Re: [Exim] FYI: clamav 0.65 remote DOS exploit

Author: Oliver Eikemeier
Date:  
To: eli-list
CC: exim-users
Subject: Re: [Exim] FYI: clamav 0.65 remote DOS exploit
Eli wrote:

> Oliver Eikemeier <> wrote:
>
>>>Description:
>>
>>It is trivial to crash clamd using a malformed uuencoded message,
>>resulting in a denial of service for all programs (e.g. exiscan-acl)
>>relying on clamd running. The message must only contain one uuencoded
>>line with an illegal line length, i.e. starting with a small letter.
>
>
> I am using a beta version of ClamAV and it does not contain this bug:
>
> [root@testunix!~] clamscan --mbox -v clamtest.mbox
> clamtest.mbox: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 20101
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> I/O buffer size: 131072 bytes
> Time: 0.565 sec (0 m 0 s)
> [root@testunix!~]
>
> clamscan / ClamAV version devel-20040114
>
> I believe I just took a daily snapshot and installed that. This is on a
> test server though, and has not yet hit production (although I have done
> some testing, and clamd has yet to crash).
>
> I didn't take the 0.65 stable version because if you look at the current
> ChangeLog for the development stuff, it's months and months ahead of 0.65
> (or was it close to years? I forget). There were tons of bug fixes and
> other changes mentioned and so I figured it'd be best to go for the latest
> than take the last so called "stable" release :)


Most people will run the release version on production servers. And some people even
use a packaged version (it seems to be fixed in the Debian packages). If it contains
known security issues they shouldn't call it stable, release an advisory and pull it
off their page. Hey, it's security software.

-Oliver
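A strict uudecode line check of the kind that stops the malformed-length crash described earlier in the thread, written as an added example for this page; it is not code from the thread or from ClamAV, and `uu_decode_line` / `uu_line_matches` are hypothetical names. The length byte is validated against the uuencode alphabet before any count derived from it is used, so a line starting with a lowercase letter is rejected instead of being decoded.

```c
#include <stddef.h>
#include <string.h>

#define UU_MAX_LINE_BYTES 45  /* uuencode puts at most 45 decoded bytes on a line */

/* Decode one uuencoded body line into out (capacity outcap). Returns the number
 * of decoded bytes, or -1 if the line is malformed. Hypothetical hardened
 * decoder written for this example, not ClamAV code. */
static int uu_decode_line(const char *line, unsigned char *out, size_t outcap)
{
    size_t len = strlen(line);
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;                                   /* drop CR/LF */
    if (len == 0) return -1;
    /* The length byte must be ' ' (0) .. 'M' (45); '`' is the usual alias for 0.
     * Anything else, such as a lowercase letter, is rejected up front instead of
     * becoming an oversized count that walks past the output buffer. */
    int c = (unsigned char)line[0], n;
    if (c == '`') n = 0;
    else if (c >= ' ' && c <= 'M') n = c - ' ';
    else return -1;
    if ((size_t)n > outcap) return -1;
    /* Every 4 encoded chars carry 3 bytes; the line must actually contain them. */
    size_t groups = ((size_t)n + 2) / 3, produced = 0;
    if (len - 1 < groups * 4) return -1;

    const char *p = line + 1;
    for (size_t g = 0; g < groups; g++, p += 4) {
        unsigned v[4];
        for (int i = 0; i < 4; i++) {
            int ch = (unsigned char)p[i];
            if (ch < ' ' || ch > '`') return -1; /* outside the uuencode alphabet */
            v[i] = (unsigned)(ch - ' ') & 0x3F;
        }
        unsigned char b[3] = { (unsigned char)((v[0] << 2) | (v[1] >> 4)),
                               (unsigned char)((v[1] << 4) | (v[2] >> 2)),
                               (unsigned char)((v[2] << 6) | v[3]) };
        for (int i = 0; i < 3 && produced < (size_t)n; i++)
            out[produced++] = b[i];
    }
    return (int)produced;
}

/* Check helper: decode into a scratch buffer and compare with the expected bytes. */
static int uu_line_matches(const char *line, const char *expected, int explen)
{
    unsigned char buf[UU_MAX_LINE_BYTES];
    int n = uu_decode_line(line, buf, sizeof buf);
    return n == explen && (n <= 0 || memcmp(buf, expected, (size_t)n) == 0);
}
```

The constructed line `#0V%T` is the uuencoding of the three bytes "Cat"; the same data prefixed with a lowercase length byte is refused rather than decoded.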