severity 458532 important
thanks

On Tue, Jan 01, 2008 at 02:01:00PM +0000, Neil McGovern wrote:
> Package: clamav
> Version: 0.90.1-3etch7
> Severity: critical
> Tags: security

This doesn't warrant an RC security bug.

> Two new CVEs for clamav:
> 
> Name: CVE-2007-6595
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6595
> Reference: BUGTRAQ:20071229 TK53 Advisory #2: Multiple vulnerabilities in ClamAV
> Reference: URL:http://www.securityfocus.com/archive/1/archive/1/485631/100/0/threaded
> Reference: BID:27064
> Reference: URL:http://www.securityfocus.com/bid/27064
>  
>  ClamAV 0.92 allows local users to overwrite arbitrary files via a
>  symlink attack on (1) temporary files in the cli_gentempfd function in
>  libclamav/others.c or on (2) .ascii files in sigtool, when
>  utf16-decode is enabled.
>
> Name: CVE-2007-6596
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6596
> Reference: BUGTRAQ:20071229 TK53 Advisory #2: Multiple vulnerabilities in ClamAV
> Reference: URL:http://www.securityfocus.com/archive/1/archive/1/485631/100/0/threaded
> Reference: BID:27064
> Reference: URL:http://www.securityfocus.com/bid/27064
> 
>  ClamAV 0.92 does not recognize Base64 UUEncoded archives, which allows
>  remote attackers to bypass the scanner via a Base64-UUEncoded file.
> 
> I'd say ignore CVE-2007-6596, as clamav also doesn't recognise
> insert-random-proprietary-encoding-here either, so it's not really a
> valid issue (imo).

I agree.
 
> Tags for versions are:
> CVE-2007-6595 isn't relevant for sarge, and only part (2) is in etch.
> Lenny/sid affected fully.

Support for Sarge has stopped, see the latest DSA.

These issues are rather harmless in the context of clamav. They'll
be fixed when a future and more severe clamav issue pops up. (Which
is quite likely given the history of clamav :-)

Cheers,
        Moritz
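Part (1) of CVE-2007-6595 is the classic temporary-file symlink attack: a writer creates a temp file at a name the attacker can predict, the attacker plants a symlink there first, and the writer truncates whatever the link points to. The following is an added example, not ClamAV's code and not taken from the TK53 advisory or this thread. It reproduces the pattern generically against a constructed victim file in a scratch directory under /tmp, then shows that the same open() with O_CREAT|O_EXCL (which is what mkstemp(3) relies on) refuses the planted link with EEXIST. The function names open_temp_unsafe, open_temp_safe and simulate, and the /tmp prefix, are this example's own assumptions.

```c
/* Added example (not ClamAV or TK53 code): the temp-file symlink attack
 * described for part (1) of CVE-2007-6595, reproduced generically.
 * Names (open_temp_unsafe, open_temp_safe, simulate, the /tmp prefix)
 * are this example's own assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* errno observed on the writer's most recent open(), for callers to inspect. */
static int last_open_errno;

/* Vulnerable pattern: the writer "creates" a temp file at a name the
 * attacker can predict, with O_CREAT but without O_EXCL.  open(2) follows
 * a symlink planted at that path and truncates whatever it points to. */
static int open_temp_unsafe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    last_open_errno = (fd < 0) ? errno : 0;
    return fd;
}

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything already
 * exists at the path, and a symlink is never followed in that mode.
 * mkstemp(3) does exactly this plus an unpredictable name; use it in
 * real code rather than hand-rolling the flags. */
static int open_temp_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    last_open_errno = (fd < 0) ? errno : 0;
    return fd;
}

static int write_all(int fd, const char *s) {
    size_t len = strlen(s);
    return write(fd, s, len) == (ssize_t)len ? 0 : -1;
}

/* Builds a scratch directory with a constructed victim file and an
 * attacker-planted symlink "predictable.tmp" -> victim, then lets the
 * writer open its temp file through that name.  Returns 1 if the victim
 * was clobbered, 0 if it survived intact, -1 on setup failure.  Removes
 * everything it created before returning. */
static int simulate(int use_safe) {
    char dir[] = "/tmp/symlink-demo.XXXXXX";
    char victim[128], planted[128], buf[64] = {0};
    const char original[] = "original contents\n";
    int fd, result = -1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(planted, sizeof planted, "%s/predictable.tmp", dir);

    /* Constructed victim: the file the attacker wants overwritten. */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) goto out;
    if (write_all(fd, original) != 0) { close(fd); goto out; }
    close(fd);

    /* Attacker wins the race by pre-creating the symlink. */
    if (symlink(victim, planted) != 0) goto out;

    /* The writer now creates what it believes is a fresh temp file. */
    fd = use_safe ? open_temp_safe(planted) : open_temp_unsafe(planted);
    if (fd >= 0) {
        write_all(fd, "attacker-chosen data\n");
        close(fd);
    }

    /* Did the victim change? */
    fd = open(victim, O_RDONLY);
    if (fd >= 0) {
        ssize_t n = read(fd, buf, sizeof buf - 1);
        close(fd);
        if (n >= 0) result = (strcmp(buf, original) != 0);
    }
out:
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void) {
    int unsafe_clobbered = simulate(0);
    int safe_clobbered = simulate(1);
    printf("unsafe open: victim clobbered = %d\n", unsafe_clobbered);
    printf("safe open:   victim clobbered = %d (errno %d, EEXIST = %d)\n",
           safe_clobbered, last_open_errno, EEXIST);
    return 0;
}
```

The unsafe run overwrites the victim through the link; the safe run leaves it untouched and reports EEXIST. Note that O_EXCL only closes the hole if the name is also unpredictable: an attacker who can still guess the name can make the open fail repeatedly (denial of service), which is why mkstemp(3) in a directory the attacker cannot write to is the complete fix.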


