On Nov 29, 2013, at 12:58 PM, Kurt Seifried <kseifried () redhat com> wrote:
On 11/29/2013 02:20 AM, Sergey Popov wrote:
It's a bit late, but I would like to request CVE for two
vulnerabilities that are present in ClamAV before 0.97.7:
1) A double-free error exists within the
(libclamunrar_iface/unrar_iface.c) when parsing a RAR file.
2) An unspecified error within the "wwunpack()" function
(libclamav/wwunpack.c) when unpacking a WWPack file can be
exploited to corrupt heap memory.
 - https://secunia.com/advisories/52647/
The blog entry
contains no mention of security flaws,
Hrm, at least the copy I see says “ClamAV 0.97.7 addresses
several reported potential security bugs.”. While it doesn’t
identify the issues per se, it does at least indicate this is a
Jan Lieskovsky talked about both of these last March — see
<http://seclists.org/oss-sec/2013/q1/672>. The double-free was
fixed in this commit :
and the 'wwunpack()' issue maps to :
Hope that helps,
Also the ChangeLog:
Doesn't contain any mention of the above flaws. Can you provide
links to source code/bug reports or something so I can verify this?