Eygene Ryabinkin
2008-Nov-10 04:26 UTC
ports/128749: [vuxml] VBA parser vulnerability in ClamAV < 0.94.1
>Number:         128749
>Category:       ports
>Synopsis:       [vuxml] VBA parser vulnerability in ClamAV < 0.94.1
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 10 11:20:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
As was recently reported on the BugTraq list, the VBA parser in ClamAV
contains an off-by-one overflow that can lead to arbitrary code
execution within the clamd process. The VBA component seems to be
unconditionally included in libclamav, and OLE2 scanning is "on" by
default.
>How-To-Repeat:
http://www.securityfocus.com/archive/1/498169/30/0/threaded
>Fix:
The following VuXML entry describes this issue:

--- vuln.xml begins here ---
  <vuln vid="">
    <topic>clamav -- off-by-one heap overflow in VBA project parser</topic>
    <affects>
      <package>
        <name>clamav</name>
        <range><lt>0.94.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Advisory from Moritz Jodeit, November 8th, 2008:</p>
        <blockquote cite="http://www.securityfocus.com/archive/1/498169/30/0/threaded">
          <p>ClamAV contains an off-by-one heap overflow
            vulnerability in the code responsible for parsing VBA
            project files. Successful exploitation could allow an
            attacker to execute arbitrary code with the privileges of
            the `clamd' process by sending an email with a prepared
            attachment.</p>
          <p>A VBA project file embedded inside an OLE2 office
            document send as an attachment can trigger the
            off-by-one.</p>
        </blockquote>
        <p>Entry from Thu Oct 30 13:52:42 CET 2008 (acab) in ChangeLog:</p>
        <blockquote cite="http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog">
          <p>libclamav/vba_extract.c: get_unicode_name off-by-one,
            bb#1239 reported by Moritz Jodeit
            &lt;moritz*jodeit.org&gt;</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://www.securityfocus.com/archive/1/498169/30/0/threaded</url>
      <url>http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog</url>
    </references>
    <dates>
      <discovery>2008-11-08</discovery>
    </dates>
  </vuln>
--- vuln.xml ends here ---

The FreeBSD port itself is already at 0.94.1, so it is fully patched.
>Release-Note:
>Audit-Trail:
>Unformatted:
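Added example, not part of the original report or of FreeBSD's own tooling: a check of an installed package version against the <affects> range of the VuXML entry above. The function names are hypothetical, and the version comparison is a simplification that accepts only numeric dotted versions with optional _REVISION and ,EPOCH suffixes rather than the full ports version ordering.

```python
import re
import xml.etree.ElementTree as ET

# <affects> block copied from the VuXML entry in the report above.
AFFECTS_XML = """
<affects>
  <package>
    <name>clamav</name>
    <range><lt>0.94.1</lt></range>
  </package>
</affects>
"""

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_(\d+))?(?:,(\d+))?$")


def version_key(version):
    """Sort key (epoch, dotted numbers, port revision) for a port version.

    Assumption: simplified ordering; anything other than N.N.N[_REV][,EPOCH]
    raises ValueError instead of being compared incorrectly.
    """
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError("unsupported version string: %r" % version)
    dotted = tuple(int(part) for part in m.group(1).split("."))
    return (int(m.group(3) or 0), dotted, int(m.group(2) or 0))


# Bound elements that may appear inside a VuXML <range>.
_OPS = {
    "lt": lambda v, bound: v < bound,
    "le": lambda v, bound: v <= bound,
    "gt": lambda v, bound: v > bound,
    "ge": lambda v, bound: v >= bound,
    "eq": lambda v, bound: v == bound,
}


def is_affected(affects_xml, name, version):
    """True if name-version falls inside any <range> of the entry."""
    installed = version_key(version)
    for package in ET.fromstring(affects_xml).iter("package"):
        if name not in [n.text.strip() for n in package.findall("name")]:
            continue
        for rng in package.findall("range"):
            # All bounds inside one <range> must hold together.
            if all(_OPS[b.tag](installed, version_key(b.text.strip())) for b in rng):
                return True
    return False
```
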
miwi@FreeBSD.org
2008-Nov-10 21:03 UTC
ports/128749: [vuxml] VBA parser vulnerability in ClamAV < 0.94.1
Synopsis: [vuxml] VBA parser vulnerability in ClamAV < 0.94.1

Responsible-Changed-From-To: freebsd-ports-bugs->miwi
Responsible-Changed-By: miwi
Responsible-Changed-When: Tue Nov 11 05:02:54 UTC 2008
Responsible-Changed-Why:
I'll take it.

http://www.freebsd.org/cgi/query-pr.cgi?pr=128749
garga@FreeBSD.org
2008-Nov-11 04:19 UTC
ports/128749: [vuxml] VBA parser vulnerability in ClamAV < 0.94.1
Synopsis: [vuxml] VBA parser vulnerability in ClamAV < 0.94.1

State-Changed-From-To: open->closed
State-Changed-By: garga
State-Changed-When: Tue Nov 11 10:28:18 UTC 2008
State-Changed-Why:
Already committed, just closing now. Thanks for contributing!!

http://www.freebsd.org/cgi/query-pr.cgi?pr=128749