thomas: doc/www/src/security kolab-vendor-notice-23.txt,NONE,1.1

cvs at kolab.org cvs at kolab.org
Tue Dec 2 18:27:49 CET 2008


Author: thomas

Update of /kolabrepository/doc/www/src/security
In directory doto:/tmp/cvs-serv1437

Added Files:
	kolab-vendor-notice-23.txt 
Log Message:
Kolab Security Issue 23 20081202 (clamav)


--- NEW FILE: kolab-vendor-notice-23.txt ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 23 20081202
================================

Package:              Kolab Server, ClamAV
Vulnerability:        various
Kolab Specific:       no
Dependent Packages:   none


Summary
~~~~~~~

Moritz Jodeit reports that ClamAV up to version 0.94 contains an
off-by-one heap overflow vulnerability in the code responsible for
parsing VBA project files. Successful exploitation could allow an
attacker to execute arbitrary code with the privileges of the `clamd'
process by sending an email with a prepared attachment.

Ilja Van Sprundel reported a denial-of-service vulnerability and an
unconfirmed possibility to run arbitrary code in ClamAV up to version
0.94.1 by sending malformed JPEG files.


Affected Versions
~~~~~~~~~~~~~~~~~

This affects versions of ClamAV up to version 0.94.1.
Kolab Server 2.2.0 and previous prereleases are affected.
Kolab Server 2.1.0 and previous releases of the 2.1 branch are affected.
Kolab Server 2.0.4 and previous releases of the 2.0 branch are affected.


Fix
~~~

Upgrade to ClamAV 0.94.2.

The ClamAV source RPM for Kolab Server 2.2, 2.1 and 2.0
is available from the Kolab download mirrors as:
security-updates/20081202/clamav-0.94.2-20081202.src.rpm

A binary RPM for Kolab Server 2.1.0 (ix86 Debian GNU/Linux Sarge) is available:
security-updates/20081202/clamav-0.94.2-20081202.ix86-debian3.1-kolab.rpm

A binary RPM for Kolab Server 2.2.0 (ix86 Debian GNU/Linux Etch)
is available from:
security-updates/20081202/clamav-0.94.2-20081202_kolab.ix86-debian4.0-kolab.rpm

All other server versions: Please build from the src.rpm.


The mirrors are listed on http://kolab.org/mirrors.html
While the mirrors are catching up, you can also get the package via rsync:
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20081202/clamav-0.94.2-20081202.src.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20081202/clamav-0.94.2-20081202.ix86-debian3.1-kolab.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20081202/clamav-0.94.2-20081202.ix86-debian4.0-kolab.rpm .

MD5 sums:
bd4aaba0b5dc0c4c7349fd3418326534  clamav-0.94.2-20081202.src.rpm
4e1efcb88af5ab6538560be9ee618ca0  clamav-0.94.2-20081202.ix86-debian3.1-kolab.rpm
0fe61493cfc48dda972844e455867f8e  clamav-0.94.2-20081202.ix86-debian4.0-kolab.rpm


The package can be installed on your Kolab Server with

# /kolab/bin/openpkg rpm --rebuild clamav-0.94.2-20081202.src.rpm
# /kolab/bin/openpkg rpm \
  -Uvh /kolab/RPM/PKG/clamav-0.94.2-20081202.<ARCH>-<OS>-kolab.rpm
# rm /kolab/etc/clamav/*.rpmsave
# /kolab/bin/openpkg rc clamav stop
# /kolab/bin/openpkg rc clamav start
# su - kolab-r
$ freshclam
$ rm -r /kolab/share/clamav/*.inc

For Kolab Server 2.0.4 you have to copy the new /kolab/etc/clamav/clamd.conf
to /kolab/etc/kolab/templates/clamd.conf.template so it will not be
overwritten by kolabconf. Do NOT copy this file with Kolab Server 2.1 or 2.2!
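As an added example that is not part of the advisory or of Kolab's own tooling, the POSIX shell script below wraps the checks an administrator would want around the procedure above: it extracts the installed ClamAV version from `clamd --version` output, decides whether it is older than the fixed 0.94.2, and refuses to rebuild the source RPM unless its MD5 matches the sum the advisory lists. The mirror path, package name and MD5 sum are copied from the advisory; the function names, the assumption that `clamd` is on PATH, and the `ClamAV <version>/...` output format are this example's own.

```shell
#!/bin/sh
# Added example (not from the Kolab advisory). Helper functions for checking
# whether the installed ClamAV is affected and for verifying the advisory's
# source RPM before rebuilding it. Values below are from the advisory text.
set -u

FIXED_VERSION="0.94.2"
MIRROR="rsync://rsync.kolab.org/kolab/server/security-updates/20081202"
SRC_RPM="clamav-0.94.2-20081202.src.rpm"
SRC_MD5="bd4aaba0b5dc0c4c7349fd3418326534"   # MD5 listed in the advisory

# Compare two dotted numeric version strings field by field.
# Returns 0 if $1 is older than $2, 1 otherwise. Missing fields count as 0,
# so "0.94" is treated as older than "0.94.1". Non-numeric fields are not handled.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Returns 0 when the given ClamAV version is affected (older than 0.94.2).
clamav_is_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# Extract the version number from clamd/clamscan --version output, which this
# example assumes looks like "ClamAV 0.94.1/8683/Tue Dec  2 12:00:00 2008".
parse_clamav_version() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*/\1/p'
}

# Print the MD5 digest of a file, via md5sum or, failing that, openssl.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Returns 0 when the file's MD5 matches the expected sum, 1 otherwise.
verify_md5() {
    file="$1"; expected="$2"
    actual="$(md5_of "$file")" || return 1
    [ "$actual" = "$expected" ]
}

# Fetch the source RPM, verify it against the advisory's sum, then rebuild it
# as the advisory describes. The binary install steps that follow in the
# advisory are left to the administrator because the package name depends on
# the host's <ARCH>-<OS>. Run as root on the Kolab server.
install_clamav_update() {
    rsync -tvP "$MIRROR/$SRC_RPM" . || return 1
    if ! verify_md5 "$SRC_RPM" "$SRC_MD5"; then
        echo "MD5 mismatch for $SRC_RPM, refusing to rebuild" >&2
        return 1
    fi
    /kolab/bin/openpkg rpm --rebuild "$SRC_RPM"
}

# Usage: "sh thisscript.sh run" reports the installed version and updates
# only when it is affected. Nothing runs when the script is merely sourced.
if [ "${1:-}" = "run" ]; then
    installed="$(parse_clamav_version "$(clamd --version 2>/dev/null)")"
    if [ -z "$installed" ]; then
        echo "could not determine installed ClamAV version" >&2
        exit 1
    fi
    if clamav_is_affected "$installed"; then
        echo "ClamAV $installed is affected; updating to $FIXED_VERSION"
        install_clamav_update
    else
        echo "ClamAV $installed is not affected"
    fi
fi
```

The MD5 check is the step worth automating: the advisory ships sums precisely so that a package fetched from a mirror that has not yet synced, or from a tampered one, is rejected before `openpkg rpm --rebuild` runs anything from it. MD5 is only an integrity check against accidental corruption or a mismatched file; the PGP signature on the advisory itself is what ties those sums to Kolab.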


Details
~~~~~~~

http://sourceforge.net/project/shownotes.php?release_id=637952&group_id=86638
	ClamAV 0.94.1 release notes

http://lists.grok.org.uk/pipermail/full-disclosure/2008-November/065530.html
	Vulnerability description: ClamAV get_unicode_name() off-by-one buffer overflow

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1239
	ClamAV bug tracker entry for above vulnerability (not yet publicly available)

http://sourceforge.net/project/shownotes.php?release_id=643134&group_id=86638
	ClamAV 0.94.2 release notes

http://www.securityfocus.com/bid/32555
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1266
	ClamAV 'cli_check_jpeg_exploit' Function Malformed JPEG File Remote Denial Of Service Vulnerability


Timeline
~~~~~~~~
    20081016 Moritz Jodeit reports vulnerability to ClamAV vendor.
    20081103 ClamAV release 0.94.1.
    20081109 Moritz Jodeit publishes vulnerability fixed in 0.94.1.
    20081126 ClamAV release 0.94.2.
    20081201 Bugtraq ID 32555 published for problem fixed in 0.94.2.
    20081202 Kolab Server security advisory published.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJNW/5W7P1GVgWeRoRAjICAKCWjBTT098TGz7+ZJFXweJ2HGzcVwCgnaKS
fuVfUyvZ8jM9tcxnr/xq8Ec=
=IH9x
-----END PGP SIGNATURE-----
