Vulnerabilities in ClamAV fixed
ClamAV open source anti-virus software version 0.92.1 has been released. It contains fixes for a number of security vulnerabilities which could be exploited by attackers to remotely inject and execute malicious code.
The release notes on the SourceForge servers state that the developers have fixed a potential integer overflow when processing executable files in PE format. According to a security advisory from security services provider iDefense, the software fails to check values from PE files when processing them. This failure can be exploited to cause an integer overflow and thereby execute injected code. Another bug can be exploited when processing executable MEW-PE files to trigger a buffer overflow on the heap.
The release notes give no indication that the security vulnerabilities discovered in early January are fixed in the latest version. These can be exploited by local users to escalate their privileges. Attackers can guess the pseudo-random file names used when scanning, create their own files with these names in the folder and thus attain the write privileges of the user who started ClamAV - in the worst case root. ClamAV 0.92.1 also fails to include a decoder for Base64 UUEncoded files. A bug in Sigtool that allows a symlink attack to overwrite some files also appears not to have been fixed. The risk from these three vulnerabilities is, however, classified as low.
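The guessable scan-file names described above matter because a plain open() accepts whatever already exists at that name. The following C program is an added example, not ClamAV's code or the project's fix; the function names, the `/tmp/scratch-demo-*` directory and the `scan-0001.tmp` file name are constructed for illustration. It contrasts a plain open with exclusive creation and with mkstemp().

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Weak: opens whatever already sits at a guessable name, so a file or
 * symlink planted there first receives the scanner's writes. */
int open_scratch_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if the name exists,
 * including when it is a symlink, so a planted name is refused. */
int open_scratch_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred: mkstemp() picks the name and creates it exclusively. */
int open_scratch_mkstemp(char *tmpl) { return mkstemp(tmpl); }

/* Plants a file under a constructed name in a private directory and
 * returns 1 if the weak open accepts it while the hardened one refuses. */
int demo_planted_name(void) {
    char dir[] = "/tmp/scratch-demo-XXXXXX";
    char path[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/scan-0001.tmp", dir);
    int planted = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (planted < 0) { rmdir(dir); return -1; }
    close(planted);

    int weak = open_scratch_weak(path);
    int weak_accepted = (weak >= 0);
    if (weak_accepted) close(weak);

    errno = 0;
    int hard = open_scratch_excl(path);
    int hard_refused = (hard < 0 && errno == EEXIST);
    if (hard >= 0) close(hard);

    unlink(path);
    rmdir(dir);
    return weak_accepted && hard_refused;
}

int main(void) {
    printf("weak accepted, exclusive refused: %d\n", demo_planted_name());
    return 0;
}
```

A scanner that runs as root should also keep its scratch files in a directory only it can write to, so other local users cannot create names there at all.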
Because ClamAV is frequently deployed to scan e-mail traffic on gateway servers, attackers can exploit the vulnerabilities to execute malicious code by sending e-mails with crafted attachments. ClamAV users should install the update immediately. Linux distributors should be distributing updated packages shortly.
The patent dispute over the deployment of ClamAV on gateway servers between Trend Micro and Barracuda Networks has yet to be concluded, but Dutch civil rights organisation Scriptum libre has leapt to Barracuda Networks' defence and called for a boycott of Trend Micro products. Under the slogan "Would you do business with a company that would sue you for using a competitor's product?", the organisation suggests boycotting Trend Micro products and provides a banner which supporters can place on their websites. On its campaign website the organisation compares Trend Micro with SCO. It asserts that, like SCO, Trend Micro has gone beyond the pale of decent and honourable commerce, has become a leper company and needs to be punished.
- Release Name: 0.92.1, release notes on ClamAV 0.92.1
- ClamAV libclamav PE File Integer Overflow Vulnerability, security advisory from iDefense