Your message dated Tue, 12 Feb 2008 04:20:19 +0100 (CET)
with message-id <[EMAIL PROTECTED]>
and subject line Bug#458532: fixed in clamav 0.92.1~dfsg-1volatile1
has caused the Debian Bug report #458532,
regarding Clamav vulnerable to symlink attack
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
458532: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=458532
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: clamav
Version: 0.90.1-3etch7
Severity: critical
Tags: security
Two new CVEs for clamav:
Name: CVE-2007-6595
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6595
Reference: BUGTRAQ:20071229 TK53 Advisory #2: Multiple vulnerabilities in ClamAV
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/485631/100/0/threaded
Reference: BID:27064
Reference: URL:http://www.securityfocus.com/bid/27064
ClamAV 0.92 allows local users to overwrite arbitrary files via a
symlink attack on (1) temporary files in the cli_gentempfd function in
libclamav/others.c or on (2) .ascii files in sigtool, when
utf16-decode is enabled.
Name: CVE-2007-6596
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6596
Reference: BUGTRAQ:20071229 TK53 Advisory #2: Multiple vulnerabilities in ClamAV
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/485631/100/0/threaded
Reference: BID:27064
Reference: URL:http://www.securityfocus.com/bid/27064
ClamAV 0.92 does not recognize Base64 UUEncoded archives, which allows
remote attackers to bypass the scanner via a Base64-UUEncoded file.
I'd say ignore CVE-2007-6596, as clamav also doesn't recognise
insert-random-proprietary-encoding-here either, so it's not really a
valid issue (imo).
Tags for versions are:
CVE-2007-6595 isn't relevant for sarge, and only part (2) is in etch.
Lenny/sid affected fully.
--- End Message ---
--- Begin Message ---
Source: clamav
Source-Version: 0.92.1~dfsg-1volatile1
We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the volatile.debian.org FTP archive:
clamav-base_0.92.1~dfsg-1volatile1_all.deb
to pool/volatile/main/c/clamav/clamav-base_0.92.1~dfsg-1volatile1_all.deb
clamav-daemon_0.92.1~dfsg-1volatile1_i386.deb
to pool/volatile/main/c/clamav/clamav-daemon_0.92.1~dfsg-1volatile1_i386.deb
clamav-dbg_0.92.1~dfsg-1volatile1_i386.deb
to pool/volatile/main/c/clamav/clamav-dbg_0.92.1~dfsg-1volatile1_i386.deb
clamav-docs_0.92.1~dfsg-1volatile1_all.deb
to pool/volatile/main/c/clamav/clamav-docs_0.92.1~dfsg-1volatile1_all.deb
clamav-freshclam_0.92.1~dfsg-1volatile1_i386.deb
to pool/volatile/main/c/clamav/clamav-freshclam_0.92.1~dfsg-1volatile1_i386.deb
clamav-milter_0.92.1~dfsg-1volatile1_i386.deb
to pool/volatile/main/c/clamav/clamav-milter_0.92.1~dfsg-1volatile1_i386.deb
clamav-testfiles_0.92.1~dfsg-1volatile1_all.deb
to pool/volatile/main/c/clamav/clamav-testfiles_0.92.1~dfsg-1volatile1_all.deb
clamav_0.92.1~dfsg-1volatile1.diff.gz
to pool/volatile/main/c/clamav/clamav_0.92.1~dfsg-1volatile1.diff.gz
clamav_0.92.1~dfsg-1volatile1.dsc
to pool/volatile/main/c/clamav/clamav_0.92.1~dfsg-1volatile1.dsc
clamav_0.92.1~dfsg-1volatile1_i386.deb
to pool/volatile/main/c/clamav/clamav_0.92.1~dfsg-1volatile1_i386.deb
clamav_0.92.1~dfsg.orig.tar.gz
to pool/volatile/main/c/clamav/clamav_0.92.1~dfsg.orig.tar.gz
libclamav-dev_0.92.1~dfsg-1volatile1_i386.deb
to pool/volatile/main/c/clamav/libclamav-dev_0.92.1~dfsg-1volatile1_i386.deb
libclamav3_0.92.1~dfsg-1volatile1_i386.deb
to pool/volatile/main/c/clamav/libclamav3_0.92.1~dfsg-1volatile1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
volatile.debian.org distribution maintenance software
pp.
Stephen Gran <[EMAIL PROTECTED]> (supplier of updated clamav package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 12 Feb 2008 02:34:25 +0000
Source: clamav
Binary: libclamav3 clamav libclamav-dev clamav-dbg clamav-milter clamav-base
clamav-freshclam clamav-testfiles clamav-daemon clamav-docs
Architecture: source i386 all
Version: 0.92.1~dfsg-1volatile1
Distribution: etch-volatile
Urgency: low
Maintainer: Stephen Gran <[EMAIL PROTECTED]>
Changed-By: Stephen Gran <[EMAIL PROTECTED]>
Description:
clamav - antivirus scanner for Unix
clamav-base - base package for clamav, an anti-virus utility for Unix
clamav-daemon - antivirus scanner daemon
clamav-dbg - debug symbols for clamav
clamav-docs - documentation package for clamav, an anti-virus utility for Unix
clamav-freshclam - downloads clamav virus databases from the Internet
clamav-milter - antivirus scanner for sendmail
clamav-testfiles - use these files to test that your Antivirus program works
libclamav-dev - clam Antivirus library development files
libclamav3 - virus scanner library
Closes: 458532
Changes:
clamav (0.92.1~dfsg-1volatile1) etch-volatile; urgency=low
.
* New upstream version
- [2007-6595]: libclamav/others.c: symlink vulnerability
cli_gentempfd now calls open with O_EXCL (closes: #458532)
- [CVE-2008-0318]: libclamav/pe.c: possible integer overflow
- libclamav/mew.c: possible heap corruption
Files:
--- End Message ---
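The changelog entry above says the fix for CVE-2007-6595 was to have cli_gentempfd open its temporary file with O_EXCL. The following is an added illustration of that pattern, not ClamAV's code: open_temp_exclusive() creates a file with O_CREAT|O_EXCL, and demo_symlink_refused() builds a scratch directory (constructed scenario) with a symlink already sitting at the name the scanner would use, then checks that the exclusive open fails with EEXIST, the link target is untouched, and a fresh name still succeeds.

```c
/* Added example (not ClamAV's code): exclusive temp-file creation, the
   pattern the changelog describes for cli_gentempfd, exercised against a
   pre-placed symlink in a scratch directory. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a brand-new file at `path`; refuse if anything (regular file or
   symlink, even a dangling one) is already there. With O_EXCL the check and
   the create are one atomic step, so a link planted between a stat() and
   the open() is not followed. Returns the fd, or -1 with errno set. */
int open_temp_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Returns 1 if the exclusive open refuses the planted symlink (EEXIST),
   leaves the link target unmodified, and then succeeds on an unused name. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/exclXXXXXX";            /* scratch directory template */
    char target[64], planted[64], fresh[64];
    struct stat st;
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/predictable.tmp", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.tmp", dir);

    /* Constructed scenario: a file that must not be overwritten, and a
       symlink to it already sitting at the predictable temp-file name. */
    fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4)
        goto out;
    close(fd);
    if (symlink(target, planted) != 0)
        goto out;

    /* Exclusive create must fail rather than open the link target. */
    fd = open_temp_exclusive(planted);
    if (fd == -1 && errno == EEXIST && stat(target, &st) == 0 && st.st_size == 4) {
        fd = open_temp_exclusive(fresh);      /* an unused name still works */
        if (fd >= 0) { close(fd); ok = 1; }
    }
out:
    unlink(fresh); unlink(planted); unlink(target); rmdir(dir);
    return ok;
}
```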