Vulnerability closed in ClamAV 0.94.1
In version 0.94.1 of the open source ClamAV virus scanner, which was released at the end of October, the developers closed a vulnerability that allowed denial of service attacks on the scanner. According to Moritz Jodeit, the problem is caused by an off-by-one heap overflow in the
get_unicode_name function in
libclamav/vba_extract.c. It is usually not possible to directly inject and execute arbitrary code using an off-by-one buffer overflow, as typically only one single byte is overwritten in the process. This may be used to offset a function pointer, so that attackers can still potentially exploit the hole for executing their own code.
The flaw can cause the Clamd service to crash, which can present a threat especially for mail gateways. It occurs when parsing specially crafted VBA project files. ClamAV versions up to and including 0.94 are addected
- ClamAV get_unicode_name() off-by-one buffer overflow, vulnerability description by Moritz Jodeit