Bugs in ClamAV and SpamAssassin fixed
The developers of ClamAV and SpamAssassin, filter programs for viruses and spam respectively, have released bug-fix versions. ClamAV prior to version 0.90 and SpamAssassin prior to version 3.1.8 could be made to crash using manipulated e-mails. In addition, an attacker might be able to use e-mails to overwrite files on servers running older versions of ClamAV. The new versions fix these problems.
According to security services provider iDefense, repeated processing of CAB archives with a record length of zero in the header by vulnerable versions of ClamAV can lead to a situation in which the software runs out of free file descriptors and is no longer able to scan inside various archive types. Depending on the mail server software used, the system may stop accepting e-mails containing affected archives - which include ZIP files.
In addition, e-mails with strings such as "../../../" in the id field of the MIME header may not end up in the intended temporary directory. An attacker could exploit this directory traversal to overwrite files for which the ClamAV process has write privileges with the contents of manipulated e-mails.
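The following C sketch is an added example, not ClamAV code and not taken from the advisory. It contrasts pasting a header-supplied id into a temporary path with reducing the id to a single safe file name component first. The function names, the directory /tmp/scan and the sample id are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

static const char ALLOWED[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-";

/* Unsafe pattern: the untrusted id goes straight into the path. */
int naive_part_path(const char *tmpdir, const char *id, char *out, size_t n)
{
    int len = snprintf(out, n, "%s/%s", tmpdir, id);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Hardened pattern (hypothetical helper): the id becomes exactly one file
 * name component. Bytes outside ALLOWED turn into '_', so no '/' or '\\'
 * survives; empty, overlong and dot-leading ids are refused outright. */
int safe_part_path(const char *tmpdir, const char *id, char *out, size_t n)
{
    char name[64];
    size_t i, idlen = strlen(id);

    if (idlen == 0 || idlen >= sizeof(name) || id[0] == '.')
        return -1;
    for (i = 0; i < idlen; i++)
        name[i] = strchr(ALLOWED, id[i]) ? id[i] : '_';
    name[idlen] = '\0';

    int len = snprintf(out, n, "%s/%s", tmpdir, name);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Returns 1 if path contains ".." as a whole component, else 0. */
int has_dotdot(const char *path)
{
    const char *p = path;
    while ((p = strstr(p, "..")) != NULL) {
        if ((p == path || p[-1] == '/') && (p[2] == '/' || p[2] == '\0'))
            return 1;
        p += 2;
    }
    return 0;
}

int main(void)
{
    char buf[256];
    const char *id = "../../../tmp/elsewhere"; /* constructed sample id */
    if (naive_part_path("/tmp/scan", id, buf, sizeof buf) == 0)
        printf("naive: %s (escapes: %d)\n", buf, has_dotdot(buf));
    if (safe_part_path("/tmp/scan", id, buf, sizeof buf) != 0)
        puts("safe: id rejected");
    return 0;
}
```

Generating the file name locally, for example with mkstemp(), avoids using the header value in the path at all.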
SpamAssassin, according to the change log, apparently stumbles over overlong URLs in e-mails, which can cause it to crash. Depending on the mail server used and its configuration, this can also lead to non-delivery of legitimate e-mails. Mail server administrators should update their ClamAV or SpamAssassin installations at the next available opportunity.
See also:
- Multiple Vendor ClamAV CAB File Denial of Service Vulnerability, advisory from iDefense
- Multiple Vendor ClamAV MIME Parsing Directory Traversal Vulnerability, advisory from iDefense
- Apache SpamAssassin 3.1.8 available!, announcement and change log from the SpamAssassin developers
(ehe)