[arch-security] [ASA-201505-2] clamav: multiple issues

Levente Polyak anthraxx at archlinux.org
Sun May 3 22:57:38 UTC 2015


Arch Linux Security Advisory ASA-201505-2
=========================================

Severity: Medium
Date    : 2015-05-03
CVE-ID  : CVE-2015-2170 CVE-2015-2221 CVE-2015-2222 CVE-2015-2305
          CVE-2015-2668
Package : clamav
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package clamav before version 0.98.7-1 is vulnerable to denial of
service and under certain circumstances on 32-bit platforms possibly
arbitrary code execution.

Resolution
==========

Upgrade to 0.98.7-1.

# pacman -Syu "clamav>=0.98.7-1"

The problems have been fixed upstream in version 0.98.7.

Workaround
==========

None.

Description
===========

- CVE-2015-2170 (denial of service)

A flaw has been found in the UPX decoder with crafted files. During
unpacking there are two range checks which are implemented "manually".
Those checks lack the detection of overflows which are considered by the
CLI_ISCONTAINED() macro.

- CVE-2015-2221 (denial of service)

Y0da cryptor / protector is a PE file encryptor - the executable file is
decrypted on start up. Clamav is able to decrypt such files in order to
scan them. As part of the decryptor there is an op code emulator. A
special crafted file may contain a jump op code to a position that
already has been interpreted - which leads to an endless loop. This
leads to an endless loop in clamav itself.

- CVE-2015-2222 (denial of service)

Petite is a tool for compressing PE files on windows. Clamav is a virus
scanning tool which is able to unpack such files during scanning. Once
the file has been identified as "petite" compressed before the
decompressing process is started it is possible that a specially crafted
file tells clamav to read more data than it allocated memory. On glibc
it leads to SIGABRT on free() since glibc's malloc() recognizes this.

- CVE-2015-2305 (arbitrary code execution)

An upstream patch for possible heap overflow in Henry Spencer's regex
library has been applied. The flaw is within an integer overflow in the
regcomp implementation in the Henry Spencer regex library on 32-bit
platforms, might allow context-dependent attackers to execute arbitrary
code via a large regular expression that leads to a heap-based buffer
overflow.

- CVE-2015-2668 (denial of service)

A flaw has been discovered that is leading to an infinite loop condition
on a crafted "xz" archive file.

Impact
======

A remote attacker is able to use specially crafted files that are
leading to denial of service when scanned by Clamav. Additionally it may
be possible to execute arbitrary code on 32-bit platforms under certain
circumstances.

References
==========

http://blog.clamav.net/2015/04/clamav-0987-has-been-released.html
https://access.redhat.com/security/cve/CVE-2015-2170
https://access.redhat.com/security/cve/CVE-2015-2221
https://access.redhat.com/security/cve/CVE-2015-2222
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2305
https://access.redhat.com/security/cve/CVE-2015-2668

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150504/9bd0767b/attachment.asc>


More information about the arch-security mailing list