Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution

To: debian-volatile@lists.debian.org
Cc: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution
From: Dominic Hargreaves <dom@earth.li>
Date: Fri, 5 Dec 2008 18:15:05 +0000
Message-id: <[🔎] 20081205181504.GD1531@urchin.earth.li>
In-reply-to: <87r64os5w6.fsf@mid.deneb.enyo.de>
References: <87r64os5w6.fsf@mid.deneb.enyo.de>

On Thu, Dec 04, 2008 at 09:26:17AM +0100, Florian Weimer wrote:

> Moritz Jodeit discovered that ClamAV, an anti-virus solution, suffers
> from an off-by-one-error in its VBA project file processing, leading to
> a heap-based buffer overflow and potentially arbitrary code execution
> (CVE-2008-5050).
> 
> Ilja van Sprundel discovered that ClamAV contains a denial of service
> condition in its JPEG file processing because it does not limit the
> recursion depth when processing JPEG thumbnails (CVE-2008-5314).
> 
> For the stable distribution (etch), these problems have been fixed in
> version 0.90.1dfsg-4etch16.
> 
> For the unstable distribution (sid), these problems have been fixed in
> version 0.94.dfsg.2-1.

This looks like quite a serious bug (remote arbitrary code execution).
Are there any plans for an update to volatile?

Thanks,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Reply to:

Follow-Ups:
- Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution
  - From: Török Edwin <edwintorok@gmail.com>
- Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution
  - From: Michael Tautschnig <mt@debian.org>

Prev by Date: Re: Lenny/Violatile is Stable?
Next by Date: Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution
Previous by thread: Re: Lenny/Violatile is Stable?
Next by thread: Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution
Index(es):
- Date
- Thread