Ubuntu
clamav package

heap corruption before 0.92.1

Bug #213500 reported by Leonel Nunez
258
Affects Status Importance Assigned to Milestone
clamav (Ubuntu)
Invalid
Undecided
Unassigned
Dapper
Fix Released
Medium
Leonel Nunez
Feisty
Fix Released
Medium
Unassigned
Gutsy
Fix Released
Medium
Unassigned

Bug Description

The unmew11 function in libclamav/mew.c in libclamav in ClamAV before 0.92.1 has unknown impact and attack vectors that trigger "heap corruption."

Scott Kitterman (kitterman)
Changed in clamav:
assignee: nobody → kitterman
status: New → In Progress
Revision history for this message
Leonel Nunez (leonelnunez) wrote :

Gutsy Debdiff Applies builds fine with pbuilder
installed and tested no errors found

Revision history for this message
Leonel Nunez (leonelnunez) wrote :

This is for CVE-2008-0728

Revision history for this message
Leonel Nunez (leonelnunez) wrote :

Feisty Debdiff Applies and builds fine with pbuilder
installed and tested no errors found

Revision history for this message
Scott Kitterman (kitterman) wrote :

Does not apply to 0.92.1.

Changed in clamav:
assignee: nobody → leonelnunez
status: New → Confirmed
importance: Undecided → Medium
status: New → Confirmed
importance: Undecided → Medium
importance: Undecided → Medium
status: New → Confirmed
assignee: kitterman → nobody
status: In Progress → Invalid
Revision history for this message
Leonel Nunez (leonelnunez) wrote :

Dapper debdiff applies and builds with pbuilder
instaled and tested all fine

Jamie Strandboge (jdstrand)
Changed in clamav:
status: Confirmed → In Progress
status: Confirmed → In Progress
status: Confirmed → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Leonel, the debdiff does not update 00list so the patch does not get applied during the build. Please retest Dapper by adding 28_mew.c.CVE-2008-0728.dpatch to debian/patches/00list.

Revision history for this message
Scott Kitterman (kitterman) wrote : Re: [Bug 213500] Re: heap corruption before 0.92.1

... or we just copy from dapper-backports to dapper-security/updates and
we're using the already tested configuration.

Revision history for this message
Leonel Nunez (leonelnunez) wrote :

Don't know why didn't got included the first time ..
Here is the debdiff updated

Revision history for this message
Leonel Nunez (leonelnunez) wrote :

there's one error on build time
with that last debdiff ..

Jamie Strandboge (jdstrand)
Changed in clamav:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Scott Kitterman (kitterman)
Changed in clamav:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.91.2-3ubuntu2.4

---------------
clamav (0.91.2-3ubuntu2.4) gutsy-security; urgency=low

  * SECURITY UPDATE: Possible heap corruprion
  * Added 31_mew.c-CVE-2008-0728.dpatch
  * References: CVE-2008-0728 ( LP: #213500 )

 -- Leonel Nunez <email address hidden> Mon, 07 Apr 2008 17:32:39 -0600

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.90.2-0ubuntu1.7

---------------
clamav (0.90.2-0ubuntu1.7) feisty-security; urgency=low

  * SECURITY UPDATE: Possible heap corruption
  * Added 60_cve-2008-0728.dpatch
  * References: CVE-2008-0728 ( LP: #213500 )

 -- Leonel Nunez <email address hidden> Tue, 8 Apr 2008 03:01:56 -0600

Changed in clamav:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Related questions

Remote bug watches

Bug watches keep track of this bug in other bug trackers.