Technical Description

Multiple vulnerabilities were identified in Clam AntiVirus (ClamAV), which may be exploited by attackers and/or malware to execute arbitrary commands.

The first issue is due to an integer overflow error in the "tnef_attachment()" and "tnef_message()" [tnef.c] functions that do not properly handle a negative "length" value, which could be exploited by remote attackers to execute arbitrary commands by sending, to a vulnerable application, a specially crafted email containing a malicious TNEF file.

The second flaw is due to an integer overflow error in the "read_chunk_entries()" [chmunpack.c] function that does not properly handle a negative "length" value, which could be exploited by remote attackers to execute arbitrary commands by sending, to a vulnerable application, a specially crafted email containing a malicious CHM file.

The third vulnerability is due to an integer overflow error in the "unfsg()" [fsg.c] function that does not properly handle negative "backbytes" and "backsize" values, which could be exploited by remote attackers to execute arbitrary commands by sending, to a vulnerable application, a specially crafted email containing a malicious FSG file.

Affected Products

Clam Antivirus (ClamAV) version 0.86.1 and prior

Solution

Upgrade to Clam Antivirus (ClamAV) version 0.86.2 :
http://sourceforge.net/project/showfiles.php?group_id=86638&release_id=344514

References

http://www.vupen.com/english/advisories/2005/1201
http://www.rem0te.com/public/images/clamav.pdf
http://sourceforge.net/project/shownotes.php?release_id=344514

Credits

Vulnerabilities reported by Neel Mehta and Alex Wheeler

ChangeLog

2005-07-25 : Initial release

Vulnerability Management

Subscribe to VUPEN VNS and receive real-time alerts with CVE, CWE, and CVSS when new advisories or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.