|
Message-ID: <5298D5AC.5050508@redhat.com> Date: Fri, 29 Nov 2013 10:58:04 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: CVE request: ClamAV vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/29/2013 02:20 AM, Sergey Popov wrote: > It's a bit late, but i would like to request CVE for two > vulnerabilities, that present in ClamAV before 0.97.7[1]: > > 1) A double-free error exists within the > "unrar_extract_next_prepare()" function > (libclamunrar_iface/unrar_iface.c) when parsing a RAR file. > > 2) An unspecified error within the "wwunpack()" function > (libclamav/wwunpack.c) when unpacking a WWPack file can be > exploited to corrupt heap memory. > > [1] - https://secunia.com/advisories/52647/ > The blog entry http://blog.clamav.net/2013/03/clamav-0977-has-been-released.html contains no mention of security flaws, Also the ChangeLog: https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog Doesn't contain any mention of the above flaws. Can you provide links to source code/bug reports or something so I can verify this? Thanks. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBAgAGBQJSmNWsAAoJEBYNRVNeJnmThXsP/jeOtL/zWdpxvSX6JEDw0OPj jhOr77n6thgze2U/wAnzqJNYrVu9zgbXo7PeIursWztKWOky90TZsVaYjsiCgQ0N iDo6WfG4h2Ee0b0L6MLTyADx9LCvYwdLcnjVOgzgAaQDirSTU0nc7oUdkMixTOXR xn6HEnGBxhw7o9xZbGWJL9fLxGrqnSvMowpTiH+qG1oiC7ShUvdI/k+5Fr2adX1E 47gz+dZazGdj39u2aryXA3uRA1PFMFm5zVJcPz6Vuv0tZlZVWh1dA2OMeOSZdok4 q8pd6WYiXDJdIWq9hpGwyR70GrJg0gsE8Dhw6KVtGu2V61BdX0dLxqnT5zhxxmFY DdyeFLkPTsEDUUj7wj7mciEgwXgUT2aiHrhXD6m9t+FvmU6MFD18HH0y7uD3vACU OBvOExWqcV/8rWmA3+VTAvgLXFCmVfNca6NP/d5oAnmeJRTGvBnyIGQwB95ozSbs fo0OvTm45CPzJVyiEX/7P1S73qLgnWV4Y0FLNg4mj5Qs2GkMs+LVGFxGOKr5XKed MdIk7Fa+xNMwI/qzJEYdA0xK1WPeDrwt5fpxJFoMjKqwF6jImmgUuQMZ5bvC0sqY bVTUzww4iPBvdY75yGH9F4BHacw+kw7MI9WUo9SJ32n047NB+UViRpAtvhshV6na bRvHsNYzqwUdW8msUh+0 =MZ61 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.