
clamav: arbitrary file overwrite

Package(s): clamav
CVE #(s): CVE-2007-6595
Created: February 18, 2008
Updated: August 8, 2008
Description:

From the CVE entry: ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files in the cli_gentempfd function in libclamav/others.c or on (2) .ascii files in sigtool, when utf16-decode is enabled.

Alerts:
Gentoo 200808-07 2008-08-08
SuSE SUSE-SA:2008:024 2008-04-24
Mandriva MDVSA-2008:088 2007-04-17
Debian DSA-1497-1 2008-02-16


clamav: arbitrary file overwrite

Posted Feb 22, 2008 12:26 UTC (Fri) by jzbiciak (✭ supporter ✭, #5246) [Link]

I don't scroll down this page that often, but when I do, ClamAV always seems to be here...
Why is that?

(I just did a search at the CVE database, and it tells me there were 21 vulnerabilities in the
last year.  Cross that with staggering across different distributions releasing updates for
the same vulnerability, and I guess it *would* be here pretty much every week.  Wow.)

clamav: arbitrary file overwrite

Posted Feb 22, 2008 17:00 UTC (Fri) by bronson (subscriber, #4806) [Link]

Lessee...

http://nvd.nist.gov/nvd.cfm?advancedsearch

A quick search shows 53 vulnerabilities -- mostly medium and high -- since May 2005.  They've
been running at 1.6 vulnerabilities per month for almost 3 years!

You're not mistaken.  Can anybody explain why clamav has such an awful security record?

I ran clamav until it choked on a poorly-formatted MIME attachment in 2005 and stalled my mail
queue for days.  Since it was adding significantly to my headache surface and SpamAssassin was
rejecting most of the viruses anyway, ClamAV was banished without regret. 

That's funny...  The very program on your computer meant to reduce viruses makes it easy to --
by receiving a single email -- turn your Linux server into a virus host.  You've got fail.

(Of course, this particular bug doesn't look all that scary to me...   Nobody runs important
servers on the same box as they have untrusted users, do they?)


clamav: arbitrary file overwrite

Posted Feb 25, 2008 20:44 UTC (Mon) by janfrode (subscriber, #244) [Link]

> Can anybody explain why clamav has such an awful security record?

Maybe because it has to support unpacking of all kinds of file formats (arj, rar, zoo, zip,
base64, uuencoded, pdf, etc..) based on unpackers/libraries which are typically not written
with security in mind.

CVE-2007-6337     -- vulnerability in the bzip2 decompression algorithm
CVE-2007-6336     -- ... crafted MS-ZIP compressed CAB file.
CVE-2007-6335     -- ... crafted MEW packed PE file
CVE-2007-3725     -- ... crafted RAR archive
CVE-2007-3123     -- ... crafted RAR file
CVE-2007-3122     -- bypass scanning via a RAR file with a header flag

Still I feel quite a bit safer with clamav (+selinux) on our mail gateways, than I did with
Trend Micro IMSS..

clamav: arbitrary file overwrite

Posted Feb 25, 2008 21:02 UTC (Mon) by jzbiciak (✭ supporter ✭, #5246) [Link]

I guess that makes sense somewhat.  I imagine these vulnerabilities get fixed in the upstream
packages too, so it makes everything more secure.


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds