Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: ClamAV vulnerabilities
From: Sergey Popov <pinkbyte () gentoo org>
Date: Mon, 09 Dec 2013 12:50:07 +0400

29.11.2013 21:58, Kurt Seifried пишет:
On 11/29/2013 02:20 AM, Sergey Popov wrote:
It's a bit late, but i would like to request CVE for two
vulnerabilities, that present in ClamAV before 0.97.7[1]:

1) A double-free error exists within the
"unrar_extract_next_prepare()" function
(libclamunrar_iface/unrar_iface.c) when parsing a RAR file.

2) An unspecified error within the "wwunpack()" function
(libclamav/wwunpack.c) when unpacking a WWPack file can be
exploited to corrupt heap memory.

[1] - https://secunia.com/advisories/52647/


The blog entry

http://blog.clamav.net/2013/03/clamav-0977-has-been-released.html

contains no mention of security flaws,

Also the ChangeLog:

https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog

Doesn't contain any mention of the above flaws. Can you provide links
to source code/bug reports or something so I can verify this? Thanks.



What's about:

"ClamAV 0.97.7 addresses several reported potential security bugs.
Thanks to Felix Groebert, Mateusz Jurczyk and Gynvael Coldwind of the
Google Security Team for finding and reporting these issues."[1]

I know that there are no details provided here, but secunia advisory
also points on 'unspecified vulnerabilities'.

[1] - quote from
http://blog.clamav.net/2013/03/clamav-0977-has-been-released.html

-- 
Best regards, Sergey Popov
Gentoo developer
Gentoo Desktop Effects project lead
Gentoo Qt project lead
Gentoo Proxy maintainers project lead

Attachment: signature.asc
Description: OpenPGP digital signature


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault