Debian Bug report logs - #490925
CVE-2008-2713: DoS

version graph

Package: libclamav4; Maintainer for libclamav4 is (unknown);

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Tue, 15 Jul 2008 11:36:02 UTC

Severity: grave

Tags: patch, security

Fixed in versions clamav/0.93.1.dfsg-1.1, clamav/0.93.1.dfsg-volatile1.1

Done: Gerfried Fuchs <rhonda@debian.at>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Stephen Gran <sgran@debian.org>:
Bug#490925; Package libclamav4. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Stephen Gran <sgran@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-2713: DoS
Date: Tue, 15 Jul 2008 21:35:00 +1000
Package: libclamav4
Severity: grave
Tags: security, patch
Justification: user security hole


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for clamav.

CVE-2008-2713[0]:
| libclamav/petite.c in ClamAV before 0.93.1 allows remote attackers to
| cause a denial of service via a crafted Petite file that triggers an
| out-of-bounds read.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

The DTSA released for this issue seems to have been incomplete. Please
see this mail[1] and the additional upstream commit[2].

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2713
    http://security-tracker.debian.net/tracker/CVE-2008-2713

[1] http://www.openwall.com/lists/oss-security/2008/07/15/1

[2] http://svn.clamav.net/websvn/diff.php?repname=clamav-devel&path=/branches/0.93/libclamav/petite.c&rev=3920




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#490925; Package libclamav4. Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 490925@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 490925@bugs.debian.org
Cc: Debian Bug Tracking System <control@bugs.debian.org>
Subject: Re: Bug#490925: CVE-2008-2713: DoS
Date: Tue, 15 Jul 2008 13:21:51 +0100
[Message part 1 (text/plain, inline)]
close 490925 0.90.1dfsg-3etch12
close 490925 0.93.1.dfsg-volatile1
close 490925 0.93.1.dfsg-1
thanks

This one time, at band camp, Steffen Joeris said:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for clamav.
> 
> CVE-2008-2713[0]:
> | libclamav/petite.c in ClamAV before 0.93.1 allows remote attackers to
> | cause a denial of service via a crafted Petite file that triggers an
> | out-of-bounds read.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> 
> The DTSA released for this issue seems to have been incomplete. Please
> see this mail[1] and the additional upstream commit[2].

This has been uploaded for a while.  Thanks for the report.  I don't
know where the security upload has gone, the upload file says:

2008-06-16 23:22 clamav_0.90.1dfsg-3etch12_i386.upload

So it's been uploaded for quite a while, but I don't see it on the
mirrors.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]

Bug marked as fixed in version 0.90.1dfsg-3etch12, send any further explanations to Steffen Joeris <steffen.joeris@skolelinux.de> Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (Tue, 15 Jul 2008 12:24:05 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 0.93.1.dfsg-volatile1, send any further explanations to Steffen Joeris <steffen.joeris@skolelinux.de> Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (Tue, 15 Jul 2008 12:24:06 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 0.93.1.dfsg-1, send any further explanations to Steffen Joeris <steffen.joeris@skolelinux.de> Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (Tue, 15 Jul 2008 12:24:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Gran <sgran@debian.org>:
Bug#490925; Package libclamav4. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Stephen Gran <sgran@debian.org>. Full text and rfc822 format available.

Message #21 received at 490925@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Stephen Gran <sgran@debian.org>
Cc: 490925@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#490925: CVE-2008-2713: DoS
Date: Tue, 15 Jul 2008 22:48:12 +1000
[Message part 1 (text/plain, inline)]
reopen 490925
thanks

On Tue, 15 Jul 2008 10:21:51 pm Stephen Gran wrote:
> close 490925 0.90.1dfsg-3etch12
> close 490925 0.93.1.dfsg-volatile1
> close 490925 0.93.1.dfsg-1
> thanks
>
> This one time, at band camp, Steffen Joeris said:
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for clamav.
> >
> > CVE-2008-2713[0]:
> > | libclamav/petite.c in ClamAV before 0.93.1 allows remote attackers to
> > | cause a denial of service via a crafted Petite file that triggers an
> > | out-of-bounds read.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE id in your changelog entry.
> >
> > The DTSA released for this issue seems to have been incomplete. Please
> > see this mail[1] and the additional upstream commit[2].
>
> This has been uploaded for a while.  Thanks for the report.  I don't
> know where the security upload has gone, the upload file says:
Neither the stable-security upload, nor the testing-security upload address 
the new report. Also, I cannot see that the unstable version fixes it.
I haven't checked volatile.
Please check the email and upstream commit I pointed to in the first email and 
bare in mind that the original upstream fix was incomplete.

> 2008-06-16 23:22 clamav_0.90.1dfsg-3etch12_i386.upload
>
> So it's been uploaded for quite a while, but I don't see it on the
> mirrors.
It has not yet been released and lies in the queue.

Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]

Bug reopened, originator not changed. Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Tue, 15 Jul 2008 12:51:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#490925; Package libclamav4. Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #28 received at 490925@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>
Cc: 490925@bugs.debian.org
Subject: Re: Bug#490925: CVE-2008-2713: DoS
Date: Tue, 15 Jul 2008 14:00:50 +0100
[Message part 1 (text/plain, inline)]
This one time, at band camp, Steffen Joeris said:
> On Tue, 15 Jul 2008 10:21:51 pm Stephen Gran wrote:
> > This one time, at band camp, Steffen Joeris said:
> Neither the stable-security upload, nor the testing-security upload address 
> the new report. Also, I cannot see that the unstable version fixes it.
> I haven't checked volatile.
> Please check the email and upstream commit I pointed to in the first email and 
> bare in mind that the original upstream fix was incomplete.

Ah, I see now - there was one issue with exactly the same wording that
is fixed, but this is a related issue not yet fixed, and so had wording
that applied badly, confusing me.  I read the description and the
'before 0.93.1' and said, "oh, I know this one - I uploaded fixed
versions already".  Sorry for any confusion.

Will look at it tonight.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#490925; Package libclamav4. Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #33 received at 490925@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 490925@bugs.debian.org
Subject: Re: Bug#490925: CVE-2008-2713: DoS
Date: Wed, 16 Jul 2008 15:26:38 +0100
[Message part 1 (text/plain, inline)]
Just a note for the bug report - I'm a little busy right now with job
hunting and interviewing and so forth.  If someone wants to NMU either a
fixed version or the new upstream, that's fine with me.

Thanks,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Gran <sgran@debian.org>:
Bug#490925; Package libclamav4. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Stephen Gran <sgran@debian.org>. Full text and rfc822 format available.

Message #38 received at 490925@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Stephen Gran <sgran@debian.org>, 490925@bugs.debian.org
Subject: Re: Bug#490925: CVE-2008-2713: DoS
Date: Wed, 16 Jul 2008 17:35:44 +0200
[Message part 1 (text/plain, inline)]
Hi Stephen,
* Stephen Gran <sgran@debian.org> [2008-07-16 16:39]:
> Just a note for the bug report - I'm a little busy right now with job
> hunting and interviewing and so forth.  If someone wants to NMU either a
> fixed version or the new upstream, that's fine with me.

a debdiff for an NMU is attached and archived on:

http://people.debian.org/~nion/nmu-diff/clamav-0.93.1.dfsg-1_0.93.1.dfsg-1.1.patch

Note that I noticed that there is an infrastructure for 
dpatch but you removed dpatch a few uploads ago and I didn't 
want to reintroduce it for the security upload and thus I 
patched the source code directly.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[clamav-0.93.1.dfsg-1_0.93.1.dfsg-1.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#490925; Package libclamav4. Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #43 received at 490925@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: Nico Golde <nion@debian.org>
Cc: 490925@bugs.debian.org
Subject: Re: Bug#490925: CVE-2008-2713: DoS
Date: Wed, 16 Jul 2008 16:39:22 +0100
[Message part 1 (text/plain, inline)]
This one time, at band camp, Nico Golde said:
> Hi Stephen,
> * Stephen Gran <sgran@debian.org> [2008-07-16 16:39]:
> > Just a note for the bug report - I'm a little busy right now with job
> > hunting and interviewing and so forth.  If someone wants to NMU either a
> > fixed version or the new upstream, that's fine with me.
> 
> a debdiff for an NMU is attached and archived on:
> 
> http://people.debian.org/~nion/nmu-diff/clamav-0.93.1.dfsg-1_0.93.1.dfsg-1.1.patch

Looks great, thanks.

> Note that I noticed that there is an infrastructure for 
> dpatch but you removed dpatch a few uploads ago and I didn't 
> want to reintroduce it for the security upload and thus I 
> patched the source code directly.

I'm keeping the tree in git these says, so having a patch system on top
of an RCS system seemed redundant, somehow.  I'll push this into my
tree, thanks.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #48 received at 490925-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 490925-close@bugs.debian.org
Subject: Bug#490925: fixed in clamav 0.93.1.dfsg-1.1
Date: Wed, 16 Jul 2008 17:32:05 +0000
Source: clamav
Source-Version: 0.93.1.dfsg-1.1

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive:

clamav-base_0.93.1.dfsg-1.1_all.deb
  to pool/main/c/clamav/clamav-base_0.93.1.dfsg-1.1_all.deb
clamav-daemon_0.93.1.dfsg-1.1_amd64.deb
  to pool/main/c/clamav/clamav-daemon_0.93.1.dfsg-1.1_amd64.deb
clamav-dbg_0.93.1.dfsg-1.1_amd64.deb
  to pool/main/c/clamav/clamav-dbg_0.93.1.dfsg-1.1_amd64.deb
clamav-docs_0.93.1.dfsg-1.1_all.deb
  to pool/main/c/clamav/clamav-docs_0.93.1.dfsg-1.1_all.deb
clamav-freshclam_0.93.1.dfsg-1.1_amd64.deb
  to pool/main/c/clamav/clamav-freshclam_0.93.1.dfsg-1.1_amd64.deb
clamav-milter_0.93.1.dfsg-1.1_amd64.deb
  to pool/main/c/clamav/clamav-milter_0.93.1.dfsg-1.1_amd64.deb
clamav-testfiles_0.93.1.dfsg-1.1_all.deb
  to pool/main/c/clamav/clamav-testfiles_0.93.1.dfsg-1.1_all.deb
clamav_0.93.1.dfsg-1.1.diff.gz
  to pool/main/c/clamav/clamav_0.93.1.dfsg-1.1.diff.gz
clamav_0.93.1.dfsg-1.1.dsc
  to pool/main/c/clamav/clamav_0.93.1.dfsg-1.1.dsc
clamav_0.93.1.dfsg-1.1_amd64.deb
  to pool/main/c/clamav/clamav_0.93.1.dfsg-1.1_amd64.deb
libclamav-dev_0.93.1.dfsg-1.1_amd64.deb
  to pool/main/c/clamav/libclamav-dev_0.93.1.dfsg-1.1_amd64.deb
libclamav4_0.93.1.dfsg-1.1_amd64.deb
  to pool/main/c/clamav/libclamav4_0.93.1.dfsg-1.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 490925@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 16 Jul 2008 16:54:49 +0200
Source: clamav
Binary: clamav-base clamav-docs clamav-dbg clamav libclamav-dev libclamav4 clamav-daemon clamav-testfiles clamav-freshclam clamav-milter
Architecture: source all amd64
Version: 0.93.1.dfsg-1.1
Distribution: unstable
Urgency: high
Maintainer: Stephen Gran <sgran@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 clamav     - anti-virus utility for Unix - command-line interface
 clamav-base - anti-virus utility for Unix - base package
 clamav-daemon - anti-virus utility for Unix - scanner daemon
 clamav-dbg - debug symbols for ClamAV
 clamav-docs - anti-virus utility for Unix - documentation
 clamav-freshclam - anti-virus utility for Unix - virus database update utility
 clamav-milter - anti-virus utility for Unix - sendmail integration
 clamav-testfiles - anti-virus utility for Unix - test files
 libclamav-dev - anti-virus utility for Unix - development files
 libclamav4 - anti-virus utility for Unix - library
Closes: 490925
Changes: 
 clamav (0.93.1.dfsg-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update addresses the following security issue:
     - CVE-2008-2713: A crafted petite file can trigger an out-of-bound
       read operation in petite.c resulting in a denial of sevice
       (Closes: #490925).
Checksums-Sha1: 
 8661683cac5e973adc23ffd873d71aa115498b36 1301 clamav_0.93.1.dfsg-1.1.dsc
 f1be94ecb79b09def897eb3c80f741af178446f2 154698 clamav_0.93.1.dfsg-1.1.diff.gz
 3161ce154c6c41627353dbd4d4133df089a403be 15326234 clamav-base_0.93.1.dfsg-1.1_all.deb
 e2f31ab6573c527fb999704071de0cbff3d06b8e 193812 clamav-testfiles_0.93.1.dfsg-1.1_all.deb
 07ca4e779931a1a3c1570ce2667ad8f411cfd6fb 1051642 clamav-docs_0.93.1.dfsg-1.1_all.deb
 e7b729f6dde586c2ca5b3fdb897f6ad66332d853 479088 libclamav4_0.93.1.dfsg-1.1_amd64.deb
 9553f0521766245ead59b11c834f533325583898 224240 clamav_0.93.1.dfsg-1.1_amd64.deb
 92fa8e5410114968f61e4596bfd07373065907a0 217386 clamav-daemon_0.93.1.dfsg-1.1_amd64.deb
 eefc8fb7525381540b76d87ff849c1ffcd029a0e 231602 clamav-freshclam_0.93.1.dfsg-1.1_amd64.deb
 2df2619b5bdf64b51d859d0249426edaca07429d 218874 clamav-milter_0.93.1.dfsg-1.1_amd64.deb
 6c9523f90137c3cd3dc7ac88df4f4e7e1d400391 511072 libclamav-dev_0.93.1.dfsg-1.1_amd64.deb
 ded74c2e4c88a56d8157832cef8d54ee20d4920d 789574 clamav-dbg_0.93.1.dfsg-1.1_amd64.deb
Checksums-Sha256: 
 8061e2dc5d8d838f48ee637afe04cea4945c24c4ce804dbb341b940ff16df52b 1301 clamav_0.93.1.dfsg-1.1.dsc
 c91353d8310b7c29c4e0dd109bcc80fe6b1dde3499acc67dd76c85a1297835ba 154698 clamav_0.93.1.dfsg-1.1.diff.gz
 24d54f744145663e5a53b594d307e27d48a879a505538d69d33300f39febdefc 15326234 clamav-base_0.93.1.dfsg-1.1_all.deb
 2311ec34972ec581baf0003ea3e84756e8a3d6cd61007df724c8e2afa5fcf18d 193812 clamav-testfiles_0.93.1.dfsg-1.1_all.deb
 73e573f23f4ec21f02475dba6b4c1993e5dc170a3de12be112f42a211c0e8dc1 1051642 clamav-docs_0.93.1.dfsg-1.1_all.deb
 6e89017ff4538053cd0d3b48f412d27b598fb04f26cd9e35a0522b57e47378c0 479088 libclamav4_0.93.1.dfsg-1.1_amd64.deb
 223004b5f2c314094065fce5ad2f18f7ec6d44915a794219cd060a52d05d4395 224240 clamav_0.93.1.dfsg-1.1_amd64.deb
 259741a1010ca4ab5740aaec89c6afb4eed02cd3cf0a8719780a6fd31d1c56e6 217386 clamav-daemon_0.93.1.dfsg-1.1_amd64.deb
 40971dd1316260dcbc8ccf7170d8f4ce9fde6186b439843395ac6a5341ea4acb 231602 clamav-freshclam_0.93.1.dfsg-1.1_amd64.deb
 340d55e053746868eef31b1dc042838d9994108896757f0d699fdab876df5a29 218874 clamav-milter_0.93.1.dfsg-1.1_amd64.deb
 4348fc390067f452a5c4a943ea953d0c471d2161906a7c083936a47414a2e266 511072 libclamav-dev_0.93.1.dfsg-1.1_amd64.deb
 960233da3cd47ec9377ce6af07a3c3acf7985650e070b71662b284093c458db9 789574 clamav-dbg_0.93.1.dfsg-1.1_amd64.deb
Files: 
 6f6759b7e3f1678d4d1d587bf20c6524 1301 utils optional clamav_0.93.1.dfsg-1.1.dsc
 924ec5d88768d20a203156645c92c19a 154698 utils optional clamav_0.93.1.dfsg-1.1.diff.gz
 59bfc7886cb25578b20dface6723f216 15326234 utils optional clamav-base_0.93.1.dfsg-1.1_all.deb
 deb9daf38cb447c74fea784abf6c3d8d 193812 utils optional clamav-testfiles_0.93.1.dfsg-1.1_all.deb
 0fd1028e4db1c5915973fa0f87d88c4a 1051642 doc optional clamav-docs_0.93.1.dfsg-1.1_all.deb
 d3a7167e36b8ea76e305c04e947ba4bf 479088 libs optional libclamav4_0.93.1.dfsg-1.1_amd64.deb
 952a0052088af4bc842f7b0cae70fce2 224240 utils optional clamav_0.93.1.dfsg-1.1_amd64.deb
 f69c8d2ad2c328bc032a9ea15119d8b1 217386 utils optional clamav-daemon_0.93.1.dfsg-1.1_amd64.deb
 15a48f3833f1642b45d2098f088b0557 231602 utils optional clamav-freshclam_0.93.1.dfsg-1.1_amd64.deb
 04a1eff43eda15153106340d945fc30d 218874 utils extra clamav-milter_0.93.1.dfsg-1.1_amd64.deb
 6e1662b98b55b40e43c81fa3e79bbfc5 511072 libdevel optional libclamav-dev_0.93.1.dfsg-1.1_amd64.deb
 7fedb5ada4fb4dda2e431ba540caacb7 789574 utils extra clamav-dbg_0.93.1.dfsg-1.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkh+KggACgkQHYflSXNkfP83ZQCeOXJ32IOuVIicOrOyL63s0LgA
jOQAn2y0ZuXFsAMXulU5ANXbsW/8vU7h
=QfUY
-----END PGP SIGNATURE-----





Reply sent to Gerfried Fuchs <rhonda@debian.at>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #53 received at 490925-close@bugs.debian.org (full text, mbox):

From: Gerfried Fuchs <rhonda@debian.at>
To: 490925-close@bugs.debian.org
Subject: Bug#490925: fixed in clamav 0.93.1.dfsg-volatile1.1
Date: Fri, 1 Aug 2008 10:50:14 +0000 (UTC)
Source: clamav
Source-Version: 0.93.1.dfsg-volatile1.1

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the volatile.debian.org FTP archive:

clamav-base_0.93.1.dfsg-volatile1.1_all.deb
  to pool/volatile/main/c/clamav/clamav-base_0.93.1.dfsg-volatile1.1_all.deb
clamav-daemon_0.93.1.dfsg-volatile1.1_powerpc.deb
  to pool/volatile/main/c/clamav/clamav-daemon_0.93.1.dfsg-volatile1.1_powerpc.deb
clamav-dbg_0.93.1.dfsg-volatile1.1_powerpc.deb
  to pool/volatile/main/c/clamav/clamav-dbg_0.93.1.dfsg-volatile1.1_powerpc.deb
clamav-docs_0.93.1.dfsg-volatile1.1_all.deb
  to pool/volatile/main/c/clamav/clamav-docs_0.93.1.dfsg-volatile1.1_all.deb
clamav-freshclam_0.93.1.dfsg-volatile1.1_powerpc.deb
  to pool/volatile/main/c/clamav/clamav-freshclam_0.93.1.dfsg-volatile1.1_powerpc.deb
clamav-milter_0.93.1.dfsg-volatile1.1_powerpc.deb
  to pool/volatile/main/c/clamav/clamav-milter_0.93.1.dfsg-volatile1.1_powerpc.deb
clamav-testfiles_0.93.1.dfsg-volatile1.1_all.deb
  to pool/volatile/main/c/clamav/clamav-testfiles_0.93.1.dfsg-volatile1.1_all.deb
clamav_0.93.1.dfsg-volatile1.1.diff.gz
  to pool/volatile/main/c/clamav/clamav_0.93.1.dfsg-volatile1.1.diff.gz
clamav_0.93.1.dfsg-volatile1.1.dsc
  to pool/volatile/main/c/clamav/clamav_0.93.1.dfsg-volatile1.1.dsc
clamav_0.93.1.dfsg-volatile1.1_powerpc.deb
  to pool/volatile/main/c/clamav/clamav_0.93.1.dfsg-volatile1.1_powerpc.deb
libclamav-dev_0.93.1.dfsg-volatile1.1_powerpc.deb
  to pool/volatile/main/c/clamav/libclamav-dev_0.93.1.dfsg-volatile1.1_powerpc.deb
libclamav4_0.93.1.dfsg-volatile1.1_powerpc.deb
  to pool/volatile/main/c/clamav/libclamav4_0.93.1.dfsg-volatile1.1_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 490925@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

volatile.debian.org distribution maintenance software
pp.
Gerfried Fuchs <rhonda@debian.at> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@volatile.debian.net)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 01 Aug 2008 12:17:43 +0200
Source: clamav
Binary: clamav libclamav-dev clamav-dbg clamav-milter libclamav4 clamav-base clamav-freshclam clamav-testfiles clamav-daemon clamav-docs
Architecture: source powerpc all
Version: 0.93.1.dfsg-volatile1.1
Distribution: etch-volatile
Urgency: high
Maintainer: Stephen Gran <sgran@debian.org>
Changed-By: Gerfried Fuchs <rhonda@debian.at>
Description: 
 clamav     - anti-virus utility for Unix - command-line interface
 clamav-base - anti-virus utility for Unix - base package
 clamav-daemon - anti-virus utility for Unix - scanner daemon
 clamav-dbg - debug symbols for ClamAV
 clamav-docs - anti-virus utility for Unix - documentation
 clamav-freshclam - anti-virus utility for Unix - virus database update utility
 clamav-milter - anti-virus utility for Unix - sendmail integration
 clamav-testfiles - anti-virus utility for Unix - test files
 libclamav-dev - anti-virus utility for Unix - development files
 libclamav4 - anti-virus utility for Unix - library
Closes: 490925
Changes: 
 clamav (0.93.1.dfsg-volatile1.1) etch-volatile; urgency=low
 .
   * Rebuild for etch-volatile.
 .
 clamav (0.93.1.dfsg-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update addresses the following security issue:
     - CVE-2008-2713: A crafted petite file can trigger an out-of-bound
       read operation in petite.c resulting in a denial of sevice
       (Closes: #490925).
Files: 
 14407af7396b80a539673e321e81bf1e 909 utils optional clamav_0.93.1.dfsg-volatile1.1.dsc
 f1fd73b702fe4d97bde565b6739bfda5 153423 utils optional clamav_0.93.1.dfsg-volatile1.1.diff.gz
 9eedb3d1405dad46b48d55d7872269d5 15327630 utils optional clamav-base_0.93.1.dfsg-volatile1.1_all.deb
 d07538c4e2e32fc2152d50e90cffde5e 194294 utils optional clamav-testfiles_0.93.1.dfsg-volatile1.1_all.deb
 eb672f4f494563f45a169ecded61ab68 1050570 doc optional clamav-docs_0.93.1.dfsg-volatile1.1_all.deb
 dd8cc6a32371fd4b5d3ba27c1c75e88a 484890 libs optional libclamav4_0.93.1.dfsg-volatile1.1_powerpc.deb
 b2e31856f8381c1bc67116686e22858e 226224 utils optional clamav_0.93.1.dfsg-volatile1.1_powerpc.deb
 95edcfa08c84c7adced29b96e829a4bf 220234 utils optional clamav-daemon_0.93.1.dfsg-volatile1.1_powerpc.deb
 062964f7ce1eebe45eb1271bfda6bf67 234418 utils optional clamav-freshclam_0.93.1.dfsg-volatile1.1_powerpc.deb
 6c6d36609ec8acb4e50020cbd1f22135 217096 utils extra clamav-milter_0.93.1.dfsg-volatile1.1_powerpc.deb
 a5d8c19c66a54baa3c541a242c560a56 536898 libdevel optional libclamav-dev_0.93.1.dfsg-volatile1.1_powerpc.deb
 5e166eeb91c4b4d0cbdb190cc3b38243 800348 utils extra clamav-dbg_0.93.1.dfsg-volatile1.1_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkiS6IgACgkQELuA/Ba9d8b6IgCfW9fVl0IsFJtUIPtOi+FQoDBd
+vkAn1Y5x8Wz8g/qcIInSJ7+edi/1nAi
=yjWg
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 30 Aug 2008 07:28:50 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 14:48:18 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.