-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                       MDVSA-2008:189-1
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : clamav
 Date    : September 17, 2008
 Affected: 2007.1, 2008.0, 2008.1, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities were discovered in ClamAV and corrected with
 the 0.94 release, including:

 A vulnerability in ClamAV's chm-parser allowed remote attackers to
 cause a denial of service (application crash) via a malformed CHM file
 (CVE-2008-1389).

 A vulnerability in libclamav would allow attackers to cause a denial
 of service via vectors related to an out-of-memory condition
 (CVE-2008-3912).

 Multiple memory leaks were found in ClamAV that could possibly allow
 attackers to cause a denial of service via excessive memory consumption
 (CVE-2008-3913).

 A number of unspecified vulnerabilities in ClamAV were reported that
 have an unknown impact and attack vectors related to file descriptor
 leaks (CVE-2008-3914).

 Other bugs have also been corrected in 0.94 which is being provided
 with this update. Because this new version has increased the major
 of the libclamav library, updated dependent packages are also being
 provided.

 Update:

 The previous update had experimental support enabled, which caused
 ClamAV to report the version as 0.94-exp rather than 0.94, causing
 ClamAV to produce bogus warnings about the installation being outdated.
 This update corrects that problem.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1389
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3912
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3913
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3914
 _______________________________________________________________________

 Updated Packages:

 Each release listed below receives updated clamav, clamav-db,
 clamav-milter, clamd, libclamav5 and libclamav-devel packages
 (lib64clamav5 and lib64clamav-devel on x86_64) for i586 and x86_64,
 plus the clamav source package, at the following version:

 Mandriva Linux 2007.1: 0.94-1.2mdv2007.1
 Mandriva Linux 2008.0: 0.94-1.2mdv2008.0
 Mandriva Linux 2008.1: 0.94-1.2mdv2008.1
 Corporate 3.0:         0.94-0.2.C30mdk
 Corporate 4.0:         0.94-0.2.20060mlcs4
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFI0T3umqjQ0CJFipgRAsxbAJwLv/XtQ4i4u9Ub3e1weYDutjKwQQCfcpP/
hg0ASUdC8aRKpTDiW8eOW9A=
=zpXC
-----END PGP SIGNATURE-----