Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200405-03 ] ClamAV VirusEvent parameter vulnerability
Date: Tue, 11 May 2004 19:33:33
Message-Id: 40A12A27.5040904@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200405-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: ClamAV VirusEvent parameter vulnerability
Date: May 11, 2004
Bugs: #46264
ID: 200405-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

With a specific configuration (using %f in the VirusEvent parameter),
Clam AntiVirus is vulnerable to an attack allowing execution of
arbitrary commands.

Background
==========

From http://www.clamav.net/ :

"Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose
of this software is the integration with mail servers (attachment
scanning). The package provides a flexible and scalable multi-threaded
daemon, a command line scanner, and a tool for automatic updating via
Internet. The programs are based on a shared library distributed with
the Clam AntiVirus package, which you can use with your own software.
Most importantly, the virus database is kept up to date."

Affected packages
=================

-------------------------------------------------------------------
     Package                       /  Vulnerable  /  Unaffected
-------------------------------------------------------------------
  1  net-mail/clamav                   < 0.70          >= 0.70

Description
===========

The VirusEvent parameter in the clamav.conf configuration file specifies
a system command to run whenever a virus is found. This system command
can make use of the "%f" placeholder, which is replaced by the name of
the infected file. The name of the scanned file is under the control of
the attacker and is not sufficiently checked before substitution.
Version 0.70 of clamav disables the use of the "%f" parameter.

Impact
======

Sending a virus with a malicious file name can result in execution of
arbitrary system commands with the rights of the antivirus process.
Since clamav is often attached to mail servers for email scanning,
this attack can be carried out remotely.

Workaround
==========

You should not use the "%f" parameter in your VirusEvent configuration.
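The following Python script is an added illustration and is not part of this GLSA or of ClamAV itself. It shows the two things an administrator would want from the Description and Workaround above: an audit helper that flags any active VirusEvent line still using %f in a clamav.conf (the sample configuration embedded in the script is constructed), and, side by side, the fragile pattern of substituting %f into a single command string that a shell will re-parse versus the hardened pattern of placing the file name into one argv element so no shell ever interprets it. The helper names (find_virusevent_with_f, build_argv and so on) are hypothetical and do not exist in ClamAV.

```python
import re
import shlex

# Constructed sample of a clamav.conf fragment; not taken from any real host.
SAMPLE_CONF = """\
# clamav.conf (constructed sample)
LogFile /var/log/clamd.log
#VirusEvent /usr/local/bin/old-hook %f
VirusEvent /usr/local/bin/notify-admin %f
"""

# Characters a Bourne shell would interpret if they reached it unquoted.
SHELL_META = re.compile(r"""[;&|`$<>()\\'"\s*?\[\]{}~]""")


def find_virusevent_with_f(conf_text):
    """Audit helper (hypothetical, not part of ClamAV): report every active
    VirusEvent directive that still uses the %f placeholder."""
    hits = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are inert
        if stripped.split()[0] == "VirusEvent" and "%f" in stripped:
            hits.append((no, stripped))
    return hits


def build_command_string(template, filename):
    """The fragile pattern: substitute %f into a single string that is later
    handed to a shell. The shell re-parses the whole string, so whitespace
    or any metacharacter in the file name changes the command's meaning."""
    return template.replace("%f", filename)


def build_argv(template, filename):
    """Hardened pattern: tokenize the operator's template once, then replace
    the %f token with the file name as exactly one argv element. Nothing
    re-parses the name, so it is passed to the program verbatim."""
    return [filename if tok == "%f" else tok for tok in shlex.split(template)]


def filename_is_shell_safe(filename):
    """True when the name contains nothing a shell would interpret; useful
    as a pre-check if a string-based hook cannot be replaced immediately."""
    return SHELL_META.search(filename) is None


if __name__ == "__main__":
    for no, line in find_virusevent_with_f(SAMPLE_CONF):
        print(f"line {no}: {line}  <- drop %f or upgrade to >= 0.70")
    name = "quarterly report.doc"
    # The string form splits into three words; the argv form keeps two.
    print(build_command_string("/usr/local/bin/notify-admin %f", name))
    print(build_argv("/usr/local/bin/notify-admin %f", name))
```

The design point is that the argv form needs no escaping of the file name at all: the name never passes through a shell, so the class of "malicious file name" described in the Impact section has nothing to act on. The shell-safety check is a stopgap for sites that must keep a string-based hook until they upgrade.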

Resolution
==========

All users of Clam AntiVirus should upgrade to the latest stable
version:

# emerge sync

# emerge -pv ">=net-mail/clamav-0.70"
# emerge ">=net-mail/clamav-0.70"

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200405-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or, alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAoSonvcL1obalX08RAjecAJwNuR/ncOKtT3Xm6jyTupHVANa4NACggt/F
DsQi2RD/Arec/N1AuePh3Rk=
=O0tM
-----END PGP SIGNATURE-----