neilm@debian.org>

Date: Tue, 1 Jan 2008 14:03:02 UTC

Severity: important

Tags: security

Found in versions clamav/0.90.1-3etch7, clamav/0.91.2-4, clamav/0.91.2-4.0lenny1, clamav/0.92~dfsg-2, 0.92~dfsg-1~volatile2

Fixed in versions clamav/0.92.1~dfsg-1, 0.92.1~dfsg-1volatile1, clamav/0.92.1dfsg-0volatile1

Done: Stephen Gran <sgran@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Security Team <team@security.debian.org>, Stephen Gran <sgran@debian.org>:
Bug#458532; Package clamav.


Acknowledgement sent to Neil McGovern <neilm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Security Team <team@security.debian.org>, Stephen Gran <sgran@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Neil McGovern <neilm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Clamav vulnerable to symlink attack
Date: Tue, 01 Jan 2008 14:01:00 +0000
Package: clamav
Version: 0.90.1-3etch7
Severity: critical
Tags: security


Two new CVEs for clamav:

Name: CVE-2007-6595
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6595
Reference: BUGTRAQ:20071229 TK53 Advisory #2: Multiple vulnerabilities in ClamAV
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/485631/100/0/threaded
Reference: BID:27064
Reference: URL:http://www.securityfocus.com/bid/27064
 
 ClamAV 0.92 allows local users to overwrite arbitrary files via a
 symlink attack on (1) temporary files in the cli_gentempfd function in
 libclamav/others.c or on (2) .ascii files in sigtool, when
 utf16-decode is enabled.

Name: CVE-2007-6596
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6596
Reference: BUGTRAQ:20071229 TK53 Advisory #2: Multiple vulnerabilities in ClamAV
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/485631/100/0/threaded
Reference: BID:27064
Reference: URL:http://www.securityfocus.com/bid/27064

 ClamAV 0.92 does not recognize Base64 UUEncoded archives, which allows
 remote attackers to bypass the scanner via a Base64-UUEncoded file.


I'd say ignore CVE-2007-6596, as clamav also doesn't recognise
insert-random-proprietary-encoding-here either, so it's not really a
valid issue (imo).

Tags for versions are:
CVE-2007-6595 isn't relevant for sarge, and only part (2) is in etch.
Lenny/sid affected fully.




Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Gran <sgran@debian.org>:
Bug#458532; Package clamav.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Stephen Gran <sgran@debian.org>.


Message #10 received at 458532@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Neil McGovern <neilm@debian.org>, 458532@bugs.debian.org
Subject: Re: Bug#458532: Clamav vulnerable to symlink attack
Date: Tue, 1 Jan 2008 16:29:16 +0100
Hi Neil,
* Neil McGovern <neilm@debian.org> [2008-01-01 15:26]:
[...] 
> I'd say ignore CVE-2007-6596, as clamav also doesn't recognise
> insert-random-proprietary-encoding-here either, so it's not really a
> valid issue (imo).

Isn't the problem with this that mailers exist that treat
such content as attachments if included in the mail body?
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Bug marked as found in version 0.91.2-4. Request was from Neil McGovern <neilm@debian.org> to control@bugs.debian.org. (Wed, 02 Jan 2008 09:24:04 GMT)


Bug marked as found in version 0.91.2-4.0lenny1. Request was from Neil McGovern <neilm@debian.org> to control@bugs.debian.org. (Wed, 02 Jan 2008 09:24:05 GMT)


Bug marked as found in version 0.92~dfsg-2. Request was from Neil McGovern <neilm@debian.org> to control@bugs.debian.org. (Wed, 02 Jan 2008 09:24:06 GMT)


Bug marked as found in version 0.92~dfsg-1~volatile2. Request was from Neil McGovern <neilm@debian.org> to control@bugs.debian.org. (Wed, 02 Jan 2008 09:24:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Gran <sgran@debian.org>:
Bug#458532; Package clamav.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Stephen Gran <sgran@debian.org>.


Message #23 received at 458532@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Neil McGovern <neilm@debian.org>
Cc: 458532@bugs.debian.org, control@bugs.debian.org
Subject: Re: Clamav vulnerable to symlink attack
Date: Wed, 2 Jan 2008 23:23:04 +0100
severity 458532 important
thanks

On Tue, Jan 01, 2008 at 02:01:00PM +0000, Neil McGovern wrote:
> Package: clamav
> Version: 0.90.1-3etch7
> Severity: critical
> Tags: security

This doesn't warrant an RC security bug.

> Two new CVEs for clamav:
> 
> Name: CVE-2007-6595
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6595
> Reference: BUGTRAQ:20071229 TK53 Advisory #2: Multiple vulnerabilities in ClamAV
> Reference: URL:http://www.securityfocus.com/archive/1/archive/1/485631/100/0/threaded
> Reference: BID:27064
> Reference: URL:http://www.securityfocus.com/bid/27064
>  
>  ClamAV 0.92 allows local users to overwrite arbitrary files via a
>  symlink attack on (1) temporary files in the cli_gentempfd function in
>  libclamav/others.c or on (2) .ascii files in sigtool, when
>  utf16-decode is enabled.
>
> Name: CVE-2007-6596
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6596
> Reference: BUGTRAQ:20071229 TK53 Advisory #2: Multiple vulnerabilities in ClamAV
> Reference: URL:http://www.securityfocus.com/archive/1/archive/1/485631/100/0/threaded
> Reference: BID:27064
> Reference: URL:http://www.securityfocus.com/bid/27064
> 
>  ClamAV 0.92 does not recognize Base64 UUEncoded archives, which allows
>  remote attackers to bypass the scanner via a Base64-UUEncoded file.
> 
> I'd say ignore CVE-2007-6596, as clamav also doesn't recognise
> insert-random-proprietary-encoding-here either, so it's not really a
> valid issue (imo).

I agree.
 
> Tags for versions are:
> CVE-2007-6595 isn't relevant for sarge, and only part (2) is in etch.
> Lenny/sid affected fully.

Support for Sarge has stopped, see latest DSA.

These issues are rather harmless in the context of clamav. They'll
be fixed when a future and more severe clamav issue pops up. (Which
is quite likely given the history of clamav :-)

Cheers,
        Moritz




Severity set to `important' from `critical' Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Wed, 02 Jan 2008 22:24:05 GMT)


Reply sent to Stephen Gran <sgran@debian.org>:
You have taken responsibility.


Notification sent to Neil McGovern <neilm@debian.org>:
Bug acknowledged by developer.


Message #30 received at 458532-close@bugs.debian.org:

From: Stephen Gran <sgran@debian.org>
To: 458532-close@bugs.debian.org
Subject: Bug#458532: fixed in clamav 0.92.1~dfsg-1
Date: Tue, 12 Feb 2008 02:47:04 +0000
Source: clamav
Source-Version: 0.92.1~dfsg-1

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive:

clamav-base_0.92.1~dfsg-1_all.deb
  to pool/main/c/clamav/clamav-base_0.92.1~dfsg-1_all.deb
clamav-daemon_0.92.1~dfsg-1_i386.deb
  to pool/main/c/clamav/clamav-daemon_0.92.1~dfsg-1_i386.deb
clamav-dbg_0.92.1~dfsg-1_i386.deb
  to pool/main/c/clamav/clamav-dbg_0.92.1~dfsg-1_i386.deb
clamav-docs_0.92.1~dfsg-1_all.deb
  to pool/main/c/clamav/clamav-docs_0.92.1~dfsg-1_all.deb
clamav-freshclam_0.92.1~dfsg-1_i386.deb
  to pool/main/c/clamav/clamav-freshclam_0.92.1~dfsg-1_i386.deb
clamav-milter_0.92.1~dfsg-1_i386.deb
  to pool/main/c/clamav/clamav-milter_0.92.1~dfsg-1_i386.deb
clamav-testfiles_0.92.1~dfsg-1_all.deb
  to pool/main/c/clamav/clamav-testfiles_0.92.1~dfsg-1_all.deb
clamav_0.92.1~dfsg-1.diff.gz
  to pool/main/c/clamav/clamav_0.92.1~dfsg-1.diff.gz
clamav_0.92.1~dfsg-1.dsc
  to pool/main/c/clamav/clamav_0.92.1~dfsg-1.dsc
clamav_0.92.1~dfsg-1_i386.deb
  to pool/main/c/clamav/clamav_0.92.1~dfsg-1_i386.deb
clamav_0.92.1~dfsg.orig.tar.gz
  to pool/main/c/clamav/clamav_0.92.1~dfsg.orig.tar.gz
libclamav-dev_0.92.1~dfsg-1_i386.deb
  to pool/main/c/clamav/libclamav-dev_0.92.1~dfsg-1_i386.deb
libclamav3_0.92.1~dfsg-1_i386.deb
  to pool/main/c/clamav/libclamav3_0.92.1~dfsg-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 458532@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Gran <sgran@debian.org> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 12 Feb 2008 02:25:20 +0000
Source: clamav
Binary: clamav-base clamav-docs clamav-dbg clamav libclamav-dev libclamav3 clamav-daemon clamav-testfiles clamav-freshclam clamav-milter
Architecture: source all i386
Version: 0.92.1~dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Stephen Gran <sgran@debian.org>
Changed-By: Stephen Gran <sgran@debian.org>
Description: 
 clamav     - anti-virus utility for Unix - command-line interface
 clamav-base - anti-virus utility for Unix - base package
 clamav-daemon - anti-virus utility for Unix - scanner daemon
 clamav-dbg - debug symbols for ClamAV
 clamav-docs - anti-virus utility for Unix - documentation
 clamav-freshclam - anti-virus utility for Unix - virus database update utility
 clamav-milter - anti-virus utility for Unix - sendmail integration
 clamav-testfiles - anti-virus utility for Unix - test files
 libclamav-dev - anti-virus utility for Unix - development files
 libclamav3 - anti-virus utility for Unix - library
Closes: 456770 458204 458532 465203
Changes: 
 clamav (0.92.1~dfsg-1) unstable; urgency=low
 .
   * New upstream bugfix release
     - [2007-6595]: libclamav/others.c: symlink vulnerability
       cli_gentempfd now calls open with O_EXCL (closes: #458532)
     - [CVE-2008-0318]: libclamav/pe.c: possible integer overflow
     - libclamav/mew.c: possible heap corruption
   * Add a note to NEWS.Debian about unrar support being dropped
     (closes: #465203)
   * clamav-milter: off-by-one programming error in pingServer
     (closes: #458204)
   * Copyright now complete (thanks Scott Kitterman <scott@kitterman.com>)
     (closes: #456770)
   * Attempt to work around clamav-milter not bothering to check if another
     instance is running on startup (reported as LP bug 179169)
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHsQTpSYIMHOpZA44RArUFAJ9rAsHrQLUeN2WKnoTmcurW2/O+5QCgjrPL
F76WRqcsiuo35ussCwwPRBg=
=uVnU
-----END PGP SIGNATURE-----
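
The changelog above says cli_gentempfd now calls open with O_EXCL. The following is an added example, not ClamAV's code and not part of the original thread, showing what that flag changes when a symlink already sits at the temporary file's path. The function names and the file names inside the private mkdtemp directory are hypothetical and constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern without O_EXCL: a symlink already present at `path` is followed,
 * and O_TRUNC empties whatever file it points to. */
int open_temp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Pattern named in the changelog: with O_CREAT | O_EXCL the call fails with
 * EEXIST if anything, a symlink included, already exists at `path`. */
int open_temp_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Builds a private directory holding an 8-byte file and a symlink to it at
 * the temp-file name, runs one opener on the symlink, and returns the size of
 * the protected file afterwards (-1 on setup failure). *open_errno receives
 * the opener's errno, or 0 if the open succeeded. */
long run_case(int use_excl, int *open_errno)
{
    char dir[] = "/tmp/excl-demo-XXXXXX";   /* constructed sample paths */
    char victim[64], tmp[64];
    struct stat st;
    long size = -1;
    int fd;

    *open_errno = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/important.conf", dir);
    snprintf(tmp, sizeof tmp, "%s/scan.tmp", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && write(fd, "keep me\n", 8) == 8 && symlink(victim, tmp) == 0) {
        close(fd);
        fd = use_excl ? open_temp_excl(tmp) : open_temp_unsafe(tmp);
        if (fd < 0)
            *open_errno = errno;
        if (stat(victim, &st) == 0)
            size = (long)st.st_size;
    }
    if (fd >= 0)
        close(fd);
    unlink(tmp);
    unlink(victim);
    rmdir(dir);
    return size;
}

int main(void)
{
    int err;
    long size = run_case(0, &err);
    printf("without O_EXCL: errno=%d, protected file is now %ld bytes\n", err, size);
    size = run_case(1, &err);
    printf("with O_EXCL:    errno=%d, protected file is now %ld bytes\n", err, size);
    return 0;
}
```

O_EXCL only closes the race at creation time; the temporary name should still be unpredictable and live in a directory other users cannot write to.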





Reply sent to Stephen Gran <sgran@debian.org>:
You have taken responsibility.


Notification sent to Neil McGovern <neilm@debian.org>:
Bug acknowledged by developer.


Message #35 received at 458532-close@bugs.debian.org:

From: Stephen Gran <sgran@debian.org>
To: 458532-close@bugs.debian.org
Subject: Bug#458532: fixed in clamav 0.92.1~dfsg-1volatile1
Date: Tue, 12 Feb 2008 04:20:19 +0100 (CET)
Source: clamav
Source-Version: 0.92.1~dfsg-1volatile1

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the volatile.debian.org FTP archive:

clamav-base_0.92.1~dfsg-1volatile1_all.deb
  to pool/volatile/main/c/clamav/clamav-base_0.92.1~dfsg-1volatile1_all.deb
clamav-daemon_0.92.1~dfsg-1volatile1_i386.deb
  to pool/volatile/main/c/clamav/clamav-daemon_0.92.1~dfsg-1volatile1_i386.deb
clamav-dbg_0.92.1~dfsg-1volatile1_i386.deb
  to pool/volatile/main/c/clamav/clamav-dbg_0.92.1~dfsg-1volatile1_i386.deb
clamav-docs_0.92.1~dfsg-1volatile1_all.deb
  to pool/volatile/main/c/clamav/clamav-docs_0.92.1~dfsg-1volatile1_all.deb
clamav-freshclam_0.92.1~dfsg-1volatile1_i386.deb
  to pool/volatile/main/c/clamav/clamav-freshclam_0.92.1~dfsg-1volatile1_i386.deb
clamav-milter_0.92.1~dfsg-1volatile1_i386.deb
  to pool/volatile/main/c/clamav/clamav-milter_0.92.1~dfsg-1volatile1_i386.deb
clamav-testfiles_0.92.1~dfsg-1volatile1_all.deb
  to pool/volatile/main/c/clamav/clamav-testfiles_0.92.1~dfsg-1volatile1_all.deb
clamav_0.92.1~dfsg-1volatile1.diff.gz
  to pool/volatile/main/c/clamav/clamav_0.92.1~dfsg-1volatile1.diff.gz
clamav_0.92.1~dfsg-1volatile1.dsc
  to pool/volatile/main/c/clamav/clamav_0.92.1~dfsg-1volatile1.dsc
clamav_0.92.1~dfsg-1volatile1_i386.deb
  to pool/volatile/main/c/clamav/clamav_0.92.1~dfsg-1volatile1_i386.deb
clamav_0.92.1~dfsg.orig.tar.gz
  to pool/volatile/main/c/clamav/clamav_0.92.1~dfsg.orig.tar.gz
libclamav-dev_0.92.1~dfsg-1volatile1_i386.deb
  to pool/volatile/main/c/clamav/libclamav-dev_0.92.1~dfsg-1volatile1_i386.deb
libclamav3_0.92.1~dfsg-1volatile1_i386.deb
  to pool/volatile/main/c/clamav/libclamav3_0.92.1~dfsg-1volatile1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 458532@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

volatile.debian.org distribution maintenance software
pp.
Stephen Gran <sgran@debian.org> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@volatile.debian.net)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 12 Feb 2008 02:34:25 +0000
Source: clamav
Binary: libclamav3 clamav libclamav-dev clamav-dbg clamav-milter clamav-base clamav-freshclam clamav-testfiles clamav-daemon clamav-docs
Architecture: source i386 all
Version: 0.92.1~dfsg-1volatile1
Distribution: etch-volatile
Urgency: low
Maintainer: Stephen Gran <sgran@debian.org>
Changed-By: Stephen Gran <sgran@debian.org>
Description: 
 clamav     - antivirus scanner for Unix
 clamav-base - base package for clamav, an anti-virus utility for Unix
 clamav-daemon - antivirus scanner daemon
 clamav-dbg - debug symbols for clamav
 clamav-docs - documentation package for clamav, an anti-virus utility for Unix
 clamav-freshclam - downloads clamav virus databases from the Internet
 clamav-milter - antivirus scanner for sendmail
 clamav-testfiles - use these files to test that your Antivirus program works
 libclamav-dev - clam Antivirus library development files
 libclamav3 - virus scanner library
Closes: 458532
Changes: 
 clamav (0.92.1~dfsg-1volatile1) etch-volatile; urgency=low
 .
   * New upstream version
     - [2007-6595]: libclamav/others.c: symlink vulnerability
       cli_gentempfd now calls open with O_EXCL (closes: #458532)
     - [CVE-2008-0318]: libclamav/pe.c: possible integer overflow
     - libclamav/mew.c: possible heap corruption
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHsQgiSYIMHOpZA44RAqbgAKCXfu1+b4xqHFSz2Y0JKuUdJMiHzgCfUVAz
pH5jew+KUBTDG6hpkdT691I=
=HqMS
-----END PGP SIGNATURE-----





Bug reopened, originator not changed. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 12 Feb 2008 09:36:04 GMT)


Bug marked as fixed in version 0.92.1~dfsg-1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 12 Feb 2008 10:45:04 GMT)


Bug marked as fixed in version 0.92.1~dfsg-1volatile1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 12 Feb 2008 10:45:06 GMT)


Reply sent to Stephen Gran <sgran@debian.org>:
You have taken responsibility.


Notification sent to Neil McGovern <neilm@debian.org>:
Bug acknowledged by developer.


Message #46 received at 458532-close@bugs.debian.org:

From: Stephen Gran <sgran@debian.org>
To: 458532-close@bugs.debian.org
Subject: Bug#458532: fixed in clamav 0.92.1dfsg-0volatile1
Date: Tue, 12 Feb 2008 13:05:16 +0100 (CET)
Source: clamav
Source-Version: 0.92.1dfsg-0volatile1

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the volatile.debian.org FTP archive:

clamav-base_0.92.1dfsg-0volatile1_all.deb
  to pool/volatile/main/c/clamav/clamav-base_0.92.1dfsg-0volatile1_all.deb
clamav-daemon_0.92.1dfsg-0volatile1_i386.deb
  to pool/volatile/main/c/clamav/clamav-daemon_0.92.1dfsg-0volatile1_i386.deb
clamav-docs_0.92.1dfsg-0volatile1_all.deb
  to pool/volatile/main/c/clamav/clamav-docs_0.92.1dfsg-0volatile1_all.deb
clamav-freshclam_0.92.1dfsg-0volatile1_i386.deb
  to pool/volatile/main/c/clamav/clamav-freshclam_0.92.1dfsg-0volatile1_i386.deb
clamav-milter_0.92.1dfsg-0volatile1_i386.deb
  to pool/volatile/main/c/clamav/clamav-milter_0.92.1dfsg-0volatile1_i386.deb
clamav-testfiles_0.92.1dfsg-0volatile1_all.deb
  to pool/volatile/main/c/clamav/clamav-testfiles_0.92.1dfsg-0volatile1_all.deb
clamav_0.92.1dfsg-0volatile1.diff.gz
  to pool/volatile/main/c/clamav/clamav_0.92.1dfsg-0volatile1.diff.gz
clamav_0.92.1dfsg-0volatile1.dsc
  to pool/volatile/main/c/clamav/clamav_0.92.1dfsg-0volatile1.dsc
clamav_0.92.1dfsg-0volatile1_i386.deb
  to pool/volatile/main/c/clamav/clamav_0.92.1dfsg-0volatile1_i386.deb
clamav_0.92.1dfsg.orig.tar.gz
  to pool/volatile/main/c/clamav/clamav_0.92.1dfsg.orig.tar.gz
libclamav-dev_0.92.1dfsg-0volatile1_i386.deb
  to pool/volatile/main/c/clamav/libclamav-dev_0.92.1dfsg-0volatile1_i386.deb
libclamav3_0.92.1dfsg-0volatile1_i386.deb
  to pool/volatile/main/c/clamav/libclamav3_0.92.1dfsg-0volatile1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 458532@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

volatile.debian.org distribution maintenance software
pp.
Stephen Gran <sgran@debian.org> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@volatile.debian.net)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 12 Feb 2008 02:33:34 +0000
Source: clamav
Binary: libclamav3 clamav libclamav-dev clamav-milter clamav-base clamav-freshclam clamav-testfiles clamav-daemon clamav-docs
Architecture: source all i386
Version: 0.92.1dfsg-0volatile1
Distribution: sarge-volatile
Urgency: low
Maintainer: Stephen Gran <sgran@debian.org>
Changed-By: Stephen Gran <sgran@debian.org>
Description: 
 clamav     - antivirus scanner for Unix
 clamav-base - base package for clamav, an anti-virus utility for Unix
 clamav-daemon - antivirus scanner daemon
 clamav-docs - documentation package for clamav, an anti-virus utility for Unix
 clamav-freshclam - downloads clamav virus databases from the Internet
 clamav-milter - antivirus scanner for sendmail
 clamav-testfiles - use these files to test that your Antivirus program works
 libclamav-dev - clam Antivirus library development files
 libclamav3 - virus scanner library
Closes: 458532
Changes: 
 clamav (0.92.1dfsg-0volatile1) sarge-volatile; urgency=low
 .
   * New upstream version
     - [2007-6595]: libclamav/others.c: symlink vulnerability
       cli_gentempfd now calls open with O_EXCL (closes: #458532)
     - [CVE-2008-0318]: libclamav/pe.c: possible integer overflow
     - libclamav/mew.c: possible heap corruption
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHsYl3SYIMHOpZA44RAoknAKCqOaB4K6ZJ3F3mqYXxDVBGj2m6DgCeML8n
V804wMZ4RLvLXAWP+C/j2b0=
=pcec
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 17 Mar 2008 07:38:51 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:15:38 2019; Machine Name: buxtehude
