Four ClamAV Vulnerabilities Discovered, Fixes Released

The US-CERT website posted an advisory in relation to multiple ClamAV vulnerabilities. In total, four vulnerabilities were discovered which could result in remote code execution or a denial of service attack.

Fortunately, ClamAV have released version 0.93 with fixes for these issues. The change log shows the following fixes:

Mon Apr 14 21:35:11 CEST 2008 (tk)
———————————-
* Check in 0.93 patches:
– libclamunrar: bb#541 (RAR – Version required to extract – Evasion)
– libclamav/spin.c: bb#876 (PeSpin Heap Overflow Vulnerability)
– libclamav/pe.c: bb#878 (Upack Buffer Overflow Vulnerability)
– libclamav/message.c: bb#881 (message.c: read beyond allocated region)
– libclamav/unarj.c: bb#897 (ARJ: Sample from CERT-FI hangs clamav)
– libclamunrar: bb#898 (RAR crashes on some fuzzed files from CERT-FI)

The update to ClamAV is available for download here