---------------------------------------------------------------------------
Debian Volatile Update Announcement VUA 51-1 http://volatile.debian.org
debian-volatile@lists.debian.org Stephen Gran
Dec 11, 2008
---------------------------------------------------------------------------
Package : clamav
Version : 0.94.dfsg.2-1~volatile1
Importance : medium
CVE IDs : CVE-2008-5050 CVE-2008-5314
The following security flaws were found and fixed in clamav:
CVE-2008-5050
Off-by-one error in the get_unicode_name function
(libclamav/vba_extract.c) in Clam Anti-Virus (ClamAV) before 0.94.1
allows remote attackers to cause a denial of service (crash) or
possibly execute arbitrary code via a crafted VBA project file,
which triggers a heap-based buffer overflow.
CVE-2008-5314
Stack consumption vulnerability in libclamav/special.c in
ClamAV before 0.94.2 allows remote attackers to cause a denial
of service (daemon crash) via a crafted JPEG file, related
to the cli_check_jpeg_exploit, jpeg_check_photoshop, and
jpeg_check_photoshop_8bim functions.
If you use clamav, we recommend you upgrade to this version.
Upgrade Instructions
--------------------
You can get the updated packages at
http://volatile.debian.org/debian-volatile/pool/volatile/main/c/clamav
and install them with dpkg, or add
deb http://volatile.debian.org/debian-volatile etch/volatile main
deb-src http://volatile.debian.org/debian-volatile etch/volatile main
to your /etc/apt/sources.list. You can also use any of our mirrors. See
http://www.debian.org/volatile/volatile-mirrors for the full list of
mirrors. The archive signing keys can be downloaded from
http://volatile.debian.org/ziyi-etch.asc and additionaly was included in
the stable point release r1 in Debian Etch.
For further information about debian-volatile, please refer to
http://www.debian.org/volatile/.
If there are any issues, please don't hesitate to get in touch with the
debian-volatile team.