Arch Linux Security Advisory ASA-201505-2 ========================================= Severity: Medium Date : 2015-05-03 CVE-ID : CVE-2015-2170 CVE-2015-2221 CVE-2015-2222 CVE-2015-2305 CVE-2015-2668 Package : clamav Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package clamav before version 0.98.7-1 is vulnerable to denial of service and under certain circumstances on 32-bit platforms possibly arbitrary code execution. Resolution ========== Upgrade to 0.98.7-1. # pacman -Syu "clamav>=0.98.7-1" The problems have been fixed upstream in version 0.98.7. Workaround ========== None. Description =========== - CVE-2015-2170 (denial of service) A flaw has been found in the UPX decoder with crafted files. During unpacking there are two range checks which are implemented "manually". Those checks lack the detection of overflows which are considered by the CLI_ISCONTAINED() macro. - CVE-2015-2221 (denial of service) Y0da cryptor / protector is a PE file encryptor - the executable file is decrypted on start up. Clamav is able to decrypt such files in order to scan them. As part of the decryptor there is an op code emulator. A special crafted file may contain a jump op code to a position that already has been interpreted - which leads to an endless loop. This leads to an endless loop in clamav itself. - CVE-2015-2222 (denial of service) Petite is a tool for compressing PE files on windows. Clamav is a virus scanning tool which is able to unpack such files during scanning. Once the file has been identified as "petite" compressed before the decompressing process is started it is possible that a specially crafted file tells clamav to read more data than it allocated memory. On glibc it leads to SIGABRT on free() since glibc's malloc() recognizes this. - CVE-2015-2305 (arbitrary code execution) An upstream patch for possible heap overflow in Henry Spencer's regex library has been applied. The flaw is within an integer overflow in the regcomp implementation in the Henry Spencer regex library on 32-bit platforms, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow. - CVE-2015-2668 (denial of service) A flaw has been discovered that is leading to an infinite loop condition on a crafted "xz" archive file. Impact ====== A remote attacker is able to use specially crafted files that are leading to denial of service when scanned by Clamav. Additionally it may be possible to execute arbitrary code on 32-bit platforms under certain circumstances. References ========== http://blog.clamav.net/2015/04/clamav-0987-has-been-released.html https://access.redhat.com/security/cve/CVE-2015-2170 https://access.redhat.com/security/cve/CVE-2015-2221 https://access.redhat.com/security/cve/CVE-2015-2222 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2305 https://access.redhat.com/security/cve/CVE-2015-2668