MIME bypass

Bug #76374 reported by Kees Cook
Affects          Status        Importance  Assigned to  Milestone
clamav (Ubuntu)  Fix Released  High        Unassigned
Dapper           Fix Released  Undecided   Unassigned
Edgy             Fix Released  Undecided   Unassigned
Feisty           Fix Released  High        Unassigned

Bug Description

Binary package hint: clamav

clamav prior to feisty is vulnerable to MIME decode bypass.

Kees Cook (kees) wrote :

This is an example mbox file that has whitespace characters in it. On breezy, dapper, edgy, clamscan will scan this file as "OK". However, if you unpack it ("munpack eicar.mbox") and scan eicar.txt, the test signature is found.

Changed in clamav:
importance: Undecided → High
status: Unconfirmed → Fix Released
status: Fix Released → Unconfirmed
status: Unconfirmed → Confirmed
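
The cross-check described in the comment above (scan the mbox, then unpack it and scan the parts), as an added Python example that is not part of the original report or of clamav. The marker string, the sample message and `naive_scan` are constructed stand-ins; in practice `scan` would wrap a call to the real scanner.

```python
import base64, mailbox, os, tempfile

MARKER = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed stand-in, not a real signature

def build_sample_mbox():
    """Constructed one-message mbox carrying MARKER in a base64 attachment."""
    b64 = base64.encodebytes(b"header line\n" + MARKER + b"\n").decode("ascii")
    return (
        "From sender@example.invalid Mon Jan  1 00:00:00 2007\n"
        "From: sender@example.invalid\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="BOUND"\n\n'
        "--BOUND\nContent-Type: text/plain\n\nsee attachment\n"
        "--BOUND\n"
        "Content-Type: application/octet-stream\n"
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="sample.txt"\n\n'
        + b64 + "--BOUND--\n"
    ).encode("ascii")

def unpack_parts(mbox_bytes):
    """Decode every leaf MIME part, like the munpack step: {name: bytes}."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(mbox_bytes)
        box, parts = mailbox.mbox(path, create=False), {}
        for n, msg in enumerate(box):
            for i, part in enumerate(msg.walk()):
                if not part.is_multipart():
                    name = part.get_filename() or f"msg{n}-part{i}"
                    parts[name] = part.get_payload(decode=True) or b""
        box.close()
        return parts
    finally:
        os.unlink(path)

def cross_check(mbox_bytes, scan):
    """Scan the container and each unpacked part; report any disagreement."""
    container_hit = scan(mbox_bytes)
    part_hits = sorted(n for n, d in unpack_parts(mbox_bytes).items() if scan(d))
    return {"container_hit": container_hit, "part_hits": part_hits,
            "missed_by_container_scan": bool(part_hits) and not container_hit}

def naive_scan(data):
    """Hypothetical scanner stand-in that does no MIME decoding."""
    return MARKER in data

if __name__ == "__main__":
    print(cross_check(build_sample_mbox(), naive_scan))
```

A result with `missed_by_container_scan` set means the scanner's own MIME handling and an independent unpacker disagree about the same file, which is the symptom this bug reports.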
Kees Cook (kees) wrote :

Note that the upstream patch from 0.88.6 to 0.88.7 does not appear to fix this problem. :(

Changed in clamav:
status: Confirmed → Fix Released
status: Unconfirmed → Confirmed
status: Unconfirmed → Confirmed
StefanPotyra (sistpoty) wrote :

Hm... upstream patch works for me (amd64, edgy chroot):

old version:
root@suut:/tmp# clamscan eicar2.mbox
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days. ***
LibClamAV Warning: *** Please update it IMMEDIATELY! ***
LibClamAV Warning: **************************************************
eicar2.mbox: OK

----------- SCAN SUMMARY -----------
Known viruses: 64282
Engine version: 0.88.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Time: 1.931 sec (0 m 1 s)

patched:
root@suut:/tmp# clamscan eicar2.mbox
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days. ***
LibClamAV Warning: *** Please update it IMMEDIATELY! ***
LibClamAV Warning: **************************************************
eicar2.mbox: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 64282
Engine version: 0.88.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Time: 1.791 sec (0 m 1 s)

Can you please retry with the debdiff I'll attach in a minute? Thanks.

StefanPotyra (sistpoty) wrote :
Changed in clamav:
status: Confirmed → In Progress
StefanPotyra (sistpoty) wrote :
StefanPotyra (sistpoty)
Changed in clamav:
status: Confirmed → In Progress
Kees Cook (kees)
Changed in clamav:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Kees Cook (kees)
Changed in clamav:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.