  • [SECURITY] [DSA 1616-2] New clamav packages fix denial of service (1/3)

    From Devin Carraway@1:229/2 to All on Sat Jul 26 07:00:14 2008
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1616-2                  [email protected]
    http://www.debian.org/security/                           Devin Carraway
    July 26, 2008                         http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Package : clamav
    Vulnerability : denial of service
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-2713
    Debian Bug : 490925

    This update corrects a packaging and build error in the packages
    released in DSA-1616-1. Those packages, while functional, did not
    actually apply the fix intended. This update restores the fix
    to the package build; no other changes are introduced. For
    reference, the text of the original advisory follows.

    Damian Put discovered a vulnerability in the ClamAV anti-virus
    toolkit's parsing of Petite-packed Win32 executables. The weakness
    leads to an invalid memory access, and could enable an attacker to
    crash clamav by supplying a maliciously crafted Petite-compressed
    binary for scanning. In some configurations, such as when clamav
    is used in combination with mail servers, this could cause a system
    to "fail open," facilitating a follow-on viral attack.

    The Common Vulnerabilities and Exposures project identifies this
    weakness as CVE-2008-2713.

    For the stable distribution (etch), this problem has been fixed in
    version 0.90.1dfsg-3.1+etch14. For the unstable distribution (sid),
    the problem has been fixed in version 0.93.1.dfsg-1.1.

    We recommend that you upgrade your clamav packages.

    Upgrade instructions
    - --------------------

    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch
    - -------------------------------

    Debian (stable)
    - ---------------

    Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
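
The "fail open" risk the advisory describes, as an added example that is not part of the advisory or of ClamAV: a mail-filter wrapper that treats a crashed scanner as a reason to defer the message rather than accept it. The function names (`classify`, `disposition`, `scan_message`) and the stand-in scanner command are hypothetical and constructed for illustration; the exit codes are the ones documented in clamscan(1).

```python
import subprocess
import sys

# clamscan(1) exit codes: 0 = no virus found, 1 = virus found, 2 = error.
CLEAN, INFECTED = 0, 1


def classify(returncode):
    """Map a scanner exit status to a verdict."""
    if returncode == CLEAN:
        return "clean"
    if returncode == INFECTED:
        return "infected"
    # Everything else is a scanner failure: exit code 2, an unknown code, or a
    # negative value, which subprocess reports when a signal killed the child
    # (an invalid memory access typically ends in SIGSEGV, i.e. -11).
    return "scanner_failure"


def disposition(verdict, fail_open=False):
    """Decide what the mail server does with the message."""
    if verdict == "clean":
        return "accept"
    if verdict == "infected":
        return "reject"
    # fail_open=True is the weak setting the advisory warns about: a crashed
    # scanner lets unscanned mail through. Failing closed defers it instead.
    return "accept" if fail_open else "tempfail"


def scan_message(scanner_cmd, message, fail_open=False, timeout=60):
    """Pipe one message to the scanner and return (verdict, disposition)."""
    try:
        proc = subprocess.run(scanner_cmd, input=message, timeout=timeout,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL)
        verdict = classify(proc.returncode)
    except (OSError, subprocess.TimeoutExpired):
        # Scanner binary missing, not executable, or hung.
        verdict = "scanner_failure"
    return verdict, disposition(verdict, fail_open)


if __name__ == "__main__":
    # Constructed stand-in for a scanner that dies on a crafted input.
    crash = [sys.executable, "-c",
             "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]
    print(scan_message(crash, b"constructed sample message"))
    print(scan_message(crash, b"constructed sample message", fail_open=True))
```

With a real installation the scanner command would be along the lines of `clamscan --no-summary -`, which reads the message from standard input.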