This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[ANNOUNCEMENT] Updated: clamav-0.91.2-1 SECURITY

The cygwin clamav packages (Clam AntiVirus - GPL anti-virus toolkit)
has been updated to 0.91.2-1.
This is a SECURITY update: Gentoo Linux Security Advisory GLSA 200709-14

Vulnerabilities have been discovered in ClamAV allowing remote
execution of arbitrary code and Denial of Service attacks.


Nikolaos Rangos discovered a vulnerability in ClamAV which exists
because the recipient address extracted from email messages is not
properly sanitized before being used in a call to "popen()" when
executing sendmail (CVE-2007-4560). Also, NULL-pointer dereference
errors exist within the "cli_scanrtf()" function in libclamav/rtf.c and
Stefanos Stamatis discovered a NULL-pointer dereference vulnerability
within the "cli_html_normalise()" function in libclamav/htmlnorm.c


The unsanitized recipient address can be exploited to execute arbitrary
code with the privileges of the clamav-milter process by sending an
email with a specially crafted recipient address to the affected
system. Also, the NULL-pointer dereference errors can be exploited to
crash ClamAV. Successful exploitation of the latter vulnerability
requires that clamav-milter is started with the "black hole" mode
activated, which is not enabled by default.


  [ 1 ] CVE-2007-4510
  [ 2 ] CVE-2007-4560

Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of
this software is the integration with mail servers (attachment
scanning). The package provides a flexible and scalable multi-threaded
daemon, a commandline scanner, and a tool for automatic updating via
Internet. The programs are based on a shared library distributed with
the Clam AntiVirus package, which you can use in your own software.


The clamav package comes in three parts:

clamav:      the executables and binaries
libclamav2:  the shared library since 0.90.1
libclamav-devel: development resources (headers, static- and import

Cygwin Package Changes:
* none


To update your installation, click on the "Install Cygwin now" link on
the web page.  This downloads setup.exe to your
system.  Then, run setup and answer all of the questions.


If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:

If you need more information on unsubscribing, start reading here:

Please read *all* of the information on unsubscribing that is available
starting at this URL.

Unsubscribe info:
Problem reports:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]