The cygwin clamav packages (Clam AntiVirus - GPL anti-virus toolkit) have been updated to 0.91.2-1.

This is a SECURITY update: Gentoo Linux Security Advisory GLSA 200709-14

Vulnerabilities have been discovered in ClamAV allowing remote execution of arbitrary code and Denial of Service attacks.

Description
===========

Nikolaos Rangos discovered a vulnerability in ClamAV which exists because the recipient address extracted from email messages is not properly sanitized before being used in a call to "popen()" when executing sendmail (CVE-2007-4560). Also, NULL-pointer dereference errors exist within the "cli_scanrtf()" function in libclamav/rtf.c, and Stefanos Stamatis discovered a NULL-pointer dereference vulnerability within the "cli_html_normalise()" function in libclamav/htmlnorm.c (CVE-2007-4510).

Impact
======

The unsanitized recipient address can be exploited to execute arbitrary code with the privileges of the clamav-milter process by sending an email with a specially crafted recipient address to the affected system. Also, the NULL-pointer dereference errors can be exploited to crash ClamAV. Successful exploitation of the latter vulnerability requires that clamav-milter is started with the "black hole" mode activated, which is not enabled by default.

References
==========

  [ 1 ] CVE-2007-4510
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4510
  [ 2 ] CVE-2007-4560
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4560

About
=====

Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a commandline scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software.
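As an added illustration of the popen() issue in the Description above (this is not ClamAV's own code, and the sendmail path is an assumption), the hardened pattern is to validate the recipient against a strict allow-list and to hand it to sendmail as its own argv element via execv(), so that no shell ever parses the address:

```c
#include <ctype.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Assumed path; a real milter resolves sendmail's location at configure time. */
#define SENDMAIL_PATH "/usr/sbin/sendmail"

/* Allow-list check for a recipient address: printable ASCII only, no
 * whitespace or shell metacharacters, and no leading '-' so it cannot be
 * parsed as a sendmail option. Returns 1 if the address is acceptable. */
int recipient_is_safe(const char *addr)
{
    static const char forbidden[] = " \t\r\n;|&`$<>(){}[]*?!\\\"'";
    size_t len = strlen(addr);
    if (len == 0 || len > 320 || addr[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (!isprint(c) || strchr(forbidden, (int)c))
            return 0;
    }
    return 1;
}

/* Hand 'body' to sendmail for 'rcpt' without ever invoking /bin/sh: the
 * address travels as a separate argv element, so metacharacters in it are
 * inert. Returns sendmail's exit status, or -1 on rejection/spawn failure. */
int send_without_shell(const char *rcpt, const char *body)
{
    int fd[2];
    if (!recipient_is_safe(rcpt) || pipe(fd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                      /* child: stdin <- pipe, then exec */
        dup2(fd[0], STDIN_FILENO);
        close(fd[0]); close(fd[1]);
        char *const argv[] = { "sendmail", "-i", (char *)rcpt, NULL };
        execv(SENDMAIL_PATH, argv);
        _exit(127);                      /* exec failed */
    }
    close(fd[0]);
    (void)write(fd[1], body, strlen(body));
    close(fd[1]);
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```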
See http://freshmeat.net/projects/clamav/

ChangeLog: http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog

The clamav package comes in three parts:

  clamav:          the executables and binaries
  libclamav2:      the shared library since 0.90.1
  libclamav-devel: development resources (headers, static- and import libraries)

Cygwin Package Changes:

  * none

========================================================================

To update your installation, click on the "Install Cygwin now" link on the http://cygwin.com/ web page. This downloads setup.exe to your system. Then, run setup and answer all of the questions.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/