Updated: clamav-0.90.3-1

Reini Urban rurban@x-ray.at
Sat Jun 16 17:59:00 GMT 2007

The cygwin clamav packages (Clam AntiVirus - GPL anti-virus toolkit) has
been updated to 0.90.3-1.

Several vulnerabilities were discovered in ClamAV by various

* Victor Stinner (INL) discovered that the OLE2 parser may enter in
   an infinite loop (CVE-2007-2650).

* A boundary error was also reported by an anonymous researcher in
   the file unsp.c, which might lead to a buffer overflow

* The file unrar.c contains a heap-based buffer overflow via a
   modified vm_codesize value from a RAR file (CVE-2007-3123).

* The RAR parsing engine can be bypassed via a RAR file with a header
   flag value of 10 (CVE-2007-3122).

* The cli_gentempstream() function from clamdscan creates temporary
   files with insecure permissions (CVE-2007-3024).


A remote attacker could send a specially crafted file to the scanner,
possibly triggering one of the vulnerabilities. The two buffer
overflows are reported to only cause Denial of Service. This would lead
to a Denial of Service by CPU consumption or a crash of the scanner.
The insecure temporary file creation vulnerability could be used by a
local user to access sensitive data.


All ClamAV users should upgrade to the latest version 0.90.3-1


   [ 1 ] CVE-2007-2650
   [ 2 ] CVE-2007-3023
   [ 3 ] CVE-2007-3024
   [ 4 ] CVE-2007-3122
   [ 5 ] CVE-2007-3123

Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of
this software is the integration with mail servers (attachment
scanning). The package provides a flexible and scalable multi-threaded
daemon, a commandline scanner, and a tool for automatic updating via
Internet. The programs are based on a shared library distributed with
the Clam AntiVirus package, which you can use in your own software.

See http://freshmeat.net/projects/clamav/

The clamav package comes in three parts:

clamav:      the executables and binaries
libclamav2:  the shared library since 0.90.1
libclamav-devel: development resources (headers, static- and import

Cygwin Package Changes:
fixed mbox.c
fixed BUILD_CLAMD in cygwin configure logic (again)
re-applied broken DIRENT_MISSING_D_INO patch


To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system.  Then, run setup and answer all of the questions.


If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:


If you need more information on unsubscribing, start reading here:


Please read *all* of the information on unsubscribing that is available
starting at this URL.

More information about the Cygwin-announce mailing list