Debian Bug report logs - #411118
clamav: CVE-2007-0897 - CAB File Denial of Service Vulnerability


Package: clamav; Maintainer for clamav is ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>; Source for clamav is src:clamav.

Reported by: intrigeri@boum.org

Date: Fri, 16 Feb 2007 11:18:01 UTC

Severity: important

Found in versions 0.84-2.sarge.13, 0.88.7-1, 0.90~rc3-1

Fixed in versions 0.90-1, 0.88.7-2, 0.84-2.sarge.14

Done: Stephen Gran <sgran@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Ben Voui <intrigeri@boum.org>, Stephen Gran <sgran@debian.org>:
Bug#411118; Package clamav.

Acknowledgement sent to intrigeri@boum.org:
New Bug report received and forwarded. Copy sent to Ben Voui <intrigeri@boum.org>, Stephen Gran <sgran@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: intrigeri@boum.org
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: clamav: CVE-2007-0897 - CAB File Denial of Service Vulnerability
Date: Fri, 16 Feb 2007 03:16:28 -0800 (PST)
Package: clamav
Version: 0.84-2.sarge.13
Severity: serious

All versions prior to 0.90 are suspected to be vulnerable to a resource
consumption vulnerability in Clam AntiVirus' ClamAV that allows remote attackers to
degrade the service of the clamd scanner. E.g., legitimate email can be refused
because of this bug. v0.90RC1.1 is confirmed to be vulnerable. Upstream 0.90
fixes this. A sarge security fix backport will probably be needed.

Ciao,

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)

Versions of packages clamav depends on:
ii  clamav-freshclam [cla 0.84-2.sarge.13    downloads clamav virus databases f
ii  libbz2-1.0            1.0.2-7            high-quality block-sorting file co
ii  libc6                 2.3.2.ds1-22sarge4 GNU C Library: Shared libraries an
ii  libclamav1            0.84-2.sarge.13    virus scanner library
ii  libcurl3              7.13.2-2sarge5     Multi-protocol file transfer libra
ii  libgmp3               4.1.4-6            Multiprecision arithmetic library
ii  libidn11              0.5.13-1.0         GNU libidn library, implementation
ii  libssl0.9.7           0.9.7e-3sarge4     SSL shared libraries
ii  zlib1g                1:1.2.2-4.sarge.2  compression library - runtime

-- no debconf information



Severity set to `important' from `serious'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#411118; Package clamav.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list.

Message #12 received at 411118@bugs.debian.org:

From: Stephen Gran <sgran@debian.org>
To: intrigeri@boum.org, 411117@bugs.debian.org, 411118@bugs.debian.org
Cc: Debian Bug Tracking System <control@bugs.debian.org>
Subject: Re: Bug#411117: clamav: CVE-2007-0898 & CVE-2007-0897
Date: Fri, 16 Feb 2007 12:16:22 +0000
found 411117 0.84-2.sarge.13
found 411117 0.88.7-1
found 411117 0.90~rc3-1
notfound 411117 0.84-2.sarge.14
notfound 411117 0.88.7-2
notfound 411117 0.90-1
close 411117 0.90-1
close 411117 0.88.7-2
close 411117 0.84-2.sarge.14
found 411118 0.84-2.sarge.13
found 411118 0.88.7-1
found 411118 0.90~rc3-1
notfound 411118 0.84-2.sarge.14
notfound 411118 0.88.7-2
notfound 411118 0.90-1
close 411118 0.90-1
close 411118 0.88.7-2
close 411118 0.84-2.sarge.14
thanks

Fixes for these have been uploaded to stable-security, volatile,
testing-proposed-updates, and unstable.  Sorry about any wait time -
it's now out of my hands.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

Bug marked as found in version 0.84-2.sarge.13. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org.

Bug marked as found in version 0.88.7-1. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org.

Bug marked as found in version 0.90~rc3-1. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org.

Bug marked as not found in version 0.84-2.sarge.14. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org.

Bug marked as not found in version 0.88.7-2. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org.

Bug marked as not found in version 0.90-1. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org.

Bug marked as fixed in version 0.90-1; send any further explanations to intrigeri@boum.org. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org.

Bug marked as fixed in version 0.88.7-2; send any further explanations to intrigeri@boum.org. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org.

Bug marked as fixed in version 0.84-2.sarge.14; send any further explanations to intrigeri@boum.org. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 19:02:38 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 22:26:22 2014; Machine Name: beach.debian.org
