[Kolab-devel] Kolab Security Issue 22 (clamav)
Sascha Wilde
wilde at intevation.de
Thu Sep 11 16:23:53 CEST 2008
Kolab Security Issue 22 20080911
================================
Package: Kolab Server, ClamAV
Vulnerability: denial of service
Kolab Specific: no
Dependent Packages: none
Summary
~~~~~~~
Various unspecified memory corruption vulnerabilities and a bug in the
chm parser allowed remote attackers to cause a denial of service.
Further unknown attack vectors might exist.
Affected Versions
~~~~~~~~~~~~~~~~~
This affects versions of ClamAV up to version 0.93.1.
Kolab Server 2.1.0 and previous releases of the 2.1 branch are affected.
Kolab Server 2.0.4 and previous releases of the 2.0 branch are affected.
Kolab Server 2.2.0 and previous prereleases are affected.
Fix
~~~
Upgrade to ClamAV 0.94.
The ClamAV source RPM patched to be compilable with Kolab Server 2.1 and 2.0
is available from the Kolab download mirrors as:
security-updates/20080911/clamav-0.94-20080905_kolab.src.rpm
For Kolab Server 2.2.0 the unmodified OpenPKG rpm can be used:
security-updates/20080911/clamav-0.94-20080905.src.rpm
A binary RPM for Kolab Server 2.1.0 (ix86 Debian GNU/Linux Sarge) is available:
security-updates/20080911/clamav-0.94-20080905_kolab.ix86-debian3.1-kolab.rpm
A binary RPM for Kolab Server 2.2.0 (ix86 Debian GNU/Linux Etch)
is available from:
security-updates/20080911/clamav-0.94-20080905_kolab.ix86-debian4.0-kolab.rpm
All other server versions: Please build from the src.rpm.
The mirrors are listed on http://kolab.org/mirrors.html
While the mirrors are catching up, you can also get the package via rsync:
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080911/clamav-0.94-20080905_kolab.src.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080911/clamav-0.94-20080905_kolab.ix86-debian3.1-kolab.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080911/clamav-0.94-20080905.src.rpm .
# rsync -tvP rsync://rsync.kolab.org/kolab/server/security-updates/20080911/clamav-0.94-20080905.ix86-debian4.0-kolab.rpm .
MD5 sums:
35acf995ef8927a8ea76afb8502eb648 clamav-0.94-20080905.ix86-debian4.0-kolab.rpm
0b6be1bf21deef9de8582a56d330aaef clamav-0.94-20080905.src.rpm
67ffd197c991b5d1dc83520a91b5ff57 clamav-0.94-20080905_kolab.ix86-debian3.1-kolab.rpm
0b7d3a2a22f9a2c2e12bc0b14cc3b800 clamav-0.94-20080905_kolab.src.rpm
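The following script is an added example and is not part of the advisory or of the Kolab project; it checks packages fetched via rsync against the MD5 sums listed above before they are passed to openpkg. The checksum list is copied from the advisory; the script name, the md5sum/openssl dependency and the sample file used in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory: verify downloaded packages against
# the MD5 sums published above before rebuilding or installing them.
# Assumes md5sum (coreutils) or openssl is installed on the host.

# The advisory's checksum list, in the two-column "md5sum" format.
ADVISORY_MD5SUMS='35acf995ef8927a8ea76afb8502eb648  clamav-0.94-20080905.ix86-debian4.0-kolab.rpm
0b6be1bf21deef9de8582a56d330aaef  clamav-0.94-20080905.src.rpm
67ffd197c991b5d1dc83520a91b5ff57  clamav-0.94-20080905_kolab.ix86-debian3.1-kolab.rpm
0b7d3a2a22f9a2c2e12bc0b14cc3b800  clamav-0.94-20080905_kolab.src.rpm'

# md5_of FILE: print the hex MD5 digest of FILE (md5sum, else openssl).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# verify_package FILE EXPECTED_MD5: exit status 0 only if the digest matches.
verify_package() {
    actual=$(md5_of "$1" 2>/dev/null)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# verify_all DIR: check every advisory package present in DIR. Succeeds only
# if at least one package was found and none of them mismatched.
verify_all() {
    dir=$1
    checked=0
    failed=0
    list=$(mktemp) || return 1
    printf '%s\n' "$ADVISORY_MD5SUMS" > "$list"
    # Redirect into the loop (not a pipe) so the counters survive in POSIX sh.
    while read -r sum name; do
        [ -n "$name" ] || continue
        [ -f "$dir/$name" ] || continue    # not downloaded on this host
        checked=$((checked + 1))
        if verify_package "$dir/$name" "$sum"; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name  (corrupt or tampered download; do not install)"
            failed=$((failed + 1))
        fi
    done < "$list"
    rm -f "$list"
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Usage (hypothetical script name):
#   sh verify-clamav-update.sh /path/to/downloaded/packages
if [ -n "${1:-}" ]; then
    verify_all "$1"
fi
```

A non-zero exit status from verify_all means either a mismatch or that none of the listed packages were found in the directory; both cases should stop an automated update. MD5 detects transfer corruption, not a deliberate substitution, so it complements rather than replaces the signature on this advisory.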
The package can be installed on your Kolab Server with
# /kolab/bin/openpkg rpm --rebuild clamav-0.94-20080905_kolab.src.rpm
# /kolab/bin/openpkg rpm \
    -Uvh /kolab/RPM/PKG/clamav-0.94-20080905_kolab.<ARCH>-<OS>-kolab.rpm
# rm /kolab/etc/clamav/*.rpmsave
# /kolab/bin/openpkg rc clamav stop
# /kolab/bin/openpkg rc clamav start
# su - kolab-r
$ freshclam
$ rm -r /kolab/share/clamav/*.inc
For Kolab Server 2.0.4 you have to copy the new /kolab/etc/clamav/clamd.conf
to /kolab/etc/kolab/templates/clamd.conf.template so it will not be
overwritten by kolabconf. Do NOT copy this file with Kolab Server 2.1 or 2.2!
Details
~~~~~~~
http://sourceforge.net/project/shownotes.php?release_id=623661&group_id=86638
ClamAV 0.94 release notes

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1389
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1089
clamav chm handler: crasher bugs

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3912
http://www.securityfocus.com/bid/31051
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1141
DOS related to out-of-memory in libclamav

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3913
http://www.securityfocus.com/bid/31051
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1141
DOS caused by multiple memory leaks in freshclam/manager.c

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3914
http://www.securityfocus.com/bid/31051
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1141
Multiple unspecified vulnerabilities with unknown impact
Timeline
~~~~~~~~
20080902 ClamAV release 0.94.
20080905 OpenPKG 0.94 package release.
20080905 Kolab Bug Tracker Issue created.
20080611 Kolab Server security advisory published.
--
Sascha Wilde OpenPGP key: 4BB86568
Intevation GmbH, Osnabrück http://www.intevation.de/~wilde/
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner